
Re: sbsign crashes while signing an (EFI) image using Yubikey



On Sat, Jun 01, 2024 at 03:14:39PM +0000, Dmitry wrote:
>Hi,
>
>It seems that there is a regression in sbsign. It crashes while signing an
>(EFI) image using Yubikey.
>
>
>Reproduction:
>
>Try signing a file using sbsign where the key is stored on a Yubikey; it will
>crash:
>
>```
>sbsign --engine pkcs11 --key 'pkcs11:manufacturer=piv_II;id=%02' --cert ./sb/db.crt --output ./sb/secboot-linux-latest.efi.signed ./sb/secboot-linux-latest.efi
>```
>
>gdb shows this backtrace:
>
>```
>Thread 1 "sbsign" received signal SIGSEGV, Segmentation fault.
>0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>(gdb) bt
>#0 0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>#1 0x00007ffff7faf962 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>#2 0x00007ffff7fb5567 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>#3 0x00007ffff7fb58b0 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>#4 0x00007ffff7fb3731 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>#5 0x00007ffff7fb37bb in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
>#6 0x00007ffff7d1eed6 in RSA_sign (type=<optimised out>, m=m@entry=0x7fffffffdb80 "\224t&n\257>Y$\377...", m_len=m_len@entry=32,
>    sigret=sigret@entry=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdb14, rsa=rsa@entry=0x5555555f4270) at ../crypto/rsa/rsa_sign.c:309
>#7 0x00007ffff7d1d5a2 in pkey_rsa_sign (ctx=0x5555555eb5d0, sig=0x5555555f89a0 "\330\322\n", siglen=0x7fffffffdc30,
>    tbs=0x7fffffffdb80 "\224t&n\257>Y$\377...", tbslen=32) at ../crypto/rsa/rsa_pmeth.c:180
>#8 0x00007ffff7c06817 in EVP_DigestSignFinal (ctx=ctx@entry=0x5555555d8c50, sigret=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdc30) at ../crypto/evp/m_sigver.c:560
>#9 0x00007ffff7cfdcbc in PKCS7_SIGNER_INFO_sign (si=si@entry=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:952
>#10 0x00007ffff7cfdf9d in do_pkcs7_signed_attrib (mctx=<optimised out>, si=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:728
>#11 PKCS7_dataFinal (p7=p7@entry=0x5555555f3520, bio=bio@entry=0x5555555a8640) at ../crypto/pkcs7/pk7_doit.c:850
>#12 0x0000555555557c40 in IDC_set (image=<optimised out>, si=0x5555555a85f0, p7=0x5555555f3520) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/idc.c:216
>#13 main (argc=<optimised out>, argv=<optimised out>) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/sbsign.c:274
>(gdb)
>```
>
>It is likely that pkcs11.so is a "red herring" because I tried replacing the
>library with an older library from a docker image
>(`docker cp old_image /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so`) and it
>did NOT fix the issue.
>
>These are logs just before crash:
>
>```
>P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x4)
>P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x4) 0
>P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x5)
>P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x5) 0
>P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x6)
>P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x6) 0
>P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x7)
>P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x7) 0
>P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] ctx.c:1066:sc_release_context: called
>P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] reader-pcsc.c:978:pcsc_finish: called
>fish: Job 1, 'sbsign --engine pkcs11 --key 'p…' terminated by signal SIGSEGV (Address boundary error)
>```
>
>Logs were collected with `set -x OPENSC_DEBUG 9`. See more logs here:
>https://0bin.net/paste/4-TdVHy4#f8e68wCZrtty55tjhLKAFpA2YeSQ2jl9AopYJXf3J5-

Unfortunately, IME the standard failure mode of PKCS11 modules is to
crash hard if you do anything even slightly wrong. :-(

If you try testing without a PKCS11 module, I'm assuming all works fine?

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"This dress doesn't reverse." -- Alden Spiess

