UEFI Secure Boot - GRUB WIP report

Philipp Hahn hahn at univention.de
Wed Jun 20 13:12:39 BST 2018


Hello Luca,

Am 19.06.2018 um 16:38 schrieb Luca Boccassi:
> On Tue, 2018-06-19 at 11:00 +0200, Philipp Hahn wrote:
>> Am 19.06.2018 um 10:25 schrieb Colin Watson:
>> The good news: It works: It loads the signed SHIM and GRUB.
>>
>> The bad news: GRUB still falls back to loading an unsigned Linux
>> kernel.
>> I suspect
>> <https://salsa.debian.org/pmhahn/grub/commit/448311e7374076fbd53e4c8b
>> 0f92accd04e07920>
>> @Luca: Any idea?
>
> Strange - I have tested running with that patch for a long time, and it
> does fail to load if the kernel is not signed with an expected key.
> Just tried again to confirm, and it's still the case, as far as I can
> see.
> 
> I really can't find my way around git-dpm though, I find it a bit
> confusing, being used to gbp - could there be an issue with the quilt
> patch?

I haven't used git-dpm yet, either.

> I have attached the debdiff of the grub build I use, here's the
> .debian.tar.xz:
> 
> https://download.opensuse.org/repositories/home:/bluca:/debian_secure_boot/Debian9/grub2_2.02+dfsg1-5.1.debian.tar.xz
> 
> Any chance a fully built image could be uploaded $somewhere to test?
> Otherwise I'll try to build one with your script as soon as I have a
> moment.

I uploaded my files to
<http://updates.software-univention.de/download/secure-boot/>

> I use OBS to build&sign everything, if you want to check what I run
> here's a live-bootable ISO without a signed kernel that fails to boot
> and goes back to grub after printing "error: /live/$FOO has invalid
> signature.":


I manually edited the GRUB menu entry and tried all 4 cases
  linux{,efi} vmlinuz-4.16.0-2-amd64{,.efi.signed}

- 3 load but afterwards I don't get /sys/kernel/security/securelevel and
Linux Kernel prints:
>   EFI stub: UEFI Secure Boot is enabled.
>   secureboot: Secure boot could not be determined (mode 0)

- Only "linuxefi" on "unsigned vmlinuz" fails as expected


> https://download.opensuse.org/repositories/home:/bluca:/debian_secure_boot/img_nokernel/iso/standard_20180619T1255-amd64-Build37.1.hybrid.iso
> 
> Here's one with a signed kernel that boots fine and shows "Kernel is
> locked down from EFI secure boot" in the kernel log:
> 
> https://download.opensuse.org/repositories/home:/bluca:/debian_secure_boot/img/iso/standard_20180611T1201-amd64-Build37.17.hybrid.iso
> 
> To get the certificate to load in qemu:
> 
> wget https://build.opensuse.org/projects/home:bluca:debian_secure_boot/ssl_certificate -O- | openssl x509 -inform pem -outform der -out obs.der

I'll take a look later - thanks for looking into it.
...

> Incidentally, any chance the couple of commits that you merged
> yesterday into your signing branch could be included as well? Would you
> like me to re-send the MRs to the new branch?

I already cherry-picked them into my new branch, but I forgot to push
them :-( I've done that now.

Philipp
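As an added example (not from this thread or from the Debian grub packaging), a small Python check for whether a kernel image such as vmlinuz-4.16.0-2-amd64 versus vmlinuz-4.16.0-2-amd64.efi.signed actually carries an embedded Authenticode signature, which is what the "linuxefi" path is expected to refuse when it is missing. It only reports presence of the PE Certificate Table, not validity against the enrolled certificate (sbverify does that); make_dummy_pe builds a constructed header for offline testing, not a real kernel.

```python
import struct
import sys

# Byte offset, within the optional header, of data directory entry 4
# (the Certificate Table) for PE32 (0x10B) and PE32+ (0x20B) images.
_SECURITY_DIR = {0x10B: 128, 0x20B: 144}
_NUM_DIRS = {0x10B: 92, 0x20B: 108}  # offset of NumberOfRvaAndSizes


def pe_signature_info(data: bytes) -> dict:
    """Report whether a PE/EFI image has an embedded Authenticode signature.
    Presence only: the table may still fail to verify against the enrolled
    certificate. Raises ValueError for non-PE or truncated input."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    opt_off = pe_off + 4 + 20  # skip PE signature and COFF file header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in _SECURITY_DIR:
        raise ValueError("unsupported optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, opt_off + _NUM_DIRS[magic])[0]
    if num_dirs < 5:  # no Certificate Table entry at all
        return {"signed": False, "offset": 0, "size": 0}
    off, size = struct.unpack_from("<II", data, opt_off + _SECURITY_DIR[magic])
    if off and size and off + size > len(data):
        raise ValueError("Certificate Table points past end of file")
    return {"signed": bool(off and size), "offset": off, "size": size}


def make_dummy_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for offline testing; not a real kernel."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)           # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)        # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", img, opt + 144, 0x300, 0x100)  # Certificate Table
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, type=PKCS_SIGNED_DATA
        struct.pack_into("<IHH", img, 0x300, 0x100, 0x0200, 0x0002)
    return bytes(img)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_signature_info(fh.read()))
```

Run it as `python3 pe_sig_check.py /boot/vmlinuz-4.16.0-2-amd64 /boot/vmlinuz-4.16.0-2-amd64.efi.signed` to compare the two images before relying on GRUB to reject the unsigned one.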
