[Bug 1880197] Re: mokmanager is signed using ephemeral key, instead of Vendor Key
Steve Langasek
1880197 at bugs.launchpad.net
Fri May 22 17:55:24 UTC 2020
On Fri, May 22, 2020 at 05:38:40PM -0000, Dimitri John Ledkov wrote:
> I guess my general level of paranoia w.r.t number of roots of trust, and
> ability to inspect them.
> Improved subject would help a lot.
> Can that shim cert sign online signing subkeys? Can the shim cert sign
> grub? Kernel? Kernel Modules? Are the questions I don't even want to
> think about.

$ openssl pkcs7 -noout -print_certs -text -inform DER -in /tmp/detach.der
[...]
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign, Encipher Only, Decipher Only
            X509v3 Extended Key Usage:
                Code Signing, Microsoft Trust List Signing
            X509v3 Basic Constraints:
                CA:FALSE
[...]

It cannot sign subkeys.
If it signed any of grub, kernel, or kernel modules, it would be trusted.
However since it is an ephemeral key that's thrown away after the build,
this would not happen. And it would be pointless to try to limit what could
be signed with this key, given that it is already used to sign EFI binaries,
which is the highest level of trust.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1880197
Title:
ephemeral key used to sign mokmanager should have better certificate
attributes
Status in shim-signed package in Ubuntu:
Triaged
Bug description:
I try to boot mokmanager. It fails to boot, as it's not signed with
canonical online key, chained to canonical CA, which shim tries to
validate and fails. I see scary blue screen of death with validation
errors.

  # sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
  warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
  signature 1
  image signature issuers:
   - /C=US/L=SomeCity/O=SomeOrg
  image signature certificates:
   - subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
     issuer:  /C=US/L=SomeCity/O=SomeOrg

shouldn't shim builds, submit shix64.efi mmx64.efi for Canonical online key signing?
Maybe as separate shim-canonical & shim-canonical-signed packages,
which chain off src:shim? (since we can't easily rebuild shim)
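
Added example, not part of the original message or of the shim packaging: a way to reproduce the "It cannot sign subkeys" observation with throwaway certificates. The certificate names, the config sections and the function check_subkey_chain are constructed for this demo; the issuer extensions mirror the dump in the reply (Certificate Sign set in Key Usage, Basic Constraints CA:FALSE), and a CA:TRUE run is included as the control. It exercises only openssl's chain validation, not direct signatures made with the key.

```shell
#!/bin/sh
# Added demo with constructed certificates; nothing here comes from the shim build.
# check_subkey_chain CA_FLAG: build a self-signed cert whose extensions mirror the
# dump in the reply (CA_FLAG is TRUE or FALSE), issue a "subkey" cert from it, then
# ask openssl to validate the chain. Prints "accepted" or "rejected".
check_subkey_chain() {
    ca_flag=$1
    dir=$(mktemp -d) || return 1
    cat > "$dir/demo.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo-ephemeral
[issuer_ext]
basicConstraints = critical,CA:$ca_flag
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
extendedKeyUsage = codeSigning
[subkey_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = codeSigning
EOF
    # Self-signed stand-in for the ephemeral signing cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/demo.cnf" \
        -extensions issuer_ext -keyout "$dir/eph.key" -out "$dir/eph.crt" 2>/dev/null
    # Key and CSR for the would-be subkey.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/demo.cnf" \
        -subj "/CN=demo-subkey" -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    # Producing the signature always works; the private key carries no policy.
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/eph.crt" -CAkey "$dir/eph.key" \
        -CAserial "$dir/eph.srl" -CAcreateserial -days 1 \
        -extfile "$dir/demo.cnf" -extensions subkey_ext -out "$dir/sub.crt" 2>/dev/null
    # Path validation is where the issuer's basicConstraints is enforced.
    if openssl verify -CAfile "$dir/eph.crt" "$dir/sub.crt" >/dev/null 2>&1; then
        result=accepted
    else
        result=rejected
    fi
    rm -rf "$dir"
    echo "$result"
}

for flag in FALSE TRUE; do
    echo "issuer CA:$flag -> subkey chain $(check_subkey_chain "$flag")"
done
```
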