Bug 2310759

Summary: sbvarsign writes broken signatures when built with gnu-efi 3.0.16-3.0.18
Product: [Fedora] Fedora Reporter: Daan De Meyer <daan.j.demeyer>
Component: sbsigntoolsAssignee: Dominik 'Rathann' Mierzejewski <dominik>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: clumens, dominik, epel-packagers-sig, michel, nfrayer, pjones, rhughes
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: sbsigntools-0.9.5-7.fc42 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-11-24 09:02:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daan De Meyer 2024-09-08 21:14:47 UTC 
mkosi uses sbvarsign to sign PK, KEK and db signature lists for use with systemd-boot secure boot auto-enrollment. sbsigntools, when built against gnu-efi 3.18.0 produces a signed PK signature list that results in a security violation when systemd-boot tries to enroll it within a UEFI OVMF virtual machine. If I install sbsigntools-0.9.5-1.fc38.x86_64.rpm from Fedora 38 the signed PK signature list is accepted again by the OVMF secure boot firmware.

If I build sbsigntools from Fedora Rawhide against gnu-efi 3.11.0, the PK signature list is also accepted as expected. This leads me to believe that gnu-efi 3.18.0 is what's causing this breakage.

Reproducible: Always

Steps to Reproduce:
On a Fedora 40 or rawhide system, run the following:
- git clone https://github.com/systemd/mkosi
- ln -s $PWD/mkosi/bin/mkosi /usr/local/bin/mkosi
- mkdir tmp
- cd tmp
- mkosi genkey
- mkosi -d fedora -r rawhide -p kernel-core -p systemd -p udev -p systemd-boot --secure-boot --secure-boot-auto-enroll=yes -i -f qemu

Actual Results:  
Enrolling secure boot keys from directory: \loader\keys\auto
Failed to write PK secure boot variable: Security violation


Expected Results:  
Enrolling secure boot keys from directory: \loader\keys\auto
Custom Secure Boot keys successfully enrolled, rebooting the system now!
Comment 1 Daan De Meyer 2024-09-09 06:45:17 UTC 
Bisected to 189200d0b0f6fff473d302880d9569f45d4d8c4d. If I revert that on top of the gnu-efi master branch I can't reproduce the issue anymore.
Comment 2 Daan De Meyer 2024-09-09 07:01:05 UTC 
The fix is to build sbsigntools with -fshort-wchar
Comment 3 Dominik 'Rathann' Mierzejewski 2024-11-17 22:27:54 UTC 
That commit exists in gnu-efi-3.0.16, too.
Comment 4 Dominik 'Rathann' Mierzejewski 2024-11-18 09:54:00 UTC 
I looked at the commit in gnu-efi and it looks correct. See also https://github.com/ncroxon/gnu-efi/commit/edfda7c396134c7109444b230ce4b0da1e61d524 .
It looks like uint16_t should be used instead of wchar_t and -fshort-wchar. So the bug might actually be in sbsigntools.
Comment 5 Dominik 'Rathann' Mierzejewski 2024-11-18 22:47:34 UTC 
gnu-efi upstream also says the bug is in sbsigntools, so reassigning.
Comment 6 Dominik 'Rathann' Mierzejewski 2024-11-18 23:24:19 UTC 
Daan, can you try this?
https://src.fedoraproject.org/rpms/sbsigntools/pull-request/2
Comment 7 Fedora Update System 2024-11-24 08:57:34 UTC 
FEDORA-2024-caed0c598b (sbsigntools-0.9.5-7.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-caed0c598b
Comment 8 Fedora Update System 2024-11-24 09:02:44 UTC 
FEDORA-2024-caed0c598b (sbsigntools-0.9.5-7.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.