[Bug 1880197] Re: mokmanager is signed using ephemeral key, instead of Vendor Key
Steve Langasek
1880197 at bugs.launchpad.net
Fri May 22 17:23:47 UTC 2020
mokmanager is part of shim and you should always have the matching
versions of mmx64.efi and shimx64.efi on the ESP, so the use of
ephemeral vs archive key is not material at runtime for a properly-
installed system. Reducing the overall number of asset types signed
directly with the online signing key is preferable in terms of
management of our key hierarchy. And if we were to sign it directly
with the archive key, I would want it split out of the shim package
entirely and treated as a separate source, with a separate upload and
signing cycle - which is a lot of extra work for very little benefit.
If the issue is that the description on the ephemeral certificate is
opaque, that is something we could address in the shim source instead.
Currently:
$ openssl pkcs7 -noout -print_certs -inform DER -in /tmp/detached.der
subject=C = US, L = SomeCity, O = SomeOrg, CN = shim
issuer=C = US, L = SomeCity, O = SomeOrg
$
I can see how we might want to improve on that.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1880197
Title:
mokmanager is signed using ephemeral key, instead of Vendor Key
Status in shim-signed package in Ubuntu:
New
Bug description:
I try to boot mokmanager. It fails to boot, as it's not signed with the
Canonical online key, chained to the Canonical CA, which shim tries to
validate and fails. I see a scary blue screen of death with validation
errors.
# sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/L=SomeCity/O=SomeOrg
image signature certificates:
- subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
issuer: /C=US/L=SomeCity/O=SomeOrg
Shouldn't shim builds submit shimx64.efi and mmx64.efi for Canonical online key signing?
Maybe as separate shim-canonical & shim-canonical-signed packages,
which chain off src:shim? (since we can't easily rebuild shim)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions