Ubuntu
sbsigntool package

[SRU] enable signing riscv64 binaries in bionic

Bug #1964510 reported by Heinrich Schuchardt
18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sbsigntool (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
High
Unassigned
Focal
Fix Released
High
Unassigned

Bug Description

[Impact]

The Ubuntu signing box is running Ubuntu Bionic. The riscv64 architecture is expanding. We expect development boards using EDK II to appear in 2022. We should be able to support secure boot then.

A patch for enabling this has been accepted upstream:

https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?h=next&id=25af2eb5e39b5d54703d4489182a6b9d0af58b76

[Test Plan]

* Signatures produced by sbsign in bionic, must be verifiable with sbverify from jammy.

* Test instructions:
  - create as new certificate RSA2048) for signing EFI binaries
    openssl req -x509 -sha256 -newkey rsa:2048 -subj /CN=TEST_$*/ \
    -keyout db.key -out db.crt -nodes -days 3650
  - sign amd64, arm64 and riscv64 EFI binaries with Bionic's sbsign
    sbsign --key db.key --cert db.crt test.efi
  - check the signature with Jammy's sbverify
  - check the signature with Bionics's sbverify

* Testing should be executed before landing the update.

[Where problems could occur]

* The upstream patch is trivial and should have no effect on any non-riscv64 architecture. It only changes the architecture test that is made before signing.

* With the test procedure above we ensure that we still can sign on the same architectures as before.

[Other Info]

* The Focal task is so that we don't loose functionality in case of an upgrade from Bionic to Focal.

See original description
Heinrich Schuchardt (xypron)
tags: added: fr-2104
Revision history for this message
Heinrich Schuchardt (xypron) wrote :

To verify use:

sbverify --cert db.crt test.efi.signed

Changed in sbsigntool (Ubuntu):
status: New → Confirmed
Revision history for this message
Colin Watson (cjwatson) wrote :

https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1964519 has the corresponding debdiff for focal; I've consolidated these into a single bug with two open tasks. (https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1938438 added the support to impish.)

Changed in sbsigntool (Ubuntu Bionic):
status: New → Triaged
importance: Undecided → High
Changed in sbsigntool (Ubuntu Focal):
status: New → Triaged
importance: Undecided → High
Changed in sbsigntool (Ubuntu):
status: Confirmed → Fix Released
description: updated
Revision history for this message
Heinrich Schuchardt (xypron) wrote :
Changed in sbsigntool (Ubuntu Bionic):
status: Triaged → Confirmed
Changed in sbsigntool (Ubuntu Focal):
status: Triaged → Confirmed
Revision history for this message
Steve Langasek (vorlon) wrote :

Please include in the test case a pointer to a specific riscv64 EFI binary that should be used for testing.

Changed in sbsigntool (Ubuntu Bionic):
status: Confirmed → Incomplete
Revision history for this message
Steve Langasek (vorlon) wrote :

Note that the version number in the focal diff is wrong; focal already has 0.9.2-2ubuntu1, so needs to have a version number that sorts later than this such as 0.9.2-2ubuntu1.1. https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Update_the_packaging provides recommendations for the version schema to use for SRUs.

Revision history for this message
Heinrich Schuchardt (xypron) wrote :
Revision history for this message
Heinrich Schuchardt (xypron) wrote :
Revision history for this message
Heinrich Schuchardt (xypron) wrote :

I just added an arm64 and a riscv64 EFI binary for testing. These are just the helloworld.efi files produced by building U-Boot for qemu-riscv64_defconfig and qemu_arm64_defconfig.

Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Heinrich, or anyone else affected,

Accepted sbsigntool into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sbsigntool/0.9.2-2ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sbsigntool (Ubuntu Bionic):
status: Incomplete → In Progress
Changed in sbsigntool (Ubuntu Focal):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in sbsigntool (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Heinrich, or anyone else affected,

Accepted sbsigntool into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sbsigntool/0.9.2-2ubuntu1~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

# dpkg-query -W sbsigntool
sbsigntool 0.9.2-2ubuntu1.1

# sbverify --cert ./db.crt test-arm64.efi.signed
warning: data remaining[5112 vs 6104]: gaps between PE/COFF sections?
Signature verification OK

# sbverify --cert ./db.crt test-riscv64.efi.signed
warning: data remaining[5112 vs 6128]: gaps between PE/COFF sections?
Signature verification OK

# faketime 'Thu May 5 13:35:03 CEST' sbsign --key db.key --cert db.crt ./test-arm64.efi
warning: data remaining[3584 vs 4576]: gaps between PE/COFF sections?
Signing Unsigned original image

# faketime 'Thu May 5 13:35:03 CEST' sbsign --key db.key --cert db.crt ./test-riscv64.efi
warning: data remaining[3584 vs 4600]: gaps between PE/COFF sections?
Signing Unsigned original image

Signing is successful and produces identical output, matching impish results.

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

root@ethical-catfish:~# dpkg-query -W sbsigntool
sbsigntool 0.9.2-2ubuntu1~18.04.2

root@ethical-catfish:~# sbverify --cert db.crt test-arm64.efi.signed
warning: data remaining[5112 vs 6104]: gaps between PE/COFF sections?
Signature verification OK

root@ethical-catfish:~# sbverify --cert db.crt test-riscv64.efi.signed
warning: data remaining[5112 vs 6128]: gaps between PE/COFF sections?
Signature verification OK

root@ethical-catfish:~# faketime 'Thu May 5 13:35:03 CEST' sbsign --key ./db.key --cert ./db.crt test-arm64.efi
warning: data remaining[3584 vs 4576]: gaps between PE/COFF sections?
Signing Unsigned original image

root@ethical-catfish:~# faketime 'Thu May 5 13:35:03 CEST' sbsign --key ./db.key --cert ./db.crt test-riscv64.efi
warning: data remaining[3584 vs 4600]: gaps between PE/COFF sections?
Signing Unsigned original image

The signatures produced are identical to those made with impish tooling.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.9.2-2ubuntu1.1

---------------
sbsigntool (0.9.2-2ubuntu1.1) focal; urgency=medium

  * Enable signing riscv64 EFI binaries (LP: #1964510)

 -- Heinrich Schuchardt <email address hidden> Thu, 10 Mar 2022 20:41:04 +0100

Changed in sbsigntool (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for sbsigntool has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.9.2-2ubuntu1~18.04.2

---------------
sbsigntool (0.9.2-2ubuntu1~18.04.2) bionic; urgency=medium

  * Enable signing riscv64 EFI binaries (LP: #1964510)

 -- Heinrich Schuchardt <email address hidden> Thu, 10 Mar 2022 20:41:04 +0100

Changed in sbsigntool (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.