[Bug 1929454] Re: Bios measurements do not contain measurements for the kernel binary and kernel signer cert.

Steve Langasek 1929454 at bugs.launchpad.net
Mon May 24 18:54:38 UTC 2021


> On Ubuntu 20.04, the binary_bios_measurements
> do NOT contain the measurements for the kernel
> binary and the kernel signer cert that is
> typically measured by the shim.

It is my understanding that it is correct to not measure the certificate
for the kernel: per the specs, because grub and the kernel are signed
with keys that chain back to the same cert trusted by shim, this
certificate should only be measured once.  There were bugs in earlier
versions of shim that have since been fixed.

I do not recall if there were reasons to stop measuring the hash of the
kernel, or to change where it is measured.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1929454

Title:
  Bios measurements do not contain measurements for the kernel binary
  and kernel signer cert.

Status in shim-signed package in Ubuntu:
  New

Bug description:
  On Ubuntu 20.04, the binary_bios_measurements do NOT contain the
  measurements for the kernel binary and the kernel signer cert that is
  typically measured by the shim.

  This behavior is NOT consistent with Ubuntu 18.04 where the
  measurements are present.

  Attaching the measurements from Ubuntu 20.04 for reference.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1929454/+subscriptions
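
Added example (not part of the original message and not shim's or Ubuntu's code): one way to compare two binary_bios_measurements logs, as the report does for 18.04 and 20.04, by parsing the TCG2 crypto-agile format and counting events per (PCR, event type). The two sample logs are constructed, and the PCR and event-type placement in them is an assumption for illustration.

```python
import hashlib
import struct
from collections import Counter

EV_NO_ACTION = 0x00000003
EV_EFI_BOOT_SERVICES_APPLICATION = 0x80000003
EV_EFI_VARIABLE_AUTHORITY = 0x800000E0

def parse_event_log(blob):
    """Return [(pcr, event_type, event_data)] from a TCG2 crypto-agile log."""
    # Record 0 uses the legacy layout: pcr, type, 20-byte SHA-1 digest, size, data.
    _, etype, size = struct.unpack_from("<II20xI", blob, 0)
    spec, off = blob[32:32 + size], 32 + size
    if etype != EV_NO_ACTION or not spec.startswith(b"Spec ID Event03\0"):
        raise ValueError("not a crypto-agile (TPM 2.0) event log")
    # The Spec ID event lists (algorithm id, digest size) for every bank in the log.
    (nalg,) = struct.unpack_from("<I", spec, 24)
    sizes = dict(struct.unpack_from("<HH", spec, 28 + 4 * i) for i in range(nalg))
    events = []
    while off + 12 <= len(blob):
        pcr, etype, count = struct.unpack_from("<III", blob, off)
        off += 12
        if count == 0 or pcr == 0xFFFFFFFF:   # trailing padding, not an event
            break
        for _ in range(count):                # skip one digest per bank
            (alg,) = struct.unpack_from("<H", blob, off)
            off += 2 + sizes[alg]
        (size,) = struct.unpack_from("<I", blob, off)
        events.append((pcr, etype, blob[off + 4:off + 4 + size]))
        off += 4 + size
    return events

def dropped_events(old_blob, new_blob):
    """Map (pcr, event_type) -> (old count, new count) where the count fell."""
    old = Counter(e[:2] for e in parse_event_log(old_blob))
    new = Counter(e[:2] for e in parse_event_log(new_blob))
    return {k: (n, new[k]) for k, n in old.items() if new[k] < n}

def build_log(events):
    """Build a constructed sample log with a single SHA-256 bank."""
    spec = b"Spec ID Event03\0" + struct.pack("<IBBBBIHHB", 0, 0, 2, 0, 2, 1, 0x000B, 32, 0)
    blob = struct.pack("<II20xI", 0, EV_NO_ACTION, len(spec)) + spec
    for pcr, etype, data in events:
        blob += (struct.pack("<IIIH", pcr, etype, 1, 0x000B) + hashlib.sha256(data).digest()
                 + struct.pack("<I", len(data)) + data)
    return blob

# Constructed logs: PCR/event-type placement is an assumption for illustration.
_CERT, _APP = EV_EFI_VARIABLE_AUTHORITY, EV_EFI_BOOT_SERVICES_APPLICATION
NEW = build_log([(7, _CERT, b"cert"), (4, _APP, b"grub")])
OLD = build_log([(7, _CERT, b"cert"), (4, _APP, b"grub"), (7, _CERT, b"cert"), (4, _APP, b"kernel")])
```

On a live system the same functions can be fed the bytes of /sys/kernel/security/tpm0/binary_bios_measurements captured from each release (reading it requires root).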