[Bug 1692373] Re: shim fails to load MokManager (mmx64.efi) in the case of unsigned grub

Launchpad Bug Tracker 1692373 at bugs.launchpad.net
Sat Jul 15 14:52:45 UTC 2017


Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: shim (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1692373

Title:
  shim fails to load MokManager (mmx64.efi) in the case of unsigned grub

Status in shim package in Ubuntu:
  Confirmed

Bug description:
  [see debian bug #860716 as well]

  I test shim-signed with qemu in a secure boot environment. Here are the steps
  to reproduce the problem:

  1) install shim, shim-signed, qemu and ovmf packages

  2) get EnrollDefaultKeys.efi from
     https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Workstation/x86_64/os/Packages/e/edk2-ovmf-20170209git296153c5-3.fc27.noarch.rpm

  3) create an efi_test directory with shim binaries, grub and
  EnrollDefaultKeys.efi files

     mkdir efi_test
     cp /usr/lib/shim/{shimx64,mmx64,fbx64}.efi.signed efi_test/
     rename 's/[.]signed$//' efi_test/*

     cp /boot/efi/EFI/debian/grubx64.efi efi_test/    [this step is significant]

     cp EnrollDefaultKeys.efi efi_test/     [see step (2)]

  4) so we have in efi_test/

     LANG=C ls -la efi_test/

     drwxr-xr-x 2 kl kl    4096 Apr 19 12:10 .
     drwxr-xr-x 5 kl kl    4096 Apr 19 11:52 ..
     -rw-r--r-- 1 kl kl   20032 Apr 19 11:55 EnrollDefaultKeys.efi
     -rw-r--r-- 1 kl kl   72144 Apr 19 11:52 fbx64.efi
     -rwxr-xr-x 1 kl kl  121856 Apr 19 12:10 grubx64.efi
     -rw-r--r-- 1 kl kl 1168464 Apr 19 12:05 mmx64.efi
     -rw-r--r-- 1 kl kl 1169528 Apr 19 11:52 shimx64.efi

  5) run qemu with ovmf firmware

     qemu-system-x86_64 -m 1024 -enable-kvm -machine q35,smm=on,accel=kvm \
                        -bios /usr/share/ovmf/OVMF.fd \
                        -drive media=disk,file=fat:rw:efi_test

  6) import Microsoft keys and enable secure boot (from EFI shell)

     Shell> fs0:
     FS0:\> EnrollDefaultKeys.efi
     info: SetupMode=1 SecureBoot=0 SecureBootEnabled=0 CustomMode=0 VendorKeys=1
     info: SetupMode=0 SecureBoot=1 SecureBootEnabled=1 CustomMode=0 VendorKeys=0
     info: success

  7) reboot virtual machine (from EFI shell)

     FS0:\> reset

  8) run shim (from EFI shell)

     Shell> fs0:
     FS0:\> shimx64.efi

  9) expected result:

     MokManager (mmx64.efi) will be started

  10) actual result:

      Verification failed: (15) Access Denied

      Failed to load image: Access Denied
      start_image() returned Access Denied
      start_image() returned Access Denied

      and we are back at the EFI shell.

      Thus it's not possible to install user keys or add user
      loader to trusted binary database.

  ------------------------------------------------------

  
  The following upstream patch will resolve the problem:

  https://github.com/rhinstaller/shim/commit/9f2c83e60e0758c3db387eebaed3f306ad6214a8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1692373/+subscriptions
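Added example (not part of the original bug report or of shim's code): the reproduction depends on grubx64.efi being unsigned while the shim binaries come from the .signed files, so this sketch reports which PE images in a directory such as efi_test/ carry an Authenticode certificate table at all. The function names cert_table and make_sample are hypothetical, the sample headers are constructed, and a present table only shows that a signature is embedded, not that it verifies against the firmware db or shim's keys.

```python
import struct
import sys

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode certificate table)

def cert_table(data: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    opt = pe_off + 4 + 20                      # optional header follows the COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x20B:                         # PE32+ (x86_64 EFI binaries)
        count_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                       # PE32
        count_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (ndirs,) = struct.unpack_from("<I", data, count_off)
    if ndirs <= SECURITY_DIR_INDEX:
        return None
    offset, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    if size == 0 or offset + size > len(data):
        return None                            # empty or truncated table: treat as unsigned
    return offset, size

def make_sample(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for demonstration; not a bootable image."""
    pe_off = 0x40
    buf = bytearray(pe_off + 4 + 20 + 112 + 16 * 8)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    opt = pe_off + 24
    struct.pack_into("<H", buf, opt, 0x20B)
    struct.pack_into("<I", buf, opt + 108, 16)  # NumberOfRvaAndSizes
    if signed:
        blob = b"\0" * 16                      # placeholder where a WIN_CERTIFICATE would sit
        struct.pack_into("<II", buf, opt + 112 + 8 * 4, len(buf), len(blob))
        buf += blob
    return bytes(buf)

if __name__ == "__main__":
    for path in sys.argv[1:]:                  # e.g. efi_test/*.efi
        with open(path, "rb") as f:
            print(path, "signed" if cert_table(f.read()) else "UNSIGNED")
```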
