[Bug 1880197] Re: mokmanager is signed using ephemeral key, instead of Vendor Key
Dimitri John Ledkov
1880197 at bugs.launchpad.net
Fri May 22 17:38:40 UTC 2020
I guess my general level of paranoia w.r.t number of roots of trust, and
ability to inspect them.
Improved subject would help a lot.
Can that shim cert sign online signing subkeys? Can the shim cert sign
grub? Kernel? Kernel Modules? Are the questions I don't even want to
think about.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1880197
Title:
ephemeral key used to sign mokmanager should have better certificate
attributes
Status in shim-signed package in Ubuntu:
Triaged
Bug description:
I try to boot mokmanager. It fails to boot, as it's not signed with
canonical online key, chained to canonical CA, which shim tries to
validate and fails. I see scary blue screen of death with validation
errors.
# sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/L=SomeCity/O=SomeOrg
image signature certificates:
- subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
issuer: /C=US/L=SomeCity/O=SomeOrg
shouldn't shim builds, submit shix64.efi mmx64.efi for Canonical online key signing?
Maybe as separate shim-canonical & shim-canonical-signed packages,
which chain off src:shim? (since we can't easily rebuild shim)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions
More information about the foundations-bugs
mailing list