Comment 2 for bug 1862279

dann frazier (dannf) wrote:

I dug up my arm64/disco VM that I had hacked up to test this shim build before MS had signed it:

ubuntu@disco:~$ sudo mokutil --sb-state
SecureBoot enabled

So what's the relevant difference between this working config and the broken one?

Looks like I had set it up following:
  https://wiki.archlinux.org/index.php/Secure_Boot

That is, I had created and installed unique PK, KEK & db keys:
ubuntu@disco:~$ sudo mokutil --pk | grep Issuer
        Issuer: CN=my Platform Key
ubuntu@disco:~$ sudo mokutil --kek | grep Issuer
        Issuer: CN=my Key Exchange Key
ubuntu@disco:~$ sudo mokutil --db | grep Issuer
        Issuer: CN=my Signature Database key
ubuntu@disco:~$ sudo mokutil --dbx | grep Issuer
ubuntu@disco:~$

I had signed shim w/ my custom db key:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/shimaa64.efi
warning: data remaining[836920 vs 900344]: gaps between PE/COFF sections?
Signature verification OK

And apparently GRUB as well:
ubuntu@disco:~$ sudo sbverify --cert db.crt /boot/efi/EFI/ubuntu/grubaa64.efi
Signature verification OK

While the kernel is an unmodified signed Canonical image.

Some package versions:
ubuntu@disco:~$ dpkg -l | grep -e shim
ii shim 15+1552672080.a4a1fbe-0ubuntu1 arm64 boot loader to chain-load signed boot loaders under Secure Boot
ii shim-signed 1.40~uefi1+dannf.1+15+1552672080.a4a1fbe-0ubuntu1 arm64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@disco:~$ dpkg -l | grep grub
ii grub-common 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader (common files)
ii grub-efi-arm64 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader, version 2 (ARM64 UEFI version)
ii grub-efi-arm64-bin 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
ii grub-efi-arm64-signed 1.115+2.02+dfsg1-12ubuntu2 arm64 GRand Unified Bootloader, version 2 (EFI-ARM64 version, signed)
ii grub2-common 2.02+dfsg1-12ubuntu2.1 arm64 GRand Unified Bootloader (common files for version 2)
ubuntu@disco:~$ dpkg -l | grep linux-image
ii linux-image-5.0.0-36-generic 5.0.0-36.39 arm64 Signed kernel image generic
ii linux-image-5.0.0-37-generic 5.0.0-37.40 arm64 Signed kernel image generic
ii linux-image-virtual 5.0.0.37.39 arm64 Virtual Linux kernel image

And from the host:
ii qemu-efi-aarch64 0~20191122.bd85bf54-1 all UEFI firmware for 64-bit ARM virtual machines
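As an added illustration (not part of this bug report or of shim's own code), a small Python model of the trust chain the comment checks by hand: firmware verifies shim against db/dbx only, while shim also accepts binaries signed by its built-in vendor cert or a MokList entry. Certificate names are constructed stand-ins; CANONICAL_CA and MICROSOFT_UEFI_CA are placeholders for certs whose real CNs are not given on the page.

```python
# Added example (not from the bug report): toy model of the Secure Boot trust
# chain. Certs are stand-in CN strings, not real X.509; CANONICAL_CA and
# MICROSOFT_UEFI_CA are placeholders for certs whose real CNs are not on the page.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Binary:
    name: str
    signer: Optional[str]  # CN of the signing cert, None if unsigned

@dataclass
class Firmware:
    db: set  # allowed signers (UEFI db variable)
    dbx: set = field(default_factory=set)  # revoked signers (empty on the page's VM)

@dataclass
class Shim:
    vendor_cert: str  # cert compiled into shim at build time
    mok_list: set = field(default_factory=set)
    mok_listx: set = field(default_factory=set)

def firmware_trusts(fw, b):
    # Firmware consults only db/dbx when it loads shim.
    return b.signer is not None and b.signer in fw.db and b.signer not in fw.dbx

def shim_trusts(fw, shim, b):
    # shim additionally accepts its vendor cert and MokList, and honours MokListX.
    if b.signer is None or b.signer in fw.dbx or b.signer in shim.mok_listx:
        return False
    return b.signer in fw.db or b.signer == shim.vendor_cert or b.signer in shim.mok_list

def verify_chain(fw, shim, shim_bin, grub_bin, kernel_bin):
    """Return {stage: ok}, stopping at the first failure as a real boot would."""
    results = {"shim": firmware_trusts(fw, shim_bin)}
    if results["shim"]:
        results["grub"] = shim_trusts(fw, shim, grub_bin)
    if results.get("grub"):
        results["kernel"] = shim_trusts(fw, shim, kernel_bin)
    return results

# Constructed stand-ins for the working VM: the custom db key signs shim and
# grub, the kernel is a stock Canonical-signed image.
SHIM_AA64 = Binary("shimaa64.efi", "my Signature Database key")
GRUB_AA64 = Binary("grubaa64.efi", "my Signature Database key")
KERNEL = Binary("vmlinuz-5.0.0-37-generic", "CANONICAL_CA")
UBUNTU_SHIM = Shim(vendor_cert="CANONICAL_CA")
CUSTOM_FW = Firmware(db={"my Signature Database key"})
STOCK_FW = Firmware(db={"MICROSOFT_UEFI_CA"})  # contrast: stock db without the custom key
```

Calling `verify_chain(CUSTOM_FW, UBUNTU_SHIM, SHIM_AA64, GRUB_AA64, KERNEL)` reports every stage as trusted, whereas the same binaries under `STOCK_FW` stop at the shim stage because the firmware's db does not contain the custom signing key.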