[Bug 808594] New: bug in double signing shim
https://bugzilla.novell.com/show_bug.cgi?id=808594

Summary: bug in double signing shim
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Bootloader
AssignedTo: glin@suse.com
ReportedBy: lnussel@suse.com
QAContact: jsrain@suse.com
CC: mlin@suse.com
Found By: ---
Blocker: ---

The EDK2 commit https://github.com/tianocore/edk2/commit/6de4c35f99f05f1d956538852c1cf003883... adds multiple signature support to the firmware. It however also rejects signatures that are incorrectly aligned. pesign generated such incorrectly aligned signatures. Therefore our double-signed shim on openSUSE 12.3 may be rejected by future firmwares.

We should fix pesign and issue an online update of shim which includes correctly aligned signatures.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Gary Ching-Pang Lin <glin@suse.com> 2013-03-15 06:58:58 UTC ---
Created an attachment (id=529841)
 --> (http://bugzilla.novell.com/attachment.cgi?id=529841)
pesign patch to align signatures

This patch fixes this bug partially. It adjusts the signature size and related fields. I used pesign to sign an EFI image and it worked with the newer OVMF.

The problem is that the extra padding at the end of the file didn't exist when pesign-obs-integration extracted the signature attribute, and the digest changed after the padding was added, i.e. the sign server signed the wrong hash. I am thinking about how to add the padding properly.

BTW, Intel seems to consider relaxing the check. It would be great if the alignment check were removed in the end.
Joey Lee <jlee@suse.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                 CC|        |jlee@suse.com
  Status Whiteboard|        |plugfest2013spring
Jeffrey Cheung <jcheung@suse.com> changed:

           What    |Removed       |Added
----------------------------------------------------------------------------
           Priority|P0 - Crit Sit |P1 - Urgent
Gary Ching-Pang Lin <glin@suse.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #529841|0       |1
        is obsolete|        |

--- Comment #6 from Gary Ching-Pang Lin <glin@suse.com> 2013-03-26 08:44:34 UTC ---
Created an attachment (id=531762)
 --> (http://bugzilla.novell.com/attachment.cgi?id=531762)
backported upstream patch

The previous patch has been merged into upstream. I also backported several patches to calculate the digest properly, and it just needs a slight change in pesign-obs-integration.
Gary Ching-Pang Lin <glin@suse.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
 Attachment #531762|0       |1
        is obsolete|        |

--- Comment #7 from Gary Ching-Pang Lin <glin@suse.com> 2013-03-27 09:10:38 UTC ---
Created an attachment (id=532050)
 --> (http://bugzilla.novell.com/attachment.cgi?id=532050)
Patch to fix the alignment of signatures (updated)

The upstream patch aligned the file to 16 bytes and it may invalidate the MS signature, which is aligned to 8 bytes.
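The alignment rule behind the bug report and comments #1 and #7 can be checked offline with a small parser of the PE security directory (certificate table). This is an added example and not code from the bug, from pesign or from EDK2: it builds a two-signature table with and without 8-byte padding between entries and walks it the way a multi-signature-aware firmware does, so a misaligned double-signed image shows up as rejected. The WIN_CERTIFICATE layout and the 8-byte rule follow the PE/Authenticode specification as I understand it; the two signature blobs are constructed placeholders, not real PKCS#7 data.

```python
import struct

# WIN_CERTIFICATE header from the PE spec: dwLength, wRevision, wCertificateType.
WIN_CERT_HDR = struct.Struct("<IHH")
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
CERT_ALIGN = 8  # every entry in the security directory starts on an 8-byte boundary

# Constructed stand-ins for the two PKCS#7 SignedData blobs (MS and openSUSE);
# real ones are DER-encoded, these only have plausible lengths (13 and 10 bytes).
MS_SIG = b"\x30\x0b" + b"M" * 11
SUSE_SIG = b"\x30\x08" + b"S" * 8


def align_up(n, align=CERT_ALIGN):
    return (n + align - 1) // align * align


def build_cert_table(sig_blobs, pad_entries):
    """Build a PE security directory from raw signature blobs.
    pad_entries=True pads every entry to 8 bytes, as the fixed pesign does;
    pad_entries=False writes the entries back to back, reproducing the
    misaligned table the bug report describes."""
    out = bytearray()
    for blob in sig_blobs:
        length = WIN_CERT_HDR.size + len(blob)
        out += WIN_CERT_HDR.pack(length, WIN_CERT_REVISION_2_0,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA)
        out += blob
        if pad_entries:
            out += b"\0" * (align_up(length) - length)
    return bytes(out)


def walk_cert_table(table):
    """Walk the security directory like a multi-signature-aware firmware:
    step from entry to entry by dwLength rounded up to 8 bytes and require
    the walk to end exactly at the end of the directory. Returns (entries,
    accepted); entries holds (offset, dwLength, wRevision, wCertificateType)."""
    entries, off, end = [], 0, len(table)
    while off < end:
        remaining = end - off
        if remaining <= WIN_CERT_HDR.size:
            break  # truncated header
        length, rev, ctype = WIN_CERT_HDR.unpack_from(table, off)
        if length <= WIN_CERT_HDR.size or length > remaining:
            break  # bogus or truncated entry, typically a misaligned start
        entries.append((off, length, rev, ctype))
        off += align_up(length)
    return entries, off == end
```

On the unpadded table the walker steps over the second header and reads signature bytes as a length field, so the walk never reaches the end of the directory and the image is rejected even though both signatures are valid.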
--- Comment #8 from Gary Ching-Pang Lin <glin@suse.com> 2013-03-27 10:25:06 UTC ---
Submitted the fix.

pesign(161368), pesign-obs-integration(161369)

Shim has to be rebuilt though there is no patch for it...
--- Comment #9 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-03-27 12:00:09 CET ---
This is an autogenerated message for OBS integration:
This bug (808594) was mentioned in
https://build.opensuse.org/request/show/161368 Maintenance /
https://build.opensuse.org/request/show/161369 Maintenance /
--- Comment #10 from Benjamin Brunner <bbrunner@suse.com> 2013-03-27 13:19:18 CET ---
Thanks for the submission. I'll add shim to the running update.

Please keep in mind to submit the updated packages to the devel-project Base:System, too.
--- Comment #11 from Ludwig Nussel <lnussel@suse.com> 2013-03-27 13:53:08 CET ---
Rebuilding shim has no effect. The binary has to be submitted to the signing service again to get an updated signature. Do you expect any more fixes to shim/pesign in the near future?
--- Comment #12 from Frederic Crozat <fcrozat@suse.com> 2013-03-27 13:02:43 UTC ---
(In reply to comment #11)
> Rebuilding shim has no effect. The binary has to be submitted to the signing
> service again to get an updated signature. Do you expect any more fixes to
> shim/pesign in the near future?

By Signing Service, you mean MS or OBS?
--- Comment #13 from Ludwig Nussel <lnussel@suse.com> 2013-03-27 14:09:05 CET ---
MS of course. OBS doesn't require interaction.
--- Comment #14 from Frederic Crozat <fcrozat@suse.com> 2013-03-27 13:25:00 UTC ---
(In reply to comment #13)
> MS of course. OBS doesn't require interaction.

I'm not sure we need to go through MS, since pesign is used after shim has been signed by MS, to add another signature (ok, I "unsign" shim-suse.efi before sending it to MS for signature...).
--- Comment #15 from Ludwig Nussel <lnussel@suse.com> 2013-03-27 14:32:44 CET ---
Ah, you are right. I looked at Factory where several fixes went in without updating the MS signature. Maybe we should request a new signature for that one and submit it as update to 12.3?
--- Comment #16 from Benjamin Brunner <bbrunner@suse.com> 2013-03-27 15:11:31 CET ---
Gary, if you have additional fixes for shim, feel free to submit these too. I'll add it to the running update.
--- Comment #17 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-03-28 05:00:08 CET ---
This is an autogenerated message for OBS integration:
This bug (808594) was mentioned in
https://build.opensuse.org/request/show/161511 Factory / pesign
https://build.opensuse.org/request/show/161512 Factory / pesign-obs-integration
--- Comment #19 from Benjamin Brunner <bbrunner@suse.com> 2013-04-02 16:33:10 CEST ---
Update released for openSUSE 12.3.
--- Comment #20 from Swamp Workflow Management <swamp@suse.de> 2013-04-02 15:07:02 UTC ---
openSUSE-RU-2013:0590-1: An update that has two recommended fixes can now be installed.

Category: recommended (low)
Bug References: 808594,811325
CVE References:
Sources used:
openSUSE 12.3 (src): pesign-0.99-3.10.2, pesign-obs-integration-9.0-0.1.18.1, shim-0.2-3.10.2
Gary Ching-Pang Lin <glin@suse.com> changed:

           What    |Removed  |Added
----------------------------------------------------------------------------
             Status|ASSIGNED |RESOLVED
         Resolution|         |FIXED

--- Comment #21 from Gary Ching-Pang Lin <glin@suse.com> 2013-04-03 01:32:12 UTC ---
Let's close this bug :)
--- Comment #22 from Gary Ching-Pang Lin <glin@suse.com> 2013-04-03 04:02:35 UTC ---
Oops, I also missed update-bootloader in shim %post in openSUSE 12.3. Filed a bug, bnc#813079, to track it.
--- Comment #23 from Gary Ching-Pang Lin <glin@suse.com> 2013-04-03 07:12:13 UTC ---
Hmmm, I found another problem with the sign key. While shim was built in the maintenance project, it was signed with the openSUSE:Maintenance project key instead of the openSUSE-UEFI-Sign key. If the grub2 and kernel updates also follow this setting, I am afraid that shim would refuse to boot grub2/kernel once those two packages were updated. Looks like we need extra config in the sign server to sign EFI images in openSUSE:Maintenance with the openSUSE-UEFI-Sign key.
--- Comment #24 from Jeffrey Cheung <jcheung@suse.com> 2013-04-08 03:36:58 UTC ---
Gary, so who can help you here?
--- Comment #25 from Gary Ching-Pang Lin <glin@suse.com> 2013-04-08 04:51:06 UTC ---
Ludwig already filed a new bug to track the issue: bnc#813110