Ubuntu
grub2 package

Bug #1862279
Comment #2

Comment 2 for bug 1862279

Revision history for this message

dann frazier (dannf) wrote on 2020-02-25:

I dug up my arm64/disco VM that I had hacked up to test this shim build before MS had signed it:

ubuntu@disco:~$ sudo mokutil --sb-state
SecureBoot enabled

So what's the relevant difference between this working config and the broken one?

Looks like I had set it up following:
https://wiki.archlinux.org/index.php/Secure_Boot

That is, I had created and installed unique PK, KEK & db keys:
ubuntu@disco:~$ sudo mokutil --pk | grep Issuer
        Issuer: CN=my Platform Key
ubuntu@disco:~$ sudo mokutil --kek | grep Issuer
        Issuer: CN=my Key Exchange Key
ubuntu@disco:~$ sudo mokutil --db | grep Issuer
        Issuer: CN=my Signature Database key
ubuntu@disco:~$ sudo mokutil --dbx | grep Issuer
ubuntu@disco:~$

I had signed shim w/ my custom db key:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/shimaa64.efi
warning: data remaining[836920 vs 900344]: gaps between PE/COFF sections?
Signature verification OK

And apparently GRUB as well:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/grubaa64.efi
Signature verification OK

While the kernel is an unmodified signed Canonical image.

And from the host:
ii qemu-efi-aarch64 0~20191122.bd85bf54-1 all UEFI firmware for 64-bit ARM virtual machines

I dug up my arm64/disco VM that I had hacked up to test this shim build before MS had signed it:

ubuntu@disco:~$ sudo mokutil --sb-state
SecureBoot enabled

So what's the relevant difference between this working config and the broken one?

Looks like I had set it up following:
  https://wiki.archlinux.org/index.php/Secure_Boot

I had signed shim w/ my custom db key:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/shimaa64.efi 
warning: data remaining[836920 vs 900344]: gaps between PE/COFF sections?
Signature verification OK

And apparently GRUB as well:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/grubaa64.efi 
Signature verification OK

While the kernel is an unmodified signed Canonical image.

Some package versions:
ubuntu@disco:~$ dpkg -l | grep -e shim
ii  shim                             15+1552672080.a4a1fbe-0ubuntu1                    arm64        boot loader to chain-load signed boot loaders under Secure Boot
ii  shim-signed                      1.40~uefi1+dannf.1+15+1552672080.a4a1fbe-0ubuntu1 arm64        Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@disco:~$ dpkg -l | grep grub
ii  grub-common                      2.02+dfsg1-12ubuntu2.1                            arm64        GRand Unified Bootloader (common files)
ii  grub-efi-arm64                   2.02+dfsg1-12ubuntu2.1                            arm64        GRand Unified Bootloader, version 2 (ARM64 UEFI version)
ii  grub-efi-arm64-bin               2.02+dfsg1-12ubuntu2.1                            arm64        GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
ii  grub-efi-arm64-signed            1.115+2.02+dfsg1-12ubuntu2                        arm64        GRand Unified Bootloader, version 2 (EFI-ARM64 version, signed)
ii  grub2-common                     2.02+dfsg1-12ubuntu2.1                            arm64        GRand Unified Bootloader (common files for version 2)
ubuntu@disco:~$ dpkg -l | grep linux-image
ii  linux-image-5.0.0-36-generic     5.0.0-36.39                                       arm64        Signed kernel image generic
ii  linux-image-5.0.0-37-generic     5.0.0-37.40                                       arm64        Signed kernel image generic
ii  linux-image-virtual              5.0.0.37.39                                       arm64        Virtual Linux kernel image

And from the host:
ii  qemu-efi-aarch64                             0~20191122.bd85bf54-1                   all          UEFI firmware for 64-bit ARM virtual machines

Ubuntugrub2 package

Comment 2 for bug 1862279

Ubuntu
grub2 package