[Merge] ~ubuntu-core-dev/grub/+git/ubuntu:check-known-sigs into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu
Steve Langasek
steve.langasek at canonical.com
Fri Jan 11 19:52:51 UTC 2019
Diff comments:
> diff --git a/debian/grub-check-signatures b/debian/grub-check-signatures
> index 1c486a1..163d822 100755
> --- a/debian/grub-check-signatures
> +++ b/debian/grub-check-signatures
> @@ -38,13 +39,48 @@ on_secure_boot() {
> return 0
> }
>
> +# Retrieve the keys we do trust from PK, DB, KEK, and MokList.
> +extract_known_keys() {
> + # Make the Canonical CA cert available for validation too; in case
> + # MokListRT is empty due to a bug.
> + cp /usr/share/grub/canonical-uefi-ca.crt $tmpdir
> +
> + # Extract known UEFI certs from firmware variables
> + ( cd $tmpdir; \
> + mokutil --export --pk; \
> + mokutil --export --db; \
> + mokutil --export --kek; \
> + mokutil --export --mok >/dev/null 2>/dev/null; \
> + for derfile in *.der; do \
FWIW it's more than unnecessary; if keys in PK and KEK are not trusted for binary signing, then there's a risk of false-negatives here and unbootable systems. (It would only happen if someone had misimplemented SB on their system so the risk is small, but it is a risk.)
> + openssl x509 -inform der -in $derfile -outform pem -out $derfile.crt; \
> + done )
> +}
> +
> # Check if a given kernel image is signed
> is_signed() {
> tmp=$(mktemp)
> - sbattach --detach $tmp $1 >/dev/null # that's ugly...
> + sbattach --detach $tmp $1 >/dev/null >&2 # that's ugly...
> test "$(wc -c < $tmp)" -ge 16 # Just _some_ minimum size
> result=$?
> + if [ $result -eq 0 ]; then
> + sig_subject=$(openssl pkcs7 -inform der -in $tmp -print_certs | openssl x509 -noout -text | grep Subject: )
> + fi
> rm $tmp
> + if [ $result -eq 0 ]; then
> + for crtfile in $tmpdir/*.crt; do
> + sbverify --cert $crtfile $1 >/dev/null 2>/dev/null
> + result=$?
> + if [ $result -eq 0 ]; then
> + echo "$1 is signed by a known key:" >&2
> + openssl x509 -in $crtfile -noout -text | grep Subject: >&2
> + return $result;
> + fi
> + done
> + echo "$1 is signed, but using an unknown key:" >&2
> + echo "$sig_subject" >&2
> + else
> + echo "$1 is unsigned." >&2
> + fi
> return $result
> }
>
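Review bot: The redirection added to the `sbattach` call in is_signed() does not do what the surrounding code suggests: `>/dev/null >&2` redirects stdout twice, the second one wins, so sbattach's normal output now lands on stderr while its own error output was never silenced; presumably `sbattach --detach "$tmp" "$1" >/dev/null 2>&1` was meant, given that the `sbverify` call a few lines below is silenced on both streams. Separately, extract_known_keys() builds the trusted set from PK, KEK, db and MokList but never consults dbx (or MokListX), so a signing certificate the firmware has revoked would still be reported as "signed by a known key"; if mokutil can export those variables on the target releases, exporting them too and treating an `sbverify` match against one of them as a failure would close that gap. Finally, `$1`, `$tmp`, `$crtfile` and `$tmpdir` are expanded unquoted throughout, so a kernel path containing whitespace breaks both the detach and the verify loop; quoting them, e.g. `sbverify --cert "$crtfile" "$1" >/dev/null 2>&1`, is cheap. The `$tmpdir` that extract_known_keys() populates appears to be created outside this hunk, so its lifecycle cannot be checked here.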
https://code.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/+merge/361589