[Bug 1880197] Re: mokmanager is signed using ephemeral key, instead of Vendor Key

Chris Coulson 1880197 at bugs.launchpad.net
Fri May 22 17:07:40 UTC 2020


This isn't really any different to how kernel module signing is handled
though - is there any real benefit to adding the extra step of signing
mmx64.efi (and fbx64.efi) with the vendor key, other than not having to
keep shimx64.efi, mmx64.efi and fbx64.efi in sync if you're testing a
local build?

https://bugs.launchpad.net/bugs/1880197

Title:
  mokmanager is signed using ephemeral key, instead of Vendor Key

Status in shim-signed package in Ubuntu:
  New

Bug description:
  I try to boot mokmanager. It fails to boot, as it's not signed with the
  Canonical online key, chained to the Canonical CA, which shim tries to
  validate and fails. I see a scary blue screen of death with validation
  errors.

  # sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi 
  warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
  signature 1
  image signature issuers:
   - /C=US/L=SomeCity/O=SomeOrg
  image signature certificates:
   - subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
     issuer:  /C=US/L=SomeCity/O=SomeOrg

  Shouldn't shim builds submit shimx64.efi and mmx64.efi for Canonical online key signing?

  Maybe as separate shim-canonical & shim-canonical-signed packages,
  which chain off src:shim? (since we can't easily rebuild shim)

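Added example, not code from the bug report, from this thread or from shim: the check the reporter did with `sbverify --list`, done in pure Python so the signer of mmx64.efi can be read out and compared with an expected issuer without external tools. It walks the PE Certificate Table (data directory 4), the WIN_CERTIFICATE entries in it and the PKCS#7 SignedData they carry, and reports each certificate's subject and issuer in the `/C=US/O=...` layout sbverify prints. Everything below the "constructed sample" line is scaffolding for the example: `fake_cert`, `build_sample_pe`, `SAMPLE_MMX64` and the `/O=Example Vendor CA` DN are assumptions made here, and the sample image has dummy signature bits; only the `/C=US/L=SomeCity/O=SomeOrg` names come from the report. A signature whose only issuer is that build-time key, as in the report, fails the vendor-CA check, which is the situation shim's blue validation error screen corresponds to.

```python
"""Added example (not the bug report's or shim's code): list the certificates
in a PE/COFF Authenticode signature, as `sbverify --list` does, and check the
issuer. Pure Python; DER handling covers only ContentInfo/SignedData/Certificate/Name.
The sample image at the bottom is constructed here with dummy signature bits."""
import struct

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}   # X.520 attribute type OIDs

def der_read(buf, off=0):
    """One DER TLV at `off` -> (tag, content, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                               # long-form length
        n, off = length & 0x7F, off + (length & 0x7F)
        length = int.from_bytes(buf[off - n:off], "big")
    return tag, buf[off:off + length], off + length

def der_children(content):
    """Children of a constructed TLV as [(tag, content), ...]."""
    kids, off = [], 0
    while off < len(content):
        tag, body, off = der_read(content, off)
        kids.append((tag, body))
    return kids

def name_to_str(body):
    """X.501 Name -> '/C=US/O=SomeOrg/CN=shim', the layout sbverify prints."""
    parts = []
    for _, rdn in der_children(body):               # SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):            # SEQUENCE { type OID, value }
            (_, oid), (_, value) = der_children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return "/" + "/".join(parts)

def cert_subject_issuer(cert):
    """Certificate -> (subject, issuer) read from its TBSCertificate."""
    fields = der_children(der_children(cert)[0][1])
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # now: serialNumber, signature, issuer, validity, subject, ...
    return name_to_str(fields[4][1]), name_to_str(fields[2][1])

def pe_certificate_table(pe):
    """Raw Certificate Table (data directory 4; its 'RVA' is a file offset)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                             # past 'PE\0\0' and the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 optional header
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    return pe[off:off + size]

def list_signature_certs(pe):
    """All (subject, issuer) pairs in every WIN_CERTIFICATE of the image."""
    table, off, certs = pe_certificate_table(pe), 0, []
    while off + 8 <= len(table):
        length, _rev, ctype = struct.unpack_from("<IHH", table, off)
        if ctype == 0x0002:                         # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            _, content_info, _ = der_read(table[off + 8:off + length])
            explicit = der_children(content_info)[1][1]           # [0] EXPLICIT SignedData
            for tag, body in der_children(der_children(explicit)[0][1]):
                if tag == 0xA0:                     # [0] IMPLICIT certificates
                    certs += [cert_subject_issuer(c) for _, c in der_children(body)]
        off += (length + 7) & ~7                    # entries are 8-byte aligned
    return certs

def signed_under(pe, issuer):
    """True if any certificate in the signature names `issuer` as its issuer."""
    return any(iss == issuer for _, iss in list_signature_certs(pe))

# --- constructed sample: a fake mmx64.efi signed the way the bug report shows ---
def der(tag, *kids):
    body = b"".join(kids)
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if len(body) < 0x80 else bytes([0x80 | len(ln)]) + ln) + body

def der_name(**rdns):                               # der_name(C="US", CN="shim")
    by_short = {v: k for k, v in OID_NAMES.items()}
    return der(0x30, *(der(0x31, der(0x30, der(0x06, by_short[k]), der(0x13, v.encode())))
                       for k, v in rdns.items()))

def fake_cert(subject, issuer):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, issuer,
              der(0x30, der(0x17, b"200522000000Z"), der(0x17, b"300522000000Z")),
              subject, der(0x30, alg, der(0x03, b"\x00")))
    return der(0x30, tbs, alg, der(0x03, b"\x00"))   # dummy signature value

def build_sample_pe(*certs):
    """Minimal PE32+ image (no sections) with one WIN_CERTIFICATE carrying `certs`."""
    signed = der(0x30, der(0x02, b"\x01"), der(0x31),             # version, digestAlgorithms
                 der(0x30, der(0x06, bytes.fromhex("2b060104018237020104"))),  # SpcIndirectData
                 der(0xA0, *certs), der(0x31))                    # certificates, signerInfos
    pkcs7 = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010702")), der(0xA0, signed))
    wincert = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, 0x0002) + pkcs7
    cert_off = 0x40 + 4 + 20 + 112 + 16 * 8          # end of headers, 8-aligned
    dirs = [(0, 0)] * 4 + [(cert_off, len(wincert))] + [(0, 0)] * 11
    pe = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
          + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 112 + 16 * 8, 0)
          + struct.pack("<H", 0x20B) + b"\0" * 110
          + b"".join(struct.pack("<II", *d) for d in dirs))
    return pe + wincert

VENDOR_CA = "/O=Example Vendor CA"                   # placeholder DN, an assumption
SAMPLE_MMX64 = build_sample_pe(fake_cert(der_name(C="US", L="SomeCity", O="SomeOrg", CN="shim"),
                                         der_name(C="US", L="SomeCity", O="SomeOrg")))
```

For a real image, pass the bytes of `/boot/efi/EFI/ubuntu/mmx64.efi` to `list_signature_certs()` and the expected issuer DN to `signed_under()`. The walker follows only the structures named in the comments (a plain X.509 `Certificate` in the `certificates` set), so other certificate forms would need the `0xA0` branch extended, and it reports who the signature claims to be from without verifying it; the trust decision itself is shim's, made against the certificate it was built with.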
