Bug 2099380 - Shim does not allow loading third-party .efi files since 15.4-1
Summary: Shim does not allow loading third-party .efi files since 15.4-1
Alias: None
Product: Fedora
Classification: Fedora
Component: shim
Version: 35
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2022-06-20 19:13 UTC by ValdikSS
Modified: 2022-06-21 17:47 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-06-21 17:47:42 UTC
Type: Bug

Attachments (Terms of Use)
File system with several shim versions and third-party grub (1.15 MB, application/x-7z-compressed)
2022-06-20 19:13 UTC, ValdikSS
no flags Details

System ID Private Priority Status Summary Last Updated
Github rhboot shim issues 489 0 None open Moklist'ed hashes incorrectly follow strict sbat validation rules 2022-06-20 21:22:06 UTC

Description ValdikSS 2022-06-20 19:13:22 UTC
Created attachment 1891366 [details]
File system with several shim versions and third-party grub

Description of problem:

Fedora's shim up to version 15-8 allowed to load any third-party .efi file as long as its hash or signing certificate has been enrolled into moklist with bundled mokmanager (mmx64.efi).

Starting with shim-x64-15.4-1, shim no longer allows execution of third-party files with enrolled hashes or certificate, always showing security violation error regardless of moklist contents.

Version-Release number of selected component (if applicable):
shim-x64-15.4-1.x86_64, shim-x64-15.4-5.x86_64, shim-x64-15.6-1.x86_64

How reproducible:
Every time.

Steps to Reproduce:

Download the attached archive, it contains several shim+mokmanager versions along with third-party grubx64.efi and corresponding ENROLL_THIS_KEY_IN_MOKMANAGER.cer certificate.

1. Run qemu as provided in run_qemu.txt file inside the archive
2. Do that for every shim file system directory

Actual results:
Only shim-x64-15-8.x86_64 directory successfully loads third-party grub ("grub-rescue" prompt), all others fail with security violation screen, regardless whether the hash or the certificate is enrolled to the moklist.

Expected results:
All shim versions load third-party enrolled file.

Comment 1 ValdikSS 2022-06-20 21:01:52 UTC
This happens because grubx64.efi does not contain .sbat section, while newer shim versions require it, even for mok-listed files
HOWEVER, the file won't boot even when added as a hash, while shim states for db that it should be working that way:

> If a binary is enrolled in db by its hash rather than by certificate, the validation result is logged only, not enforced

So this is still a bug, I guess?

Note You need to log in before you can comment on or make changes to this bug.