
Bug 2207710

Summary: Executing BOOTX64.EFI fails after printing "Verification failed: Security Policy Violation"
Product: Red Hat Enterprise Linux 7
Reporter: Renaud Métrich <rmetrich>
Component: shim
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: CLOSED MIGRATED
QA Contact: Release Test Team <release-test-team-automation>
Severity: urgent
Priority: urgent
Docs Contact:
Version: 7.9
CC: fj-lsoft-rh-dump, jaredz, mlewando, pjanda, prjagtap, qguo, sbarcomb, xuwei
Target Milestone: rc
Keywords: EasyFix, MigratedToJIRA, Regression
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-09-16 20:07:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1788175

Description Renaud Métrich 2023-05-16 15:22:26 UTC
Description of problem:

Booting BOOTX64.EFI fails after it prints "Verification failed: Security Policy Violation".
Verbose mode shows this happens due to some "self signed certificate in certificate chain":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
shim.c:866:load_image() attempting to load \EFI\BOOT\fbx64.efi
shim.c:737:verify_buffer_sbat() sbat section base:0x7CCED418 size:0x200
pe.c:868:verify_sbat_section() SBAT section data
pe.c:876:verify_sbat_section() sbat, 1, SBAT Version, sbat, 1, https://github.com/rhboot/shim/blob/main/SBAT.md
pe.c:876:verify_sbat_section() shim, 2, UEFI shim, shim, 1, https://github.com/rhboot/shim
sbat.c:126:verify_single_entry() component sbat has a matching SBAT variable entry, verifying
sbat.c:191:verify_sbat_helper() finished verifying SBAT data: Success
pe.c:571:generate_hash() sha1 authenticode hash:
pe.c:572:generate_hash() 00000000  XX XX XX XX XX XX XX XX  XX XX XX XX 56 b0 81 0d  XXXXXXXXXXXX|V...|
pe.c:572:generate_hash() 00000004  3a 19 2f 84 29 f8 97 69  91 11 23 84 ed d6 8e a3  |:./.)..i..#.....|
pe.c:573:generate_hash() sha256 authenticode hash:
pe.c:574:generate_hash() 00000000  7a b6 3b 1a f6 ae a2 5c  99 6a 38 8e fa d8 aa fb  |z.;....\.j8.....|
pe.c:574:generate_hash() 00000010  3f 09 72 e8 90 17 97 7d  8e 72 7d 6b 94 ff 05 c6  |?.r....}.r}k....|
shim.c:611:verify_buffer_authenticode() check_allowlist: Not Found
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (vendor_db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:687:verify_buffer_authenticode() Binary is not authorized
shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND
shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND
shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND
shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND
shim.c:610 verify_buffer_authenticode() check_allowlist(): Not Found
shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND
shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:370 check_allowlist() check_db_cert(db, sha256hash) != DATA_FOUND
shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:395 check_allowlist() check_db_cert(vendor_db, sha256hash) != DATA_FOUND
shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:414 check_allowlist() check_db_cert(MokListRT, sha256hash) != DATA_FOUND
SSL Error: shim.c:691 verify_buffer_authenticode(): Security Policy Violation
2092850320:error:21075075:lib(33):func(117):reason(117):NA:0:Verify error:self signed certificate in certificate chain
Verification failed: Security Policy Violation
Failed to load image: Security Policy Violation
shim.c:1169 start_image() Failed to load image: Security Policy Violation
shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi
Failed to open \EFI\BOOT\mmx64.efi - Not Found
Failed to load image ??: Not Found
shim.c:888 load_image() Failed to open \EFI\BOOT\mmx64.efi - Not Found
shim.c:1116 read_image() Failed to load image ??: Not Found
start_image() returned Not Found
BdsDxe: No bootable option or device was found.
BdsDxe: Press any key to enter the Boot Manager Menu.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This prevents executing the Recovery Code, causing the system to be unbootable if the firmware was cleared somehow (e.g. "efibootmgr -O" executed).

Additionally this prevents some VMWare systems from booting without user interaction (the user needs to "OK" multiple times until "Red Hat Enterprise Linux" gets selected):
the issue is still under investigation by VMWare and seems to affect "VMware ESXi, 7.0.3, 21313628".

Version-Release number of selected component (if applicable):

shim-x64-15.6-3.el7_9.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Boot a UEFI RHEL7 system in Secure Boot
2. Clear the EFI entries

   # efibootmgr -O

3. Reboot

Actual results:

Security Violation

Expected results:

No violation and "Red Hat Enterprise Linux" entry recreated
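The verbose log above shows shim computing the binary's SHA-1 and SHA-256 "authenticode hash" and looking each one up in db, vendor_db and MokListRT (check_db_hash) before falling back to certificate verification (check_db_cert). The following added example is my code, not shim's and not part of the bug report: it computes that image hash in Python the way the Authenticode PE specification and shim's generate_hash() define it, and builds a constructed minimal PE32+ image to show that replacing the certificate table leaves the digest unchanged while a one-byte change to section data does not. The image builder, all of its field values and the fake certificate blob are constructed for the example and are not taken from fbx64.efi.

```python
"""Authenticode PE image hash as shim's generate_hash() computes it (added example).

The digest covers every byte of the PE file except the CheckSum field, the
Security data-directory entry and the certificate table itself, so a signature
can be attached without changing the hash that db/vendor_db/MokListRT hash
entries are matched against.
"""
import hashlib
import struct

OPT_MAGIC_PE32 = 0x10B
OPT_MAGIC_PE32PLUS = 0x20B
OPT_SIZEOFHEADERS = 60          # optional-header offset, same for PE32 and PE32+
OPT_CHECKSUM = 64               # optional-header offset, same for PE32 and PE32+
OPT_DATADIR = {OPT_MAGIC_PE32: 96, OPT_MAGIC_PE32PLUS: 112}
SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(image: bytes, algo: str = "sha256") -> str:
    """Return the hex Authenticode digest of a PE image held in memory."""
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in OPT_DATADIR:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", image, opt_off + OPT_SIZEOFHEADERS)[0]
    checksum_off = opt_off + OPT_CHECKSUM
    secdir_off = opt_off + OPT_DATADIR[magic] + 8 * SECURITY_DIR_INDEX
    _cert_off, cert_size = struct.unpack_from("<II", image, secdir_off)

    # 1. Headers, skipping the 4-byte CheckSum and the 8-byte Security entry.
    h.update(image[:checksum_off])
    h.update(image[checksum_off + 4:secdir_off])
    h.update(image[secdir_off + 8:size_of_headers])

    # 2. Section raw data, in increasing file-offset order.
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", image, sect_off + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = size_of_headers
    for raw_ptr, raw_size in sorted(sections):
        h.update(image[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # 3. Any trailing data minus the certificate table, which (like shim)
    #    we assume sits at the very end of the image.
    trailer = len(image) - hashed - cert_size
    if trailer > 0:
        h.update(image[hashed:hashed + trailer])
    return h.hexdigest()


def build_test_image(section_payload: bytes, cert_blob: bytes) -> bytes:
    """Construct a minimal PE32+ image with one section and a fake certificate table."""
    file_align = 512
    size_of_headers = file_align
    raw_size = file_align
    cert_off = size_of_headers + raw_size
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert += b"\0" * (-len(cert) % 8)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    datadirs = [(0, 0)] * 16
    datadirs[SECURITY_DIR_INDEX] = (cert_off, len(cert))
    opt = struct.pack("<HBBIIIII", OPT_MAGIC_PE32PLUS, 14, 0, raw_size, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII",
                       0x140000000, 0x1000, file_align, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, size_of_headers, 0,          # ..., SizeOfHeaders, CheckSum
                       10, 0x160,                              # EFI application subsystem
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in datadirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, raw_size,
                       size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sect
    headers += b"\0" * (size_of_headers - len(headers))
    body = section_payload.ljust(raw_size, b"\0")[:raw_size]
    return headers + body + cert


if __name__ == "__main__":
    img = build_test_image(b"constructed section payload", b"\x30\x82" + b"A" * 30)
    print("sha256 authenticode hash:", authenticode_hash(img))
    print("sha1   authenticode hash:", authenticode_hash(img, "sha1"))
```

Because the certificate table is outside the digest, a binary can be admitted either by its hash (a db or MokListRT hash entry) or by the certificate that signed it. In this report neither path matched: the hash was not listed anywhere, and the signer was a self-signed test certificate rather than one chaining to a certificate in db, vendor_db or MokListRT.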

Comment 3 Renaud Métrich 2023-05-16 15:26:35 UTC
Actually the fbx64.efi binary has been signed with the wrong certificate:

[root@vm-uefi7 ~]# pesign -S -i /boot/efi/EFI/BOOT/fbx64.efi
---------------------------------------------
certificate address is 0x7ff26281be10
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Mon Apr 17, 2023
There were certs or crls included.
---------------------------------------------
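The pesign listing above is the check that identifies this regression before a system refuses to boot: the signer's common name on every EFI binary on the ESP should be a production signer, never a test certificate. The following added example is my code, not pesign's and not part of the bug report. It parses the `pesign -S -i <file>` output format shown in Comment 3 and flags binaries whose signer CN is not in an expected set; the ESP path, the expected-signer placeholder and the embedded sample listing are assumptions constructed for the example.

```python
"""Audit the signer of every EFI binary on the ESP from pesign output (added example)."""
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Set

SIGNER_RE = re.compile(r"^The signer's common name is (.+)$", re.MULTILINE)


def signer_names(pesign_output: str) -> List[str]:
    """Return every signer CN pesign printed (one line per signature in the binary)."""
    return [name.strip() for name in SIGNER_RE.findall(pesign_output)]


def unexpected_signers(pesign_output: str, expected: Set[str]) -> List[str]:
    """CNs not in the expected set; an unsigned binary is reported as '<unsigned>'."""
    names = signer_names(pesign_output)
    if not names:
        return ["<unsigned>"]
    return [name for name in names if name not in expected]


def audit_esp(esp: Path, expected: Set[str]) -> Dict[str, List[str]]:
    """Run pesign over every *.efi below the ESP; map path -> unexpected signer CNs."""
    findings: Dict[str, List[str]] = {}
    for efi in sorted(esp.rglob("*.efi")):
        proc = subprocess.run(["pesign", "-S", "-i", str(efi)],
                              capture_output=True, text=True, check=False)
        bad = unexpected_signers(proc.stdout, expected)
        if bad:
            findings[str(efi)] = bad
    return findings


# Constructed sample: the listing Comment 3 shows for fbx64.efi.
SAMPLE_OUTPUT = """---------------------------------------------
certificate address is 0x7ff26281be10
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is Red Hat Test Certificate
No signer email address.
Signing time: Mon Apr 17, 2023
There were certs or crls included.
---------------------------------------------
"""

if __name__ == "__main__":
    # Placeholder: put the CN(s) of your distribution's production signer here.
    expected = {"EXPECTED-PRODUCTION-SIGNER-CN"}
    print("sample listing, unexpected signers:", unexpected_signers(SAMPLE_OUTPUT, expected))
    for path, bad in audit_esp(Path("/boot/efi/EFI"), expected).items():
        print(f"{path}: unexpected signer(s) {bad}")
```

Running this on the affected system would list /boot/efi/EFI/BOOT/fbx64.efi with "Red Hat Test Certificate" as its unexpected signer; running it as a build-time or package-QA step on the shim package contents catches the same problem before the binary ships.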

Comment 11 Marta Lewandowska 2023-07-18 12:33:58 UTC
*** Bug 2220848 has been marked as a duplicate of this bug. ***

Comment 12 RHEL Program Management 2023-09-16 19:04:40 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 13 RHEL Program Management 2023-09-16 20:07:08 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

Comment 14 Red Hat Bugzilla 2024-01-15 04:25:08 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days