Bug 2099380
| Summary: | Shim does not allow loading third-party .efi files since 15.4-1 | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ValdikSS <iam> | ||||
| Component: | shim | Assignee: | Peter Jones <pjones> | ||||
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 35 | CC: | amessina, fmartine, mjg59, nerijus, pjones, rharwood | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2022-06-21 17:47:42 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
This happens because grubx64.efi does not contain .sbat section, while newer shim versions require it, even for mok-listed files
HOWEVER, the file won't boot even when added as a hash, while shim states for db that it should be working that way:
> If a binary is enrolled in db by its hash rather than by certificate, the validation result is logged only, not enforced
So this is still a bug, I guess?
|
Created attachment 1891366 [details] File system with several shim versions and third-party grub Description of problem: Fedora's shim up to version 15-8 allowed to load any third-party .efi file as long as its hash or signing certificate has been enrolled into moklist with bundled mokmanager (mmx64.efi). Starting with shim-x64-15.4-1, shim no longer allows execution of third-party files with enrolled hashes or certificate, always showing security violation error regardless of moklist contents. Version-Release number of selected component (if applicable): shim-x64-15.4-1.x86_64, shim-x64-15.4-5.x86_64, shim-x64-15.6-1.x86_64 How reproducible: Every time. Steps to Reproduce: Download the attached archive, it contains several shim+mokmanager versions along with third-party grubx64.efi and corresponding ENROLL_THIS_KEY_IN_MOKMANAGER.cer certificate. 1. Run qemu as provided in run_qemu.txt file inside the archive 2. Do that for every shim file system directory Actual results: Only shim-x64-15-8.x86_64 directory successfully loads third-party grub ("grub-rescue" prompt), all others fail with security violation screen, regardless whether the hash or the certificate is enrolled to the moklist. Expected results: All shim versions load third-party enrolled file.