Bug#906124: grub-efi: Secureboot GPG signature validation fails since 2.02+dfsg1-5 Package: grub-efi

Somebody else jm.bugtracking at gmail.com
Tue Aug 14 16:30:42 BST 2018


Package: grub-efi
Version: 2.02+dfsg1-5
Severity: grave
Justification: renders package unusable

Dear Maintainer,

I use Debian Buster with secureboot enabled on my Dell XPS13. I replaced
all UEFI keys with my own RSA keys and created a standalone grub_efi image using
the scripts at https://github.com/jdelic/secureboot/.

Since updating to 2.02+dfsg1-5, booting in secureboot mode fails with an
"invalid signature" error for vmlinuz-4.17.0-1-amd64. I turned on "crypt"
debug mode on the signed grub image and the last logged "alive" line is
verify.c:620. So GRUB detects secureboot, starts verifying the kernel signature, and then fails.

I use my public GPG key (0x7CDC4589) for signing. The detached signature is: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=

You can verify the signature like this:
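# Reproduction recipe for the signature check (meant for an interactive shell).
# Work in a fresh, unpredictable directory instead of a fixed /tmp path.
workdir=$(mktemp -d) && cd "$workdir"
apt download linux-image-4.17.0-1-amd64
dpkg-deb -x \
    linux-image-4.17.0-1-amd64_4.17.8-1_amd64.deb \
    unpack
# Paste the base64 signature from above on stdin, then end input with Ctrl-D;
# base64 -d writes the binary detached signature next to the unpacked kernel.
base64 -d > unpack/boot/vmlinuz-4.17.0-1-amd64.sig
# Fetch the key by its full fingerprint (shown in the gpg output below) rather
# than the 32-bit short id 7CDC4589: short ids are not collision-resistant, so a
# keyserver lookup by short id can return a different key than intended.
gpg --recv-key E4D43204861E1E2654D689D19FE9665384D17918
# Name the signed data explicitly so gpg does not have to guess it from the
# .sig file name.
gpg --verify unpack/boot/vmlinuz-4.17.0-1-amd64.sig unpack/boot/vmlinuz-4.17.0-1-amd64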

You should then see output like this:
gpg: assuming signed data in 'unpack/boot/vmlinuz-4.17.0-1-amd64'
gpg: Signature made Tue 14 Aug 2018 12:03:08 PM CEST
gpg:                using RSA key E4D43204861E1E2654D689D19FE9665384D17918
gpg: Good signature from "Jonas Maurus <jonas at maurus.net>" [ultimate]
gpg:                 aka "Jonas Maurus <jonas-github at maurus.net>" [ultimate]
gpg:                 aka "Jonas Maurus <jonas-bitbucket at maurus.net>" [ultimate]

Please contact me if you need any more information.
Thank you,
Jonas Maurus

-- Package-specific info:

*********************** BEGIN /proc/mounts
/dev/mapper/vg0-root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/nvme0n1p2 /boot ext2 rw,relatime,block_validity,barrier,user_xattr,acl 0 0
/dev/nvme0n1p1 /boot/efi vfat
rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro
0 0
/dev/mapper/vg0-home /home ext4 rw,relatime 0 0
*********************** END /proc/mounts

*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#

### BEGIN /etc/grub.d/00_header ###
# Read the persistent GRUB environment block ($prefix/grubenv), if present and
# non-empty, so the saved-default / next-entry state used below is available.
if [ -s $prefix/grubenv ]; then
  set have_grubenv=true
  load_env
fi
# One-shot boot: honour next_entry once, then clear it again in grubenv.
if [ "${next_entry}" ] ; then
   set default="${next_entry}"
   set next_entry=
   save_env next_entry
   set boot_once=true
else
   set default="0"
fi

# Only pass --id to menuentry/submenu when this GRUB build supports it.
if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
else
  menuentry_id_option=""
fi

export menuentry_id_option

# Restore a previously saved entry after a one-shot boot and clear the marker.
if [ "${prev_saved_entry}" ]; then
  set saved_entry="${prev_saved_entry}"
  save_env saved_entry
  set prev_saved_entry=
  save_env prev_saved_entry
  set boot_once=true
fi

# Record the chosen entry as the saved default in grubenv, unless this is a
# one-shot (boot_once) boot, which must not overwrite the saved default.
function savedefault {
  if [ -z "${boot_once}" ]; then
    saved_entry="${chosen}"
    save_env saved_entry
  fi
}
# Load the video backends: the all_video meta-module when this GRUB build
# provides it, otherwise the individual EFI / BIOS / OpenFirmware drivers.
function load_video {
  if [ x$feature_all_video_module = xy ]; then
    insmod all_video
  else
    insmod efi_gop
    insmod efi_uga
    insmod ieee1275_fb
    insmod vbe
    insmod vga
    insmod video_bochs
    insmod video_cirrus
  fi
}

# Pick the console font: the built-in unicode font when the default-font-path
# feature exists, otherwise locate /grub/unicode.pf2 on the filesystem with
# the UUID below (the /boot partition, nvme0n1p2, per the by-uuid listing).
if [ x$feature_default_font_path = xy ] ; then
   font=unicode
else
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
  search --no-floppy --fs-uuid --set=root  41f85d8a-3669-417c-8a68-31b1edd73596
else
  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
fi
    font="/grub/unicode.pf2"
fi

# Graphical terminal and locale only if the font could actually be loaded.
# NOTE(review): with signature verification enforced, loadfont is expected to
# require a signed unicode.pf2 as well — confirm.
if loadfont $font ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
  set locale_dir=$prefix/locale
  set lang=en_US
  insmod gettext
fi
terminal_output gfxterm
# After a recorded failed boot show the menu for 30s; otherwise hide it with a
# zero timeout (or, on builds lacking timeout_style, via an interruptible
# zero-second sleep).
if [ "${recordfail}" = 1 ] ; then
  set timeout=30
else
  if [ x$feature_timeout_style = xy ] ; then
    set timeout_style=hidden
    set timeout=0
  # Fallback hidden-timeout code in case the timeout_style feature is
  # unavailable.
  elif sleep --interruptible 0 ; then
    set timeout=0
  fi
fi
### END /etc/grub.d/00_header ###

### BEGIN /etc/grub.d/05_debian_theme ###
# Debian theme: menu colours as foreground/background pairs.
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###

### BEGIN /etc/grub.d/10_linux ###
# Set the video mode handed over to the kernel (gfxpayload) from the first
# argument. Not invoked anywhere in this generated config.
function gfxmode {
        set gfxpayload="${1}"
}
# Linux graphics mode is left empty here and exported for the entries below.
set linux_gfx_mode=
export linux_gfx_mode
# Default entry: boots the 4.17 kernel from the /boot filesystem (UUID below).
# --unrestricted: selectable without GRUB user authentication.
# The report's "invalid signature" error is for the kernel file loaded here.
menuentry 'Debian GNU/Linux' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_gpt
        insmod ext2
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
        else
          search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
        fi
        echo    'Loading Linux 4.17.0-1-amd64 ...'
        # With signature verification enforced GRUB also reads the detached
        # /vmlinuz-4.17.0-1-amd64.sig for this file (see verify.c in the report).
        linux   /vmlinuz-4.17.0-1-amd64 root=/dev/mapper/vg0-root ro quiet splash
        echo    'Loading initial ramdisk ...'
        initrd  /initrd.img-4.17.0-1-amd64
}
# "Advanced options": explicit normal and recovery entries for the current
# 4.17 kernel and the previous 4.16 kernel. Every kernel and initrd loaded
# below is checked against its detached .sig when GRUB's signature
# verification is enforced, so each older kernel must stay signed as long as
# its entry is kept.
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
        menuentry 'Debian GNU/Linux, with Linux 4.17.0-1-amd64' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.17.0-1-amd64-advanced-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.17.0-1-amd64 ...'
                linux   /vmlinuz-4.17.0-1-amd64 root=/dev/mapper/vg0-root ro  quiet splash
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.17.0-1-amd64
        }
        # Recovery: same kernel booted with the "single" (single-user) parameter
        # and without "quiet splash".
        menuentry 'Debian GNU/Linux, with Linux 4.17.0-1-amd64 (recovery mode)' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.17.0-1-amd64-recovery-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.17.0-1-amd64 ...'
                linux   /vmlinuz-4.17.0-1-amd64 root=/dev/mapper/vg0-root ro single
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.17.0-1-amd64
        }
        # Previous kernel (4.16.0-2), still bootable from this menu.
        menuentry 'Debian GNU/Linux, with Linux 4.16.0-2-amd64' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.16.0-2-amd64-advanced-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.16.0-2-amd64 ...'
                linux   /vmlinuz-4.16.0-2-amd64 root=/dev/mapper/vg0-root ro  quiet splash
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.16.0-2-amd64
        }
        # Recovery entry for the previous kernel.
        menuentry 'Debian GNU/Linux, with Linux 4.16.0-2-amd64 (recovery mode)' --unrestricted --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.16.0-2-amd64-recovery-35576bd3-f64f-4d3f-893b-1c9a1fd47d9f' {
                load_video
                insmod gzio
                if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
                insmod part_gpt
                insmod ext2
                if [ x$feature_platform_search_hint = xy ]; then
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                else
                  search --no-floppy --fs-uuid --set=root 41f85d8a-3669-417c-8a68-31b1edd73596
                fi
                echo    'Loading Linux 4.16.0-2-amd64 ...'
                linux   /vmlinuz-4.16.0-2-amd64 root=/dev/mapper/vg0-root ro single
                echo    'Loading initial ramdisk ...'
                initrd  /initrd.img-4.16.0-2-amd64
        }
}

### END /etc/grub.d/10_linux ###

### BEGIN /etc/grub.d/20_linux_xen ###

### END /etc/grub.d/20_linux_xen ###

### BEGIN /etc/grub.d/30_os-prober ###
### END /etc/grub.d/30_os-prober ###

### BEGIN /etc/grub.d/30_uefi-firmware ###
# Reboot into the UEFI firmware setup screen (EFI platforms only).
menuentry 'System setup' $menuentry_id_option 'uefi-firmware' {
        fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###

### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###

### BEGIN /etc/grub.d/41_custom ###
# Hook for local additions: source custom.cfg from the config directory, or
# from $prefix when no config directory is set. With signature verification
# enforced, a custom.cfg is expected to need its own detached signature too.
if [ -f  ${config_directory}/custom.cfg ]; then
  source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
  source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg

*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat

*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-nvme0n1p3_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-home -> ../../dm-3
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-root -> ../../dm-1
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-swap -> ../../dm-2
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-win--jm -> ../../dm-5
lrwxrwxrwx 1 root root 10 Aug 14 12:05 dm-name-vg0-win--optile -> ../../dm-4
lrwxrwxrwx 1 root root 10 Aug 14 12:05
dm-uuid-CRYPT-LUKS1-89c743c8ca7040fda48ce41308b474d7-nvme0n1p3_crypt
-> ../../dm-0
lrwxrwxrwx 1 root root 10 Aug 14 12:05
dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhBuEzIQlv5Zv8cSMFqXD1aFGxEDz2Wh9c
-> ../../dm-3
lrwxrwxrwx 1 root root 10 Aug 14 12:05
dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhWZnhVmY9LIcM750PWOBNxk8FMVu6fKNH
-> ../../dm-1
lrwxrwxrwx 1 root root 10 Aug 14 12:05
dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhqfFDA4csHnpiq2g8sH4ByQNhb8dnfXmf
-> ../../dm-2
lrwxrwxrwx 1 root root 10 Aug 14 12:05
dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhtPgY9LAgSGhLi3cUFnEPu2icbkrY68XO
-> ../../dm-5
lrwxrwxrwx 1 root root 10 Aug 14 12:05
dm-uuid-LVM-khfL0UKP45rIJh6iGPxlZVEbJKFKKwYhyfn4rn6VWrvE7CPYZm3MtqDr7KMocc5m
-> ../../dm-4
lrwxrwxrwx 1 root root 10 Aug 14 12:05
lvm-pv-uuid-X73TVb-tEQO-DDID-r3JJ-bZC0-50i5-UGucvI -> ../../dm-0
lrwxrwxrwx 1 root root 13 Aug 14 12:05
nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Aug 14 12:05
nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS-part1 ->
../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Aug 14 12:05
nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS-part2 ->
../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Aug 14 12:05
nvme-KXG50ZNV512G_NVMe_TOSHIBA_512GB_979B504EK5LS-part3 ->
../../nvme0n1p3
lrwxrwxrwx 1 root root 13 Aug 14 12:05
nvme-eui.000000000000001000080d03001ee12c -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Aug 14 12:05
nvme-eui.000000000000001000080d03001ee12c-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Aug 14 12:05
nvme-eui.000000000000001000080d03001ee12c-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Aug 14 12:05
nvme-eui.000000000000001000080d03001ee12c-part3 -> ../../nvme0n1p3
*********************** END /dev/disk/by-id

*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 15 Aug 14 12:05 1CE4-948F -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 10 Aug 14 12:05
35576bd3-f64f-4d3f-893b-1c9a1fd47d9f -> ../../dm-1
lrwxrwxrwx 1 root root 15 Aug 14 12:05
41f85d8a-3669-417c-8a68-31b1edd73596 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 10 Aug 14 12:05
77d51849-4cf5-456a-a709-733c7e790942 -> ../../dm-3
lrwxrwxrwx 1 root root 15 Aug 14 12:05
89c743c8-ca70-40fd-a48c-e41308b474d7 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 10 Aug 14 12:05
d7740961-92f5-4a13-923c-19bb865e2595 -> ../../dm-2
*********************** END /dev/disk/by-uuid

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.17.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub-efi depends on:
ii  grub-common     2.02+dfsg1-5
ii  grub-efi-amd64  2.02+dfsg1-5

grub-efi recommends no packages.

grub-efi suggests no packages.

-- no debconf information


