Bugzilla – Bug 808594
bug in double signing shim
Last modified: 2013-04-08 04:51:06 UTC
The EDK2 commit https://github.com/tianocore/edk2/commit/6de4c35f99f05f1d956538852c1cf003883043fd adds multiple signature support to the firmware. It however also rejects signatures that are incorrectly aligned. pesign generated such incorrectly aligned signatures. Therefore the our double signed shim on openSUSE 12.3 may be rejected by future firmwares. We should fix pesign and issue an online update of shim which includes correctly aligned signatures.
Created attachment 529841 [details] pesign patch to align signatures This patch fixes this bug partially. It adjusts the signature size and related fields. I used pesign to signed a EFI image and it worked with the newer OVMF. The problem is that the extra padding in the end of the file didn't exist when pesign-obs-integration extracted the signature attribute, and the digest changed after the padding was added, i.e. the sign server signed the wrong hash. I am thinking about how to add the padding properly. BTW, intel seems to consider relaxing the check. It would be great if the alignment check were removed in the end.
Created attachment 531762 [details] backported upstream patch The previous patch has been merged into upstream. I also backported several patches to calculate the digest properly, and it just needs a slight change in pesign-obs-integration.
Created attachment 532050 [details] Patch to fix the alignment of signatures (updated) The upstream patch aligned the file to 16-byte and it may invalidate MS signature which is aligned to 8-byte.
Submitted the fix. pesign(161368), pesign-obs-integration(161369) Shim has to be rebuilt though there is no patch for it...
This is an autogenerated message for OBS integration: This bug (808594) was mentioned in https://build.opensuse.org/request/show/161368 Maintenance / https://build.opensuse.org/request/show/161369 Maintenance /
Thanks for the submission. I'll add shim to the running update. Please keep in mind to submit the updated packages to the devel-project Base:System, too.
Rebuilding shim has no effect. The binary has to be submitted to the signing service again to get an updated signature. Do you expect any more fixes to shim/pesign in the near future?
(In reply to comment #11) > Rebuilding shim has no effect. The binary has to be submitted to the signing > service again to get an updated signature. Do you expect any more fixes to > shim/pesign in the near future? By Signing Service, you mean MS or OBS ?
MS of course. OBS doesn't require interaction.
(In reply to comment #13) > MS of course. OBS doesn't require interaction. I'm not sure we need to go through MS, since pesign is used after shim has been signed by MS, to add another signature (ok, I "unsign" shim-suse.efi before sending it to MS for signature.. ).
Ah, you are right. I looked at Factory where several fixes went in without updating the MS signature. Maybe we should request a new signature for that one and submit it as update to 12.3?
Gary, if you have additional fixes for shim, feel free to submit these too. I'll add it to the running update.
This is an autogenerated message for OBS integration: This bug (808594) was mentioned in https://build.opensuse.org/request/show/161511 Factory / pesign https://build.opensuse.org/request/show/161512 Factory / pesign-obs-integration
Update released for openSUSE 12.3.
openSUSE-RU-2013:0590-1: An update that has two recommended fixes can now be installed. Category: recommended (low) Bug References: 808594,811325 CVE References: Sources used: openSUSE 12.3 (src): pesign-0.99-3.10.2, pesign-obs-integration-9.0-0.1.18.1, shim-0.2-3.10.2
Let's close this bug :)
Oops, I also missed update-bootloader in shim %post in openSUSE 12.3. File a bug, bnc#813079, to track it.
Hmmm I found another problem with the sign key. While shim was built in the maintenance project, it was signed with openSUSE:Maintenance project key instead of openSUSE-UEFI-Sign key. If grub2 and the kernel updated also follow this settings, I am afraid that shim would refuse to boot grub2/kernel if those two packages were updated. Looks like we need extra config in the sign server to sign EFI images in openSUSE:Maintenance with openSUSE-UEFI-Sign key.
Gary, so who can help you here ?
Ludwig already filed a new bug to track the issue. bnc#813110