Bug#1033657: grub-efi-arm64-signed: Secure Boot not working on arm64
Emanuele Rocca
ema at debian.org
Wed Mar 29 15:13:47 BST 2023
Package: grub-efi-arm64-signed
Version: 2.06-8
Hi,
Secure Boot does not work on arm64 using the shim signed by Microsoft [0] and
grub2 signed by Debian [1] currently in sid.
(a) SB not working with Debian's shim, grub and kernel:
$ sbverify --list /mnt/efi/boot/bootaa64.efi | grep subject
warning: data remaining[839096 vs 979672]: gaps between PE/COFF sections?
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
$ sbverify --list /mnt/efi/boot/grubaa64.efi | grep subject
- subject: /CN=Debian Secure Boot Signer 2022 - grub2
$ sbverify --list /mnt/vmlinuz-6.1.0-7-arm64 | grep subject
- subject: /CN=Debian Secure Boot Signer 2022 - linux
With the EFI variables from qemu-efi-aarch64's AAVMF_VARS.ms.fd, SHIM_VERBOSE
enabled via `mokutil --set-verbosity true`, and the firmware file AAVMF_CODE.fd
from edk2 rebuilt in debug mode (see https://bugs.debian.org/1033613):
$ qemu-system-aarch64 -machine virt -cpu cortex-a57 \
-drive file=AAVMF_CODE.debug.fd,format=raw,if=pflash,readonly=true \
-drive file=AAVMF_VARS.ms.verbose.fd \
[...]
grub> linux /vmlinuz-6.1.0-7-arm64
[...]
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
grub> boot
[Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A03D000,0x6C72D7C0).
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
The image doesn't pass verification: MemoryMapped(0x2,0x6A03D000,0x6C72D7C0)
error: cannot load image.
However:
(b) SB works with Ubuntu's shim, grub and kernel [2]
(c) SB works using a self-signed shim, grub, and kernel from unstable
The Ubuntu output (b) is:
grub> linux /vmlinuz-6.2.0-18-generic
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 2 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 3 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 4 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 5 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 6 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 7 (dbx)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
grub> boot
EFI stub: Booting Linux Kernel...
EFI stub: EFI_RNG_PROTOCOL unavailable
EFI stub: ERROR: FIRMWARE BUG: kernel image not aligned on 64k boundary
EFI stub: ERROR: FIRMWARE BUG: Image BSS overlaps adjacent EFI memory region
EFI stub: Generating empty DTB
EFI stub: Exiting boot services...
EFI stub: UEFI Secure Boot is enabled.
And the Debian self-signed output (c) is:
grub> linux /vmlinuz-6.1.0-7-arm64.selfsigned
[...]
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 1:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
grub> boot
[Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A040000,0x6C730E68).
DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
DxeImageVerification: MeasureVariable (Pcr - 7, EventType - 800000E0, VariableName - db, VendorGuid - D719B2CB-3D3A-4596-A3BC-DAD00E67656F)
MeasureBootPolicyVariable - Not Found
None of Tcg2Protocol/CcMeasurementProtocol is installed.
[...]
EFI stub: Booting Linux Kernel...
EFI stub: EFI_RNG_PROTOCOL unavailable
EFI stub: UEFI Secure Boot is enabled.
As for the way forward: the diff between Debian's grub and Ubuntu's is
non-trivial, so comparing the two may not be the best course of action. I see
that there is an old patchset at https://bugs.debian.org/836140 which could be
forward-ported, though.
In any case there are two difficulties when it comes to testing a new grub
version:
- Secure Boot just works when self-signing (c), and I'm not sure why that is
the case. We need to be able to reproduce the issue (a) with a self-signed
version of grub.
- There is no version of grubaa64.efi with debugging symbols enabled.
grub-efi-amd64-dbg provides unstripped versions of all the individual grub
modules, but there is no equivalent for the monolithic images.
--
[0] /usr/lib/shim/shimaa64.efi.signed from shim-signed 1.39
[1] /usr/lib/grub/arm64-efi-signed/grubaa64.efi.signed from
grub-efi-arm64-signed 2.06-8
[2] shim-signed_1.54+15.7-0ubuntu1_arm64.deb
grub-efi-arm64-signed_1.192+2.06-2ubuntu16_arm64.deb
linux-image-6.2.0-18-generic_6.2.0-18.18_arm64.deb
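The shim and firmware lines quoted in cases (a) to (c) follow a fixed format, so a boot attempt can be triaged mechanically. The following is an added example, not code from this report, shim, grub or Debian; it assumes that shim prints its "succeeded" line immediately after the certificate list that matched, and the sample input is a constructed condensation of case (a).

```python
"""Triage SHIM_VERBOSE and edk2 DxeImageVerificationLib console output.

Per Authenticode signature, report which certificate list shim consulted
(db, dbx, MokListRT) and whether the firmware later rejected the image at
LoadImage time, which is what distinguishes case (a) from (b) and (c).
"""
import re

SHIM_SIG = re.compile(r"verify_buffer_authenticode\(\) Attempting to verify signature (\d+)")
SHIM_TRY = re.compile(r"check_db_cert_in_ram\(\) trying to verify cert (\d+) \((\w+)\)")
SHIM_OK = re.compile(r"AuthenticodeVerify\(\) succeeded: (\d+)")
FW_REJECT = "signature is not allowed by DB"   # DxeImageVerificationLib wording

def triage(lines):
    """Summarise one 'linux ...; boot' attempt from its console lines."""
    sigs, current, fw_rejected = [], None, False
    for line in lines:
        if m := SHIM_SIG.search(line):
            current = {"signature": int(m.group(1)), "tried": [], "verified_by": None}
            sigs.append(current)
        elif (m := SHIM_TRY.search(line)) and current is not None:
            current["tried"].append((m.group(2), int(m.group(1))))   # (list, index)
        elif (m := SHIM_OK.search(line)) and current is not None and m.group(1) == "1":
            # Assumption: shim logs success right after the list that matched,
            # so the last list tried is the one that verified this signature.
            current["verified_by"] = current["tried"][-1][0] if current["tried"] else None
        elif FW_REJECT in line:
            fw_rejected = True   # firmware refused an image shim had already accepted
    shim_ok = bool(sigs) and all(s["verified_by"] for s in sigs)
    return {"signatures": sigs, "shim_verified": shim_ok, "firmware_rejected": fw_rejected}

def verdict(summary):
    """One-line classification a triager can act on."""
    if not summary["shim_verified"]:
        return "shim did not verify the image"
    if summary["firmware_rejected"]:
        return "shim verified the image but firmware LoadImage rejected it (signer not in db)"
    return "shim verified the image and firmware accepted it"

# Constructed sample: the lines of case (a) from the report, condensed.
CASE_A = [
    "shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:",
    "shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)",
    "shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)",
    "shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)",
    "shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1",
    "DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.",
]
```

Feeding the case (b) or (c) lines instead yields the "accepted" verdict, since no DxeImageVerificationLib rejection follows the shim success there.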