From 4761e4f3fa00e33dc3c74dbb76bf9d3f24aea502 Mon Sep 17 00:00:00 2001 From: Scott Little Date: Wed, 16 Oct 2019 15:18:19 -0400 Subject: [PATCH] Secure boot no longer working Secure Boot's hasn't been tested since July 2018 The principle players in the Secure Boot chain of trust are Shim, Grub, and the Linux kernel. All three components have seen multiple upgrades since the last test. A new build option has been added to shim, (ENABLE_SHIM_CERT) that enables/disables the support for an embedded shim key. It defaults to disabled. It also controls the generation of a random shim key, and the build time signing of fallback and MokManager components. Since we don't want a random shim key (reproducable builds), and we do signing as a post build step, leaving it disabled seemed like the correct setting initially... until it's function to disable shim keys entirely was discovered. This update reworks the shim patch so that we can embed a prebuilt shim key, and still have shim key functionality active. Closes-Bug: 1864245 Change-Id: Ibcb6bcfe3060ce0b3e2c2f3c23908bb7127b0ccd Signed-off-by: Scott Little --- .../0001-Use-Titanium-certificate.patch | 46 +++++++++++++++---- 1 file changed, 37 insertions(+), 9 deletions(-) diff --git a/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch b/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch index 5b2deec67..467ca95b4 100644 --- a/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch +++ b/security/shim-unsigned/centos/patches/0001-Use-Titanium-certificate.patch @@ -1,15 +1,16 @@ -From 057532ac6c77d20ae8d6ce0354e7ef67b1870eb6 Mon Sep 17 00:00:00 2001 +From 7fc985a350f9f7f5abbd19cef7a1947a3e33e5c8 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 15 Jan 2018 13:25:04 -0500 Subject: [PATCH] Use Titanium certificate +Signed-off-by: Scott Little --- Make.defaults | 6 ++++++ - Makefile | 20 ++++++++++++-------- - 2 files changed, 18 insertions(+), 8 deletions(-) + Makefile | 29 ++++++++++++++++------------- + 2 files changed, 22 insertions(+), 13 deletions(-) diff --git a/Make.defaults b/Make.defaults -index 3cec82d..d7606db 100644 +index e11ab5a..d16510c 100644 --- a/Make.defaults +++ b/Make.defaults @@ -51,6 +51,12 @@ CLANG_BUGS = $(if $(findstring gcc,$(CC)),-maccumulate-outgoing-args,) @@ -26,11 +27,14 @@ index 3cec82d..d7606db 100644 CFLAGS += -DOVERRIDE_SECURITY_POLICY endif diff --git a/Makefile b/Makefile -index 115e7f0..8964a97 100644 +index 115e7f0..f2b37fa 100644 --- a/Makefile +++ b/Makefile -@@ -34,7 +34,7 @@ else +@@ -32,9 +32,10 @@ TARGETS += $(MMNAME).signed $(FBNAME).signed + CFLAGS += -DENABLE_SHIM_CERT + else TARGETS += $(MMNAME) $(FBNAME) ++CFLAGS += -DENABLE_SHIM_CERT endif OBJS = shim.o mok.o netboot.o cert.o replacements.o tpm.o version.o errlog.o -KEYS = shim_cert.h ocsp.* ca.* shim.crt shim.csr shim.p12 shim.pem shim.key shim.cer @@ -38,7 +42,7 @@ index 115e7f0..8964a97 100644 ORIG_SOURCES = shim.c mok.c netboot.c replacements.c tpm.c errlog.c shim.h version.h $(wildcard include/*.h) MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h) -@@ -52,14 +52,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) +@@ -52,14 +53,18 @@ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source)) all: $(TARGETS) @@ -61,7 +65,7 @@ index 115e7f0..8964a97 100644 echo "static UINT8 shim_cert[] __attribute__((__unused__)) = {" > $@ $(HEXDUMP) -v -e '1/1 "0x%02x, "' $< >> $@ echo "};" >> $@ -@@ -70,10 +74,10 @@ version.c : $(TOPDIR)/version.c.in +@@ -70,15 +75,13 @@ version.c : $(TOPDIR)/version.c.in -e "s,@@COMMIT@@,$(COMMIT_ID)," \ < $< > $@ @@ -74,7 +78,31 @@ index 115e7f0..8964a97 100644 + $(CERTUTIL) -d certdb/ -A -i $(INTERNAL_CERT).crt -n shim -t u shim.o: $(SOURCES) - ifneq ($(origin ENABLE_SHIM_CERT),undefined) +-ifneq ($(origin ENABLE_SHIM_CERT),undefined) + shim.o: shim_cert.h +-endif + shim.o: $(wildcard $(TOPDIR)/*.h) + + cert.o : $(TOPDIR)/cert.S +@@ -213,8 +216,8 @@ endif + $^ $@ + + ifneq ($(origin ENABLE_SBSIGN),undefined) +-%.efi.signed: %.efi shim.key shim.crt +- $(SBSIGN) --key shim.key --cert shim.crt --output $@ $< ++%.efi.signed: %.efi $(INTERNAL_CERT).key $(INTERNAL_CERT).crt ++ $(SBSIGN) --key $(INTERNAL_CERT).key --cert $(INTERNAL_CERT).crt --output $@ $< + else + %.efi.signed: %.efi certdb/secmod.db + $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f +@@ -258,6 +261,6 @@ archive: tag + @rm -rf /tmp/shim-$(VERSION) + @echo "The archive is in shim-$(VERSION).tar.bz2" + +-.PHONY : install-deps shim.key ++.PHONY : install-deps $(INTERNAL_CERT).key + + export ARCH CC LD OBJCOPY EFI_INCLUDE -- 1.8.3.1