[Bug 1939565] Re: kernel signed by mok failed to boot if secure boot is on
Steve Langasek
1939565 at bugs.launchpad.net
Mon Aug 30 16:51:39 UTC 2021
On Sun, Aug 29, 2021 at 09:02:38PM -0000, Jacob wrote:
> Could we add an option to `update-secureboot-policy` so that it can
> generate a key that works for signing modules & kernels ?
This would be a low priority to change, and we would need to take a good
deal of care around the user interface and documentation for this because we
do not want to be giving users a gun to point at their feet.
The only reason to add a key to MOK that can be used for signing kernels is
if you're not using an official Ubuntu kernel. I think the documentation
for how to generate keys for this belongs with instructions around booting
unofficial kernels; and wherever that gets documented, it can just as well
lay out the full openssl invocation instead of pointing to
update-secureboot-policy. And NOT putting it in update-secureboot-policy
makes it less likely that users are going to cargo-cult a one-liner command
without context.
> As an aside, if an attacker has compromised a system and they generate a
> signing key ... they could modify and attempt to enrol a key that allows
> kernel signing ...
The "attempt to enroll" requires the user to interface with MokManager at
the console. It is by design that you cannot non-interactively enroll a MOK
from userspace. So this scenario is already accounted for and still
prevents an attacker from getting persistent access to the firmware without
involvement of someone with control of the local console.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1939565
Title:
kernel signed by mok failed to boot if secure boot is on
Status in OEM Priority Project:
Confirmed
Status in shim package in Ubuntu:
Incomplete
Bug description:
On Focal, create a MOK and enroll it, then use it to sign a test kernel while
secure boot is on.
# sh -x test.sh
+ sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
Signature verification OK
+ openssl x509 -in TestKer.pem -outform der -out TestKernel.der
+ mokutil --test-key TestKernel.der
TestKernel.der is already enrolled
As secure boot is on, the above kernel can't be loaded.
The error message is:
/boot/vmlinuz-5.13.0-9010-oem has invalid signature.
Machine: Latitude 7520
bios: 1.6.0
shim-signed: 1.40.6+15.4-0ubuntu7
grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2
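As an added example (not code from the bug thread or from Ubuntu's update-secureboot-policy), the following POSIX shell script lays out the kind of openssl invocation Steve refers to and inspects the resulting certificate before it is ever offered to mokutil. It assumes that what separates a key usable for modules only from one usable for modules and kernels is the certificate's extended key usage, and it flags OID 1.3.6.1.4.1.2312.16.1.2, which the Linux kernel's module-signing documentation defines as "module signing only". The directory layout, file names and the two EKU sets are constructed for the example; signing the image with sbsign and enrolment through mokutil/MokManager are not exercised here.

```shell
#!/bin/sh
# Added example, not from the bug thread or Ubuntu's tooling.
# Generates a self-signed MOK certificate with openssl and classifies it by
# extended key usage before it is handed to mokutil.
# Assumption: OID 1.3.6.1.4.1.2312.16.1.2 ("module signing only", from the
# kernel's module-signing documentation) marks a key as module-only.
set -eu

MODSIGN_ONLY_OID="1.3.6.1.4.1.2312.16.1.2"

# gen_mok_cert DIR NAME EKU_LIST
#   Writes DIR/NAME.priv (RSA private key), DIR/NAME.pem and DIR/NAME.der.
#   EKU_LIST is the openssl extendedKeyUsage value, e.g. "codeSigning".
gen_mok_cert() {
  dir=$1; name=$2; eku=$3
  cfg="$dir/$name.cnf"
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3
prompt = no
[ dn ]
CN = Example MOK ($name)
[ v3 ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = $eku
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$cfg" -keyout "$dir/$name.priv" -out "$dir/$name.pem" 2>/dev/null
  # mokutil expects DER, as in the bug report's test.sh
  openssl x509 -in "$dir/$name.pem" -outform der -out "$dir/$name.der"
}

# cert_ekus PEM
#   Prints the certificate's EKU list as a comma-separated string
#   (empty if the extension is absent).
cert_ekus() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | sed -n '2p' | tr -d ' '
}

# cert_is_modsign_only PEM
#   Exit status 0 if the certificate carries the module-signing-only EKU.
cert_is_modsign_only() {
  cert_ekus "$1" | tr ',' '\n' | grep -qx "$MODSIGN_ONLY_OID"
}

# mok_key_kind PEM
#   Prints one of: no-eku, module-signing-only, general-code-signing.
mok_key_kind() {
  ekus=$(cert_ekus "$1")
  if [ -z "$ekus" ]; then
    echo "no-eku"
  elif cert_is_modsign_only "$1"; then
    echo "module-signing-only"
  else
    echo "general-code-signing"
  fi
}

# Stand-alone usage: build both variants in a temp dir and classify them.
if [ "${MOK_EXAMPLE_MAIN:-}" = "1" ]; then
  work=$(mktemp -d)
  gen_mok_cert "$work" modonly "codeSigning,$MODSIGN_ONLY_OID"
  gen_mok_cert "$work" both "codeSigning"
  for n in modonly both; do
    printf '%s: %s\n' "$n" "$(mok_key_kind "$work/$n.pem")"
  done
  rm -rf "$work"
fi
```

Running the script with MOK_EXAMPLE_MAIN=1 generates one certificate restricted to module signing and one plain code-signing certificate and reports the difference, which `mokutil --test-key` alone does not surface: as the bug report shows, that command only tells you whether the certificate is already enrolled.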