Bug#860716: marked as done (shim fails to load MokManager (mmx64.efi) in the case of self-signed grub)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 23 Apr 2019 19:10:43 +0100
with message-id <20190423181043.GZ25446@tack.einval.com>
and subject line Re: Bug#860716: shim fails to load MokManager (mmx64.efi) in the case of self-signed grub
has caused the Debian Bug report #860716,
regarding shim fails to load MokManager (mmx64.efi) in the case of self-signed grub
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860716
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: shim fails to load MokManager (mmx64.efi) in the case of self-signed grub
• From: Mikhail Kshevetskiy <mikhail.kshevetskiy@gmail.com>
• Date: Wed, 19 Apr 2017 12:24:14 +0300
• Message-id: <149259385486.31167.8416667501386541890.reportbug@laska.lan>

Package: shim
Version: 0.9+1474479173.6c180c6-1
Severity: important

I test shim-signed with qemu in secure boot environment. Here is the steps
to reproduce a problem:

1) install shim, shim-signed, qemu and ovmf packages

2) get EnrollDefaultKeys.efi from
   https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Workstation/x86_64/os/Packages/e/edk2-ovmf-20170209git296153c5-3.fc27.noarch.rpm

3) create a efi_test directory with shim binaries, grub and EnrollDefaultKeys.efi files

   mkdir efi_test
   cp /usr/lib/shim/{shimx64,mmx64,fbx64}.efi.signed efi_test/
   rename 's/[.]signed$//' efi_test/*

   cp /boot/efi/EFI/debian/grubx64.efi efi_test/    [this step is significant]

   cp EnrollDefaultKeys.efi efi_test/     [see step (2)]

4) so we have in efi_test/

   LANG=C ls -la efi_test/

   drwxr-xr-x 2 kl kl    4096 Apr 19 12:10 .
   drwxr-xr-x 5 kl kl    4096 Apr 19 11:52 ..
   -rw-r--r-- 1 kl kl   20032 Apr 19 11:55 EnrollDefaultKeys.efi
   -rw-r--r-- 1 kl kl    9184 Apr 19 12:05 NvVars
   -rw-r--r-- 1 kl kl   72144 Apr 19 11:52 fbx64.efi
   -rwxr-xr-x 1 kl kl  121856 Apr 19 12:10 grubx64.efi
   -rw-r--r-- 1 kl kl 1168464 Apr 19 12:05 mmx64.efi
   -rw-r--r-- 1 kl kl 1169528 Apr 19 11:52 shimx64.efi

5) run qemu with ovmf firmware

   qemu-system-x86_64 -m 1024 -enable-kvm -machine q35,smm=on,accel=kvm \
                      -bios /usr/share/ovmf/OVMF.fd \
                      -drive media=disk,file=fat:rw:efi_test

6) import microsoft keys and enable secure boot (from EFI shell)

   Shell> fs0:
   FS0:\> EnrollDefaultKeys.efi
   info: SetupMode=1 SecureBoot=0 SecureBootEnabled=0 CustomMode=0 VendorKeys=1
   info: SetupMode=0 SecureBoot=1 SecureBootEnabled=1 CustomMode=0 VendorKeys=0
   info: success

7) reboot virtual machine (from EFI shell)

   FS0:\> reset

8) run shim (from EFI shell)

   Shell> fs0:
   FS0:\> shimx64.efi

9) expected result:

   MokManager (mmx64.efi) will be started

10) actual result:

    Verification failed: (15) Access Denied

    Failed to load image: Access Denied
    start_image() returned Access Denied
    start_image() returned Access Denied

    and we back to EFI shell.

    Thus it's not possible to install user keys or add user
    loader to trusted binary database.

------------------------------------------------------


The following upsteram patch will resolve a problem:

https://github.com/rhinstaller/shim/commit/9f2c83e60e0758c3db387eebaed3f306ad6214a8

PS: This bug affects ubuntu as well.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.UTF8, LC_CTYPE=ru_RU.UTF8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: Mikhail Kshevetskiy <mikhail.kshevetskiy@gmail.com>
• Cc: 860716-done@bugs.debian.org
• Subject: Re: Bug#860716: shim fails to load MokManager (mmx64.efi) in the case of self-signed grub
• From: Steve McIntyre <steve@einval.com>
• Date: Tue, 23 Apr 2019 19:10:43 +0100
• Message-id: <20190423181043.GZ25446@tack.einval.com>
• In-reply-to: <[🔎] 20190423134802.6ddbea4a@laska.lan>
• References: <149259385486.31167.8416667501386541890.reportbug@laska.lan> <20190323180523.GA3575@tack.einval.com> <[🔎] 20190423134802.6ddbea4a@laska.lan>

On Tue, Apr 23, 2019 at 01:48:02PM +0300, Mikhail Kshevetskiy wrote:
>On Sat, 23 Mar 2019 18:05:23 +0000
>Steve McIntyre <steve@einval.com> wrote:
>
>> I'm hoping that our current set of packages will fix this bug, as
>> we've moved to a much newer upstream version of shim which includes
>> the commit you point at. Once we have our new shim signed with the
>> Microsoft CA, could you retry your test and confirm please?
>
>I just checked shim-signed=1.30+15+1533136590.3beb971-5 from unstable.
>The bug was fixed. Thanks a lot!

Yay!

Thanks for confirming. Closing this now.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
There's no sensation to compare with this
Suspended animation, A state of bliss

--- End Message ---