Cannot boot EFI signed by snakeoil keys with OVMF_VARS_4M.snakeoil.fd

Bug #1986692 reported by Scott Moser
This bug affects 1 person
Affects        Status        Importance  Assigned to   Milestone
edk2 (Ubuntu)  Fix Released  Undecided   dann frazier
Jammy          Fix Released  Undecided   dann frazier

Bug Description

[Impact]
The "snakeoil" keys are not properly enrolled in the snakeoil images, making them useless for purpose. These are images preconfigured to trust an included (insecure) key/cert, which is useful for testing boot artifacts in a non-prod Secure Boot environment.

[Test Case]
A regression test has been added as an autopkgtest.

[What Could Go Wrong]
Some refactoring was required to generate these images correctly, and that could impact how keys are enrolled in other images. autopkgtests are in place to verify those - but if those tests were to miss something, we could potentially regress an existing VM boot configuration.

Revision history for this message
Scott Moser (smoser) wrote :

I had made this gist https://gist.github.com/smoser/86781865f7191bbb790c74453967f28c to document what I was doing before I was certain this was a bug.

I am attaching a tarball of the gist here just for posterity.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks for the report, Scott.

I'm marking this bug as Triaged, but I haven't personally tried to reproduce it. I'm also subscribing Christian to it since he might be more in the loop when it comes to edk2.

Changed in edk2 (Ubuntu Jammy):
status: New → Triaged
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Ah, I see that Dann has already subscribed himself to the bug, which is good.

Revision history for this message
dann frazier (dannf) wrote :

Yeah, I can reproduce and am looking at it. Thanks Sergio.

Changed in edk2 (Ubuntu):
assignee: nobody → dann frazier (dannf)
status: New → In Progress
Scott Moser (smoser)
description: updated
Revision history for this message
dann frazier (dannf) wrote :

When I replaced ovmf-vars-generator with edk2-vars-generator.py, I missed that snakeoil keys need to be enrolled with `EnrollDefaultKeys.efi --no-default`. I wrote a test case for this and verified that the fix DTRT, but I need to spend some time cleaning up the test case before uploading.

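The failure described in [Impact] and diagnosed in the comment above (the snakeoil certificate never being enrolled in the image's db) can be checked directly from the vars file, without signing anything or booting a VM. The script below is an added example for this report; it is not code from edk2, from the Ubuntu packaging, from edk2-vars-generator.py or from the gist. It walks the EDK2 authenticated variable store (AUTHENTICATED_VARIABLE_HEADER layout from MdeModulePkg/Include/Guid/VariableFormat.h), pulls the EFI_SIGNATURE_LIST chains out of PK, KEK and db, and reports whether a given certificate is an X.509 entry of db. The GUIDs are the real UEFI/edk2 ones; the function names (parse_varstore, x509_entries, enrollment_summary, sample_images) are this example's own, and the sample store built at the bottom is constructed here, with a placeholder byte blob standing in for a real DER certificate, so that the module runs offline. Run it with a real OVMF_VARS_4M.snakeoil.fd and /usr/share/ovmf/PkKek-1-snakeoil.pem to check an installed image.

```python
# Added example for LP: #1986692, not code from edk2, Ubuntu or the gist.
# Walks an EDK2 authenticated variable store (MdeModulePkg VariableFormat.h)
# and the EFI_SIGNATURE_LISTs inside PK/KEK/db to report what is enrolled.
import base64
import collections
import struct
import sys
import textwrap
import uuid

AUTH_VARSTORE_GUID = uuid.UUID("aaf32c78-947b-439a-a180-2e144ec37792")           # store signature
EFI_GLOBAL_VARIABLE = uuid.UUID("8be4df61-93ca-11d2-aa0d-00e098032b8c")          # PK, KEK
EFI_IMAGE_SECURITY_DATABASE = uuid.UUID("d719b2cb-3d3a-4596-a3bc-dad00e67656f")  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
VAR_HEADER = struct.Struct("<HBBIQ16sIII16s")   # AUTHENTICATED_VARIABLE_HEADER, 60 bytes
VAR_START_ID, VAR_ADDED, VAR_DELETED = 0x55AA, 0x3F, 0xFD
Variable = collections.namedtuple("Variable", "name guid attributes data")

def pem_to_der(pem: str) -> bytes:
    """DER bytes of the first PEM block in the text."""
    lines = pem.splitlines()
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN"))
    end = next(i for i, l in enumerate(lines) if i > begin and l.startswith("-----END"))
    return base64.b64decode("".join(l.strip() for l in lines[begin + 1:end]))

def parse_varstore(image: bytes) -> list:
    """Live (VAR_ADDED) variables; deleted/in-transition entries are skipped."""
    start = image.find(AUTH_VARSTORE_GUID.bytes_le)
    if start < 0:
        raise ValueError("no authenticated variable store in image")
    off, variables = start + 28, []                 # 28 == sizeof(VARIABLE_STORE_HEADER)
    while off + VAR_HEADER.size <= len(image):
        (start_id, state, _, attrs, _, _, _,
         name_size, data_size, vendor) = VAR_HEADER.unpack_from(image, off)
        if start_id != VAR_START_ID:
            break                                   # hit the 0xFF erased fill
        body = off + VAR_HEADER.size
        if state == VAR_ADDED:
            name = image[body:body + name_size].decode("utf-16-le").rstrip("\0")
            data = image[body + name_size:body + name_size + data_size]
            variables.append(Variable(name, uuid.UUID(bytes_le=vendor), attrs, data))
        off = (body + name_size + data_size + 3) & ~3      # HEADER_ALIGNMENT == 4
    return variables

def x509_entries(sigdb: bytes) -> list:
    """DER certificates from a chain of EFI_SIGNATURE_LISTs (the PK/KEK/db payload)."""
    certs, off = [], 0
    while off + 28 <= len(sigdb):
        sig_type = uuid.UUID(bytes_le=sigdb[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", sigdb, off + 16)
        if list_size < 28 or off + list_size > len(sigdb):
            raise ValueError("corrupt EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_X509_GUID:
            pos = off + 28 + hdr_size
            while pos + sig_size <= off + list_size:
                certs.append(sigdb[pos + 16:pos + sig_size])   # skip SignatureOwner GUID
                pos += sig_size
        off += list_size
    return certs

def enrollment_summary(image: bytes, cert_der: bytes) -> dict:
    """Are PK/KEK/db populated, and is cert_der an X.509 entry of db?"""
    found = {(v.guid, v.name): v.data for v in parse_varstore(image)}
    db = found.get((EFI_IMAGE_SECURITY_DATABASE, "db"), b"")
    return {"PK": bool(found.get((EFI_GLOBAL_VARIABLE, "PK"))),
            "KEK": bool(found.get((EFI_GLOBAL_VARIABLE, "KEK"))),
            "db": bool(db), "cert_in_db": cert_der in x509_entries(db)}

# Constructed sample data so the module runs offline; the "DER" is a placeholder blob.
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(_FAKE_DER).decode(), 64))
              + "\n-----END CERTIFICATE-----\n")

def _siglist_x509(der: bytes) -> bytes:
    sig = uuid.UUID(int=0).bytes_le + der                          # SignatureOwner + DER
    return EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

def _var(name: str, guid: uuid.UUID, data: bytes, state: int = VAR_ADDED) -> bytes:
    wname = (name + "\0").encode("utf-16-le")
    hdr = VAR_HEADER.pack(VAR_START_ID, state, 0, 0x27, 0, b"\0" * 16, 0,   # 0x27: NV|BS|RT|TIME_AUTH
                          len(wname), len(data), guid.bytes_le)
    return hdr + wname + data + b"\xff" * (-(60 + len(wname) + len(data)) % 4)

def sample_images(der: bytes) -> tuple:
    """One store with der in PK and db (KEK deleted), one whose db holds a different blob."""
    store = AUTH_VARSTORE_GUID.bytes_le + b"\0" * 12
    enrolled = (store + _var("PK", EFI_GLOBAL_VARIABLE, _siglist_x509(der))
                + _var("KEK", EFI_GLOBAL_VARIABLE, _siglist_x509(der), VAR_DELETED)
                + _var("db", EFI_IMAGE_SECURITY_DATABASE, _siglist_x509(der)) + b"\xff" * 64)
    other = store + _var("db", EFI_IMAGE_SECURITY_DATABASE, _siglist_x509(b"\x30\x03\x02\x01\x00"))
    return enrolled, other + b"\xff" * 64

if __name__ == "__main__":   # e.g. OVMF_VARS_4M.snakeoil.fd /usr/share/ovmf/PkKek-1-snakeoil.pem
    with open(sys.argv[1], "rb") as img, open(sys.argv[2]) as pem:
        print(enrollment_summary(img.read(), pem_to_der(pem.read())))
```

Two caveats. The script only answers the enrollment question; it does not prove the snakeoil private key matches the certificate or that a binary signed with it boots, which is what the sbsign/boot-vm run later in this report exercises. It also expects the authenticated variable store used by the SMM-enabled secboot images; a vars file built with the plain (non-authenticated) store GUID has a different header and raises. The "unenrolled" sample is only a constructed contrast, not a reconstruction of what the broken 2022.02 snakeoil image actually contained.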
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package edk2 - 2022.05-4

---------------
edk2 (2022.05-4) unstable; urgency=medium

  * autopkgtest: Fix regression in test_aavmf_ms_secure_boot_unsigned
    by porting it to the new GrubShellBootableIsoImage interface.

 -- dann frazier <email address hidden> Wed, 07 Sep 2022 07:23:15 -0600

Changed in edk2 (Ubuntu):
status: In Progress → Fix Released
dann frazier (dannf)
Changed in edk2 (Ubuntu Jammy):
status: Triaged → In Progress
assignee: nobody → dann frazier (dannf)
dann frazier (dannf)
description: updated
description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Scott, or anyone else affected,

Accepted edk2 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/edk2/2022.02-3ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in edk2 (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Revision history for this message
Scott Moser (smoser) wrote :

I've verified this using the gist at https://gist.github.com/smoser/86781865f7191bbb790c74453967f28c (which is also attached).

$ lxc launch ubuntu:jammy j1
$ lxc exec j1 /bin/bash

% echo deb http://archive.ubuntu.com/ubuntu jammy-proposed main restricted > /etc/apt/sources.list.d/proposed.list
% apt-get update
% apt-get install --no-install-recommends --assume-yes \
     mtools dosfstools qemu-system-x86 qemu-utils

% git clone https://gist.github.com/86781865f7191bbb790c74453967f28c.git gist
% cd gist
% ./collect-ovmf ovmf-jammy-proposed
...
wrote PkKek-1-snakeoil.pem from /usr/share/ovmf/PkKek-1-snakeoil.pem
linked from signing.pem to PkKek-1-snakeoil.pem
wrote PkKek-1-snakeoil.key from /usr/share/ovmf/PkKek-1-snakeoil.key
linked from signing.key to PkKek-1-snakeoil.key
wrote signing.password from text
wrote OVMF_VARS_4M.fd from /usr/share/OVMF/OVMF_VARS_4M.fd
wrote OVMF_CODE_4M.secboot.fd from /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
wrote OVMF_VARS_4M.snakeoil.fd from /usr/share/OVMF/OVMF_VARS_4M.snakeoil.fd
linked from ovmf-insecure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-insecure-vars.fd to OVMF_VARS_4M.fd
linked from ovmf-secure-code.fd to OVMF_CODE_4M.secboot.fd
linked from ovmf-secure-vars.fd to OVMF_VARS_4M.snakeoil.fd

% cat ovmf-jammy-proposed/firmware-info.yaml
release: jammy
packages:
  ovmf: "2022.02-3ubuntu0.22.04.1"

% sbsign \
    --key=ovmf-jammy-proposed/signing-nopassphrase.key \
    --cert=ovmf-jammy-proposed/signing.pem \
    --output=esp-jammy-proposed/hello-signed.efi \
    HelloWorld.efi
warning: data remaining[45056 vs 54568]: gaps between PE/COFF sections?
Signing Unsigned original image

% sbverify --list esp-jammy-proposed/hello-signed.efi
warning: data remaining[46760 vs 56272]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil
image signature certificates:
 - subject: /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil
   issuer: /C=US/ST=Colorado/L=Fort Collins/O=SnakeOil

% ./gen-esp create esp-jammy-proposed.img esp-jammy-proposed/hello-signed.efi:hello-signed.efi
creating image 128MB in esp-jammy-proposed.img
EFI/BOOT/HELLO-SIGNED.EFI -> EFI/BOOT/HELLO-SIGNED.EFI

## local change to disable kvm, as it won't work in a container
% git diff
diff --git a/boot-vm b/boot-vm
index 96217d7..cac7f4d 100755
--- a/boot-vm
+++ b/boot-vm
@@ -75,7 +75,7 @@ main() {
     # -object rng-random,filename=/dev/urandom,id=rng0 \
     # -device virtio-rng-pci,rng=rng0 \
     set -- qemu-system-x86_64 \
- -M "q35,smm=on,accel=kvm" \
+ -M "q35,smm=on" \
         -m 1024 \
         -vga none -serial mon:stdio \
         -global "driver=cfi.pflash01,property=secure,value=on" \
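Review bot: dropping accel=kvm from the -M string makes QEMU fall back to TCG silently, which is what a container without /dev/kvm needs but also hides the case where KVM was expected and is missing. If boot-vm is meant to run in both places, test for /dev/kvm or pass the accelerator separately (`-accel kvm -accel tcg`, which QEMU tries in order) instead of carrying a local edit. The smm=on machine property and the `-global driver=cfi.pflash01,property=secure,value=on` line are unchanged, so the pflash stays writable only from SMM and the Secure Boot behaviour under verification is unaffected.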

% ./boot-vm ovmf-jammy-proposed esp-jammy-proposed.img
...
Shell> fs0:
FS0:\> cd efi\boot
FS0:\efi\boot\> HELLO-SIGNED.EFI

┌──────────────────────────────────────────────────────────────────────┐
│ HelloWorld                                                           │
│                                                                      │
│ This file is used to prove you have managed                          │
│ To execute an unsigned binary in secure boot...


tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package edk2 - 2022.02-3ubuntu0.22.04.1

---------------
edk2 (2022.02-3ubuntu0.22.04.1) jammy; urgency=medium

  * Enroll snakeoil keys w/ EnrollDefaultKeys.efi --no-default, fixing
    a regression introduced with the transition to edk2-vars-generator.py.
    LP: #1986692.
  * autopkgtest: Add regression tests for snakeoil images.

 -- dann frazier <email address hidden> Mon, 12 Sep 2022 21:05:26 -0600

Changed in edk2 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for edk2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
