[Bug 1939565] Re: kernel signed by mok failed to boot if secure boot is on
Jacob
1939565 at bugs.launchpad.net
Sun Aug 29 07:55:17 UTC 2021
Hi Steve Langasek,
If an attacker is able to sign a custom kernel module & compromise a system via that means is there a reason to restrict the rather easy to use `update-secureboot-policy --new-key` method to only kernel modules? (Can we modify it to allow signing kernels in addition to kernel modules?)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1939565
Title:
kernel signed by mok failed to boot if secure boot is on
Status in OEM Priority Project:
Confirmed
Status in shim package in Ubuntu:
Incomplete
Bug description:
On Focal, create a mok and enroll it, use it to sign test kernel as
the secure boot is on.
# sh -x test.sh
+ sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
Signature verification OK
+ openssl x509 -in TestKer.pem -outform der -out TestKernel.der
+ mokutil --test-key TestKernel.der
TestKernel.der is already enrolled
As the secure boot is on, can't load above kernel.
The error message is:
/boot/vmlinuz-5.13.0-9010-oem has invalid signature.
Machine: Latitude 7520
bios: 1.6.0
shim-signed: 1.40.6+15.4-0ubuntu7
grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1939565/+subscriptions
More information about the foundations-bugs
mailing list