[opensuse-factory] Machine Owner Key and secure-boot
I recently installed Ubuntu 17.04. But I want to boot it with the opensuse grub2. This is on a UEFI machine.
I am already set up to sign kernels. So the idea is for me to sign the Ubuntu kernel, so that the kernel signature will be okay with opensuse grub2-efi.
Ubuntu comes with two kernels:
vmlinuz-4.10.0-19-generic
vmlinuz-4.10.0-19-generic.efi.signed
The second of those is signed by Canonical. The first is unsigned.
I chose to sign the second of those kernels. It was my understanding that having multiple signatures is allowed. But it would not boot. I got a message about invalid signature.
So I instead signed the first of those kernels. And that is working fine. And if Ubuntu boot tries to check signatures, it should be okay because it sees my installed machine owner key. I'm not sure why Ubuntu provides a signed kernel, since Ubuntu boot normally doesn't check signatures anyway. They seem to just pretend to check (a bit like the Volkswagen pollution controls).
My question: Is this a bug in the opensuse shim signature checking? Shouldn't it work with multiple signatures on kernels?
17.04.2017 18:20, Neil Rickert wrote:
I recently installed Ubuntu 17.04. But I want to boot it with the opensuse grub2. This is on a UEFI machine.
I am already set up to sign kernels. So the idea is for me to sign the Ubuntu kernel, so that the kernel signature will be okay with opensuse grub2-efi.
Why not simply chainload Ubuntu shim?
Ubuntu comes with two kernels:
vmlinuz-4.10.0-19-generic
vmlinuz-4.10.0-19-generic.efi.signed
The second of those is signed by Canonical. The first is unsigned.
I chose to sign the second of those kernels. It was my understanding that having multiple signatures is allowed. But it would not boot. I got a message about invalid signature.
There was a bug to that effect; not sure if it was about firmware that failed verification in case of multiple signatures or tools used to create them.
So I instead signed the first of those kernels. And that is working fine. And if Ubuntu boot tries to check signatures, it should be okay because it sees my installed machine owner key. I'm not sure why Ubuntu provides a signed kernel, since Ubuntu boot normally doesn't check signatures anyway. They seem to just pretend to check (a bit like the Volkswagen pollution controls).
Not sure what you mean here. Ubuntu is using the same shim; do you imply that Ubuntu shim fakes verification? That would be a rather strong statement.
My question: Is this a bug in the opensuse shim signature checking? Shouldn't it work with multiple signatures on kernels?
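The question of whether a kernel image carries one signature or several can be checked directly, because an EFI-bootable kernel is a PE image and each signature is a separate entry in its certificate table. The following is an added example, not code from either poster or from shim; it only counts entries and does not verify them, and the sample image is constructed in `_constructed_pe` (a hypothetical helper) so the block runs without a real kernel file.

```python
import struct

def pe_signatures(data: bytes):
    """Return [(revision, cert_type, length), ...], one tuple per
    WIN_CERTIFICATE entry in the PE certificate table ([] = unsigned)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+
    if dir_base is None:
        raise ValueError("unknown optional header magic")
    # Data directory index 4 is the certificate table. Unlike the other
    # directories, its first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, opt + dir_base + 4 * 8)
    entries, pos = [], cert_off
    end = min(cert_off + cert_size, len(data))
    while cert_off and pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE length")
        entries.append((revision, cert_type, length))
        pos += (length + 7) & ~7            # entries start on 8-byte boundaries
    return entries

def _constructed_pe(cert_lengths):
    """Constructed sample: minimal PE32+ headers plus dummy certificate entries."""
    certs = b""
    for n in cert_lengths:
        # revision 0x0200, type 0x0002 (PKCS#7 SignedData), zero-filled body
        body = struct.pack("<IHH", n, 0x0200, 0x0002) + b"\0" * (n - 8)
        certs += body + b"\0" * (-len(body) % 8)
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x20B)
    if certs:
        struct.pack_into("<II", hdr, 0x80 + 24 + 112 + 4 * 8, len(hdr), len(certs))
    return bytes(hdr) + certs

if __name__ == "__main__":
    for name, lengths in (("unsigned", []), ("one", [20]), ("two", [20, 33])):
        print(name, pe_signatures(_constructed_pe(lengths)))
```

On a real system the same function can be called on the bytes of a kernel file before and after re-signing to see whether a second entry was appended.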
On 04/17/2017 12:16 PM, Andrei Borzenkov wrote:
Not sure what you mean here. Ubuntu is using the same shim;
Then they are using an older version of shim and/or an older version of grub2-efi. The "grub.cfg" that they use is loading the kernel with "linux" rather than with "linuxefi", so the signature is not checked. I've tested this by replacing their signed kernel with their unsigned kernel, and ubuntu still boots (using the ubuntu shim and secure-boot enabled).
do you imply that Ubuntu shim fakes verification?
No. Canonical fakes verification. They provide a signed kernel, where the signature is not actually verified. On the install screen, they do a song and dance about having to disable secure boot if using a proprietary video driver, which would only matter if kernel and driver signature are checked. But then they don't actually check signatures.
17.04.2017 21:39, Neil Rickert wrote:
On 04/17/2017 12:16 PM, Andrei Borzenkov wrote:
Not sure what you mean here. Ubuntu is using the same shim;
Then they are using an older version of shim and/or an older version of grub2-efi.
The "grub.cfg" that they use is loading the kernel with "linux" rather than with "linuxefi", so the signature is not checked.
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1245154 suggests that "linux" loader should call "linuxefi".
I've tested this by replacing their signed kernel with their unsigned kernel, and ubuntu still boots (using the ubuntu shim and secure-boot enabled).
The patch that implements the above looks strange indeed. It does attempt to call linuxefi, but if it fails, it is silently ignored. And of course it fails if signature verification fails.
On 04/17/2017 02:47 PM, Andrei Borzenkov wrote:
17.04.2017 21:39, Neil Rickert wrote:
On 04/17/2017 12:16 PM, Andrei Borzenkov wrote:
The "grub.cfg" that they use is loading the kernel with "linux" rather than with "linuxefi", so the signature is not checked.
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1245154 suggests that "linux" loader should call "linuxefi".
I considered that to be a possibility. That's why I tested with an unsigned kernel. And it still booted. But if I changed the "grub.cfg" to use "linuxefi" and "initrdefi", then it failed with an unsigned kernel, but worked with a signed kernel. This was all using the ubuntu NVRAM entry for booting.
The patch that implements the above looks strange indeed. It does attempt to call linuxefi, but if it fails, it is silently ignored. And of course it fails if signature verification fails.
Interesting. But that's from 2013. And they still don't have it working correctly. So I tested, again using the ubuntu NVRAM entry, and editing "grub.cfg" to use "linuxefi" and "initrdefi". And it boots ubuntu with their signed kernel. It boots KaOS with a kernel that I signed. But it also boots opensuse, with a kernel signed by opensuse. That one had me puzzled, but I think your comment explains that. I should add that "mokutil" as run from ubuntu shows two Canonical keys, and shows my own machine owner key. But it does not show any opensuse keys. So it should have failed the opensuse boot. But that still succeeded.
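The thread's central observation is that a menu entry loading its kernel with "linux" booted an unsigned kernel, while the same entry using "linuxefi" refused it. The following added example (not code from the posters or from grub) audits a grub.cfg for which command each menu entry uses; the sample configuration is constructed, reusing the kernel file names from the thread, and the root device in it is an assumption.

```python
import re

MENUENTRY = re.compile(r"""^\s*menuentry\s+(['"])(.*?)\1""")
KERNEL_CMD = re.compile(r"^\s*(linuxefi|linux16|linux)\s+(\S+)")
# Per the tests reported in the thread, only "linuxefi" enforced the
# signature check; anything else is flagged for review.
ENFORCING = {"linuxefi"}

def audit_grub_cfg(text):
    """Return [(entry title, command, kernel path, flagged)] for every
    kernel-loading line found inside a menuentry block."""
    findings, title = [], None
    for line in text.splitlines():
        m = MENUENTRY.match(line)
        if m:
            title = m.group(2)
            continue
        if line.strip() == "}":
            title = None                    # end of menuentry (or submenu) block
            continue
        m = KERNEL_CMD.match(line)
        if m and title is not None:
            cmd, path = m.groups()
            findings.append((title, cmd, path, cmd not in ENFORCING))
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE_CFG = """\
menuentry 'Ubuntu' --class ubuntu {
	linux	/boot/vmlinuz-4.10.0-19-generic.efi.signed root=/dev/sda2 ro
	initrd	/boot/initrd.img-4.10.0-19-generic
}
menuentry 'Ubuntu (edited)' {
	linuxefi /boot/vmlinuz-4.10.0-19-generic.efi.signed root=/dev/sda2 ro
	initrdefi /boot/initrd.img-4.10.0-19-generic
}
"""

if __name__ == "__main__":
    for title, cmd, path, flagged in audit_grub_cfg(SAMPLE_CFG):
        status = "REVIEW: signature may not be enforced" if flagged else "ok"
        print(f"{title!r}: {cmd} {path} -> {status}")
```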