ephemeral key used to sign mokmanager should have better certificate attributes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
shim-signed (Ubuntu) | Fix Released | Low | Unassigned | | |
Bug Description
I try to boot mokmanager. It fails to boot, as it's not signed with the Canonical online key, chained to the Canonical CA, which shim tries to validate and fails. I see a scary blue screen of death with validation errors.
# sbverify --list /boot/efi/
warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/L=
image signature certificates:
- subject: /C=US/L=
issuer: /C=US/L=
Shouldn't shim builds submit shimx64.efi and mmx64.efi for Canonical online key signing?
Maybe as separate shim-canonical & shim-canonical-
Related branches
- Julian Andres Klode (community): Disapprove
- git-ubuntu developers: Pending requested
- Diff: 71 lines (+10/-13), 1 file modified: make-certs (+10/-13)
information type: | Public → Public Security |
tags: | added: rls-gg-incoming |
summary: |
- fail to launch mokmanager
+ fail to launch mokmanager - mmx64.efi is not signed? |
information type: | Public Security → Public |
Changed in shim-signed (Ubuntu): | |
importance: | Undecided → Low |
status: | New → Triaged |
summary: |
- mokmanager is signed using ephemeral key, instead of Vendor Key
+ ephemeral key used to sign mokmanager should have better certificate attributes |
tags: |
added: rls-gg-notfixing
removed: rls-gg-incoming |
mmx64.efi uses ephemeral key
which is a bit scary, as the cert is unknown and doesn't indicate at all that it is ephemeral.