[Bug 1895817] [NEW] [FFe] Dual-signed shim

Dimitri John Ledkov 1895817 at bugs.launchpad.net
Wed Sep 16 10:11:40 UTC 2020


Public bug reported:

[FFe] Dual-signed shim

The shim-signed package currently ships two files:

/usr/lib/shim/shimx64.efi.signed
/usr/lib/shim/shimx64.efi.dualsigned

The two shims are the same, but have different signatures.

.signed is signed with MS UEFI CA 2011 only

.dualsigned is signed with Canonical CA & MS UEFI CA 2011.

$ sbverify --list /usr/lib/shim/shimx64.efi.signed
warning: data remaining[1177936 vs 1341560]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root


$ sbverify --list /usr/lib/shim/shimx64.efi.dualsigned
warning: data remaining[1179856 vs 1343480]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (2017)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
signature 2
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

In light of the current Boothole vulnerabilities, it is desirable to
support a more constrained boot chain. Specifically, the UEFI 2011 signed
Canonical shim can be booted universally on most hardware, but that also means
other shims from other vendors can boot too. But if we provide a shim
signed by the Canonical CA, one can remove the MS UEFI 2011 key from db, add
the Canonical CA, and thus only boot shims provided by Canonical. In such a
scenario the machine will only be able to boot Windows and Ubuntu, and no
other Linux. Furthermore the Windows production key can be removed from db
as well, if one wishes to disable booting Windows too.

Certain hardware manufacturers ship the Canonical CA key in db already. Thus
shipping a dual-signed shim out of the box would improve security there,
by reducing attack vectors / having more constrained TPM measurements.

I am requesting FFe to ship dualsigned shim as
/usr/lib/shim/shimx64.efi.signed and use it by default.

Regression potential is as follows:

 - very old / initial implementations of Secure Boot using very old UEFI
SB specs from 2008 do not support multiple signatures on a .efi binary.
Thus this change may result in certain older firmware being unable to boot.
It is not clear which hardware doesn't support multiple signatures, and
whether or not the order of signatures helps at all (i.e. whether the MS
signature or the Canonical one is first).

Mitigation strategy in case of regressions:

 - revert back to single-signed shim

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: block-proposed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1895817
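A scriptable version of the sbverify --list comparison above, added here as an example and not part of the bug report or of shim-signed: it walks a PE/EFI image's security directory, counts the WIN_CERTIFICATE entries (one per Authenticode signature) and pulls the commonName values out of each, so a maintainer can assert that the file installed as shimx64.efi.signed really carries both signers. The build_fake_pe fixture is a constructed stand-in for a shim so the script runs offline; pass a real .efi path on the command line to inspect it instead.

```python
"""Count Authenticode signatures in a PE/EFI image and list the CNs in each."""
import struct
import sys

CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)

def pe_cert_table(data: bytes):
    """Return (file offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (entry 4)."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[pe_off:pe_off + 4] == b"PE\0\0", "not a PE image"
    opt_off = pe_off + 4 + 20                      # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_base = opt_off + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    return struct.unpack_from("<II", data, dd_base + 4 * 8)

def der_common_names(blob: bytes):
    """Heuristic: in an X.509 AttributeTypeAndValue the CN OID is directly
    followed by its string value (short-form lengths cover real signer names)."""
    names, i = [], 0
    while (i := blob.find(CN_OID, i)) >= 0:
        i += len(CN_OID)
        if i + 2 <= len(blob) and blob[i] in (0x0C, 0x13) and blob[i + 1] < 0x80:
            n = blob[i + 1]
            names.append(blob[i + 2:i + 2 + n].decode("utf-8", "replace"))
    return names

def list_signatures(data: bytes):
    """One list of CNs per WIN_CERTIFICATE entry of type PKCS_SIGNED_DATA."""
    off, size = pe_cert_table(data)
    sigs, end = [], off + size
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", data, off)
        if ctype != 0x0002 or length < 8:          # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            break
        sigs.append(der_common_names(data[off + 8:off + length]))
        off += (length + 7) & ~7                   # entries are 8-byte aligned
    return sigs

def build_fake_pe(signer_sets):
    """Constructed fixture (not a real shim): minimal PE32+ header whose
    security directory points at one WIN_CERTIFICATE per signer set."""
    certs = b""
    for cns in signer_sets:
        der = b"".join(CN_OID + bytes([0x13, len(c)]) + c.encode() for c in cns)
        entry = struct.pack("<IHH", 8 + len(der), 0x0200, 0x0002) + der
        certs += entry + b"\0" * (-len(entry) % 8)
    pe_off, opt_off = 0x80, 0x80 + 24
    table_off = opt_off + 112 + 16 * 8             # certs follow the data dirs
    img = bytearray(table_off)
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", img, opt_off, 0x20B)
    struct.pack_into("<II", img, opt_off + 112 + 4 * 8, table_off, len(certs))
    return bytes(img) + certs

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe(
        [["Canonical Ltd. Secure Boot Signing (2017)"], ["Microsoft Corporation UEFI CA 2011"]])
    for n, cns in enumerate(list_signatures(data), 1):
        print(f"signature {n}: {cns}")
```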
