Bug 808594

Summary: bug in double signing shim
Product: [openSUSE] openSUSE 12.3 Reporter: Ludwig Nussel <lnussel>
Component: BootloaderAssignee: Gary Ching-Pang Lin <glin>
Status: RESOLVED FIXED QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P1 - Urgent CC: fcrozat, jcheung, jlee, mlin
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: plugfest2013spring
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: pesign patch to align signatures
backported upstream patch
Patch to fix the alignment of signatures (updated)

Description Ludwig Nussel 2013-03-11 08:44:50 UTC 
The EDK2 commit
https://github.com/tianocore/edk2/commit/6de4c35f99f05f1d956538852c1cf003883043fd
adds multiple signature support to the firmware. It however also rejects signatures that are incorrectly aligned. pesign generated such incorrectly aligned signatures. Therefore the our double signed shim on openSUSE 12.3 may be rejected by future firmwares.

We should fix pesign and issue an online update of shim which includes correctly aligned signatures.
Comment 1 Gary Ching-Pang Lin 2013-03-15 06:58:58 UTC 
Created attachment 529841 [details]
pesign patch to align signatures

This patch fixes this bug partially. It adjusts the signature size and related fields. I used pesign to signed a EFI image and it worked with the newer OVMF.

The problem is that the extra padding in the end of the file didn't exist when pesign-obs-integration extracted the signature attribute, and the digest changed after the padding was added, i.e. the sign server signed the wrong hash. I am thinking about how to add the padding properly.

BTW, intel seems to consider relaxing the check. It would be great if the alignment check were removed in the end.
Comment 6 Gary Ching-Pang Lin 2013-03-26 08:44:34 UTC 
Created attachment 531762 [details]
backported upstream patch

The previous patch has been merged into upstream. I also backported several patches to calculate the digest properly, and it just needs a slight change in pesign-obs-integration.
Comment 7 Gary Ching-Pang Lin 2013-03-27 09:10:38 UTC 
Created attachment 532050 [details]
Patch to fix the alignment of signatures (updated)

The upstream patch aligned the file to 16-byte and it may invalidate MS signature which is aligned to 8-byte.
Comment 8 Gary Ching-Pang Lin 2013-03-27 10:25:06 UTC 
Submitted the fix. pesign(161368), pesign-obs-integration(161369)
Shim has to be rebuilt though there is no patch for it...
Comment 9 Bernhard Wiedemann 2013-03-27 11:00:09 UTC 
This is an autogenerated message for OBS integration:
This bug (808594) was mentioned in
https://build.opensuse.org/request/show/161368 Maintenance / 
https://build.opensuse.org/request/show/161369 Maintenance /
Comment 10 Benjamin Brunner 2013-03-27 12:19:18 UTC 
Thanks for the submission. I'll add shim to the running update. Please keep in mind to submit the updated packages to the devel-project Base:System, too.
Comment 11 Ludwig Nussel 2013-03-27 12:53:08 UTC 
Rebuilding shim has no effect. The binary has to be submitted to the signing service again to get an updated signature. Do you expect any more fixes to shim/pesign in the near future?
Comment 12 Frederic Crozat 2013-03-27 13:02:43 UTC 
(In reply to comment #11)
> Rebuilding shim has no effect. The binary has to be submitted to the signing
> service again to get an updated signature. Do you expect any more fixes to
> shim/pesign in the near future?

By Signing Service, you mean MS or OBS ?
Comment 13 Ludwig Nussel 2013-03-27 13:09:05 UTC 
MS of course. OBS doesn't require interaction.
Comment 14 Frederic Crozat 2013-03-27 13:25:00 UTC 
(In reply to comment #13)
> MS of course. OBS doesn't require interaction.

I'm not sure we need to go through MS, since pesign is used after shim has been signed by MS, to add another signature (ok, I "unsign" shim-suse.efi before sending it to MS for signature.. ).
Comment 15 Ludwig Nussel 2013-03-27 13:32:44 UTC 
Ah, you are right. I looked at Factory where several fixes went in without updating the MS signature. Maybe we should request a new signature for that one and submit it as update to 12.3?
Comment 16 Benjamin Brunner 2013-03-27 14:11:31 UTC 
Gary, if you have additional fixes for shim, feel free to submit these too. I'll add it to the running update.
Comment 17 Bernhard Wiedemann 2013-03-28 04:00:08 UTC 
This is an autogenerated message for OBS integration:
This bug (808594) was mentioned in
https://build.opensuse.org/request/show/161511 Factory / pesign
https://build.opensuse.org/request/show/161512 Factory / pesign-obs-integration
Comment 19 Benjamin Brunner 2013-04-02 14:33:10 UTC 
Update released for openSUSE 12.3.
Comment 20 Swamp Workflow Management 2013-04-02 15:07:02 UTC 
openSUSE-RU-2013:0590-1: An update that has two recommended fixes can now be installed.

Category: recommended (low)
Bug References: 808594,811325
CVE References: 
Sources used:
openSUSE 12.3 (src):    pesign-0.99-3.10.2, pesign-obs-integration-9.0-0.1.18.1, shim-0.2-3.10.2
Comment 21 Gary Ching-Pang Lin 2013-04-03 01:32:12 UTC 
Let's close this bug :)
Comment 22 Gary Ching-Pang Lin 2013-04-03 04:02:35 UTC 
Oops, I also missed update-bootloader in shim %post in openSUSE 12.3. File a bug, bnc#813079, to track it.
Comment 23 Gary Ching-Pang Lin 2013-04-03 07:12:13 UTC 
Hmmm I found another problem with the sign key.
While shim was built in the maintenance project, it was signed with openSUSE:Maintenance project key instead of openSUSE-UEFI-Sign key.

If grub2 and the kernel updated also follow this settings, I am afraid that shim would refuse to boot grub2/kernel if those two packages were updated. Looks like we need extra config in the sign server to sign EFI images in openSUSE:Maintenance with openSUSE-UEFI-Sign key.
Comment 24 Jeffrey Cheung 2013-04-08 03:36:58 UTC 
Gary, so who can help you here ?
Comment 25 Gary Ching-Pang Lin 2013-04-08 04:51:06 UTC 
Ludwig already filed a new bug to track the issue. bnc#813110