Bug 2103803

Summary: RedHat 9.0 ARM bootloader is not signed with Microsoft signature
Product: Red Hat Enterprise Linux 9 Reporter: Adam Ru <aru>
Component: shimAssignee: Bootloader engineering team <bootloader-eng-team>
Status: NEW --- QA Contact: Release Test Team <release-test-team>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 9.0CC: elpereir, jaredz, jbastian, ldu, ogutierr, pjanda, raravind, sbarcomb, xiliang, xuli, yacao, yuxisun
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: aarch64   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2125069    
Bug Blocks:    
Attachments:
Description Flags
ubuntu 2204 arm boot loader none

Description Adam Ru 2022-07-05 01:11:46 UTC 
Description of problem:
RedHat 9.0 ARM boot loader is not signed with Microsoft signature
the x86_64 ISO is good signed with Microsoft signature

we want to ask is there any reason for this?
is there a plan to fix it? e.g RHEL9.1?

Version-Release number of selected component (if applicable):

9.0

How reproducible:

[root@pek2-gosv-16-dhcp39 ~]# uname -a
Linux pek2-gosv-16-dhcp39.eng.vmware.com 5.14.0-70.13.1.el9_0.aarch64 #1 SMP Thu Apr 14 12:36:51 EDT 2022 aarch64 aarch64 aarch64 GNU/Linux

[root@pek2-gosv-16-dhcp39 ~]# keyctl list %:.builtin_trusted_keys
3 keys in keyring:
447350985: ---lswrv     0     0 asymmetric: Red Hat Enterprise Linux kernel signing key: 76e54d490ad76bac12a481dd1c97a49f459edd0a
886021945: ---lswrv     0     0 asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b72e3852e2014c3a676fc8
954122109: ---lswrv     0     0 asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87362bc7229d9f465321773dfd1f77a80

compare to the example output from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_monitoring_and_updating_the_kernel/index#signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel
there is no Microsoft keys list in the builtin_trusted_keys


[root@pek2-gosv-16-dhcp39 ~]# keyctl list %:.platform
5 keys in keyring:
696217033: ---lswrv     0     0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
361952854: ---lswrv     0     0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
482794800: ---lswrv     0     0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
967857386: ---lswrv     0     0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
1072875068: ---lswrv     0     0 asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7


Actual results:

the boot loader is only signed with Microsoft Keys
and the OS will not load by default with secure boot enabled

user need manually add RedHat key to UEFI dbx to get secure boot work.


Expected results:

expect the ARM boot loader also signed with Microsoft signature

so user can enable secure boot without additional steps.

Additional info:
Comment 1 Adam Ru 2022-07-05 01:19:30 UTC 
correction
the boot loader is only signed with Microsoft Keys
-> the boot loader is only signed with RedHat Keys
Comment 2 Petr Janda 2022-07-08 14:02:30 UTC 
Hello,

it is intentional. 

AFAIK Microsoft doesn't provide CA for aarch64 (they target x86 only), and there isn't any subject that does.
I'm not aware of any commercially available ARM hardware that ships Microsoft keys in hardware and supports Secure Boot.

For fixing it we need a certification authority, that makes agreement with HW vendors, sets signing and revocation process up etc.

Petr
Comment 3 Adam Ru 2022-07-13 01:44:01 UTC 
Created attachment 1896568 [details]
ubuntu 2204 arm boot loader
Comment 4 Adam Ru 2022-07-13 01:48:10 UTC 
Hi Petr

It's true Microsoft don't have a ARM version Windows Server and not have a certification program and not enforce ARM hardware vendor to ship with Microsoft keys.

However Microsoft is able to sign a aarch64 boot loader.

we observed ubuntu 2204 live CD (https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04-live-server-arm64.iso) is able to boot with Secure Boot. you can see the bootaa64.efi is signed by Microsoft.

-Adam
Comment 5 Robbie Harwood 2022-07-20 16:32:17 UTC 
Yeah, we've been reviewing aa64 shims that are signed.  What machine are you seeing functioning secureboot on, though?
Comment 7 Adam Ru 2022-07-20 23:13:29 UTC 
I didn't install RHEL9.0 ARM on a physical machine,I run RHEL9 as a Guest in VMware hypervisors.
There is Fusion for Apple Silicon TechPreview build you download and with Seucreboot enabled for Guest VM.
https://communities.vmware.com/t5/Fusion-for-Apple-Silicon-Tech/ct-p/3022