
Bug#860716: shim fails to load MokManager (mmx64.efi) in the case of self-signed grub



On Wed, Apr 19, 2017 at 12:24:14PM +0300, Mikhail Kshevetskiy wrote:
>Package: shim
>Version: 0.9+1474479173.6c180c6-1
>Severity: important
>
>I tested shim-signed with qemu in a secure boot environment. Here are the steps
>to reproduce the problem:
>
>1) install shim, shim-signed, qemu and ovmf packages
>
>2) get EnrollDefaultKeys.efi from
>   https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Workstation/x86_64/os/Packages/e/edk2-ovmf-20170209git296153c5-3.fc27.noarch.rpm
>
>3) create an efi_test directory with shim binaries, grub and EnrollDefaultKeys.efi files
>
>   mkdir efi_test
>   cp /usr/lib/shim/{shimx64,mmx64,fbx64}.efi.signed efi_test/
>   rename 's/[.]signed$//' efi_test/*
>
>   cp /boot/efi/EFI/debian/grubx64.efi efi_test/    [this step is significant]
>
>   cp EnrollDefaultKeys.efi efi_test/     [see step (2)]
>
>4) so we have in efi_test/
>
>   LANG=C ls -la efi_test/
>
>   drwxr-xr-x 2 kl kl    4096 Apr 19 12:10 .
>   drwxr-xr-x 5 kl kl    4096 Apr 19 11:52 ..
>   -rw-r--r-- 1 kl kl   20032 Apr 19 11:55 EnrollDefaultKeys.efi
>   -rw-r--r-- 1 kl kl    9184 Apr 19 12:05 NvVars
>   -rw-r--r-- 1 kl kl   72144 Apr 19 11:52 fbx64.efi
>   -rwxr-xr-x 1 kl kl  121856 Apr 19 12:10 grubx64.efi
>   -rw-r--r-- 1 kl kl 1168464 Apr 19 12:05 mmx64.efi
>   -rw-r--r-- 1 kl kl 1169528 Apr 19 11:52 shimx64.efi
>
>5) run qemu with ovmf firmware
>
>   qemu-system-x86_64 -m 1024 -enable-kvm -machine q35,smm=on,accel=kvm \
>                      -bios /usr/share/ovmf/OVMF.fd \
>                      -drive media=disk,file=fat:rw:efi_test
>
>6) import Microsoft keys and enable secure boot (from EFI shell)
>
>   Shell> fs0:
>   FS0:\> EnrollDefaultKeys.efi
>   info: SetupMode=1 SecureBoot=0 SecureBootEnabled=0 CustomMode=0 VendorKeys=1
>   info: SetupMode=0 SecureBoot=1 SecureBootEnabled=1 CustomMode=0 VendorKeys=0
>   info: success
>
>7) reboot virtual machine (from EFI shell)
>
>   FS0:\> reset
>
>8) run shim (from EFI shell)
>
>   Shell> fs0:
>   FS0:\> shimx64.efi
>
>9) expected result:
>
>   MokManager (mmx64.efi) will be started
>
>10) actual result:
>
>    Verification failed: (15) Access Denied
>
>    Failed to load image: Access Denied
>    start_image() returned Access Denied
>    start_image() returned Access Denied
>
>    and we are back to the EFI shell.
>
>    Thus it's not possible to install user keys or add a user
>    loader to the trusted binary database.

Hi Mikhail,

I'm hoping that our current set of packages will fix this bug, as
we've moved to a much newer upstream version of shim which includes
the commit you point at. Once we have our new shim signed with the
Microsoft CA, could you retry your test and confirm please?

Cheers,

Steve

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
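The staging and launch steps from the quoted report (steps 3 to 5), gathered into one script with a pre-flight check so that a missing grubx64.efi (the step the reporter marks as significant) is caught before the VM is started. This is an added example, not code from the bug report or from the shim package; it assumes the Debian shim-signed, grub and OVMF paths named in the report, and the suffix-stripping loop replaces the Perl `rename` invocation so it also works where `rename` is the util-linux flavour.

```shell
#!/usr/bin/env bash
# Added example for reproducing Debian bug #860716; not part of the report.
# Paths below are the ones given in the report (assumed to match your system).
set -eu

# Files step 4 of the report lists in efi_test/. NvVars is written by OVMF
# itself at runtime (it is OVMF's variable store when booted with -bios),
# so it is not required up front.
REQUIRED_FILES="shimx64.efi mmx64.efi fbx64.efi grubx64.efi EnrollDefaultKeys.efi"

# stage_efi_test SHIM_DIR GRUB_EFI ENROLL_EFI DEST
# Copies the three signed shim binaries, dropping the ".signed" suffix with
# a shell loop instead of `rename 's/[.]signed$//'`, then adds the Debian
# grub image and EnrollDefaultKeys.efi (step 3 of the report).
stage_efi_test() {
    local shim_dir=$1 grub=$2 enroll=$3 dest=$4
    local f
    mkdir -p "$dest"
    for f in shimx64 mmx64 fbx64; do
        cp "$shim_dir/$f.efi.signed" "$dest/$f.efi"
    done
    cp "$grub" "$dest/grubx64.efi"        # "this step is significant"
    cp "$enroll" "$dest/EnrollDefaultKeys.efi"
}

# check_efi_test DEST
# Returns 0 when every file the reproducer needs is present and non-empty;
# otherwise prints the missing names on stderr and returns 1.
check_efi_test() {
    local dest=$1 missing="" f
    for f in $REQUIRED_FILES; do
        [ -s "$dest/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "missing in $dest:$missing" >&2
        return 1
    fi
    return 0
}

# launch_efi_test DEST
# Runs the pre-flight check, then the qemu command from step 5 of the report
# with DEST exposed as a writable FAT disk (fs0: in the EFI shell).
launch_efi_test() {
    local dest=$1
    check_efi_test "$dest" || return 1
    qemu-system-x86_64 -m 1024 -enable-kvm -machine q35,smm=on,accel=kvm \
        -bios /usr/share/ovmf/OVMF.fd \
        -drive "media=disk,file=fat:rw:$dest"
}

# Usage, with the paths from the report:
#   stage_efi_test /usr/lib/shim /boot/efi/EFI/debian/grubx64.efi \
#       ./EnrollDefaultKeys.efi efi_test
#   launch_efi_test efi_test
# Then continue in the EFI shell with steps 6 to 8 of the report.
```

After the VM is up, steps 6 to 8 are typed into the EFI shell as in the report; the enrolled keys survive the `reset` in step 7 because OVMF persists them in the NvVars file that appears in the directory listing.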