Bug 2103803 - RedHat 9.0 ARM bootloader is not signed with Microsoft signature
Summary: RedHat 9.0 ARM bootloader is not signed with Microsoft signature
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: shim
Version: 9.0
Hardware: aarch64
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Bootloader engineering team
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On: 2125069
Blocks:
Reported: 2022-07-05 01:11 UTC by Adam Ru
Modified: 2023-09-16 14:03 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-16 14:03:09 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments (Terms of Use)
ubuntu 2204 arm boot loader (563.19 KB, image/png)
2022-07-13 01:44 UTC, Adam Ru
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   RHEL-4326 0 None Migrated None 2023-09-16 14:03:02 UTC
Red Hat Issue Tracker RHELPLAN-126950 0 None None None 2022-07-05 01:16:25 UTC

Description Adam Ru 2022-07-05 01:11:46 UTC
Description of problem:
RedHat 9.0 ARM boot loader is not signed with a Microsoft signature.
The x86_64 ISO is properly signed with a Microsoft signature.

We want to ask whether there is any reason for this.
Is there a plan to fix it, e.g. in RHEL 9.1?

Version-Release number of selected component (if applicable):

9.0

How reproducible:

[root@pek2-gosv-16-dhcp39 ~]# uname -a
Linux pek2-gosv-16-dhcp39.eng.vmware.com 5.14.0-70.13.1.el9_0.aarch64 #1 SMP Thu Apr 14 12:36:51 EDT 2022 aarch64 aarch64 aarch64 GNU/Linux

[root@pek2-gosv-16-dhcp39 ~]# keyctl list %:.builtin_trusted_keys
3 keys in keyring:
447350985: ---lswrv     0     0 asymmetric: Red Hat Enterprise Linux kernel signing key: 76e54d490ad76bac12a481dd1c97a49f459edd0a
886021945: ---lswrv     0     0 asymmetric: Red Hat Enterprise Linux kpatch signing key: 4d38fd864ebe18c5f0b72e3852e2014c3a676fc8
954122109: ---lswrv     0     0 asymmetric: Red Hat Enterprise Linux Driver Update Program (key 3): bf57f3e87362bc7229d9f465321773dfd1f77a80

Compared to the example output from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/managing_monitoring_and_updating_the_kernel/index#signing-kernel-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel
there are no Microsoft keys listed in the builtin_trusted_keys keyring.


[root@pek2-gosv-16-dhcp39 ~]# keyctl list %:.platform
5 keys in keyring:
696217033: ---lswrv     0     0 asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
361952854: ---lswrv     0     0 asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
482794800: ---lswrv     0     0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
967857386: ---lswrv     0     0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
1072875068: ---lswrv     0     0 asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7


Actual results:

The boot loader is only signed with Microsoft keys,
and the OS will not load by default with Secure Boot enabled.

Users need to manually add the RedHat key to the UEFI dbx to get Secure Boot to work.


Expected results:

We expect the ARM boot loader to also be signed with a Microsoft signature,

so users can enable Secure Boot without additional steps.

Additional info:

Comment 1 Adam Ru 2022-07-05 01:19:30 UTC
Correction:
"the boot loader is only signed with Microsoft keys"
-> "the boot loader is only signed with RedHat keys"

Comment 2 Petr Janda 2022-07-08 14:02:30 UTC
Hello,

It is intentional.

AFAIK Microsoft doesn't provide a CA for aarch64 (they target x86 only), and there isn't any subject that does.
I'm not aware of any commercially available ARM hardware that ships Microsoft keys in hardware and supports Secure Boot.

To fix it we need a certification authority that makes agreements with HW vendors, sets up signing and revocation processes, etc.

Petr

Comment 3 Adam Ru 2022-07-13 01:44:01 UTC
Created attachment 1896568 [details]
ubuntu 2204 arm boot loader

Comment 4 Adam Ru 2022-07-13 01:48:10 UTC
Hi Petr

It's true that Microsoft doesn't have an ARM version of Windows Server, doesn't have a certification program, and doesn't require ARM hardware vendors to ship with Microsoft keys.

However, Microsoft is able to sign an aarch64 boot loader.

We observed that the Ubuntu 22.04 live CD (https://cdimage.ubuntu.com/releases/22.04/release/ubuntu-22.04-live-server-arm64.iso) is able to boot with Secure Boot. You can see that the bootaa64.efi is signed by Microsoft.

-Adam

Comment 5 Robbie Harwood 2022-07-20 16:32:17 UTC
Yeah, we've been reviewing aa64 shims that are signed.  What machine are you seeing functioning secureboot on, though?

Comment 7 Adam Ru 2022-07-20 23:13:29 UTC
I didn't install RHEL 9.0 ARM on a physical machine; I run RHEL 9 as a guest in VMware hypervisors.
There is a Fusion for Apple Silicon Tech Preview build you can download, with Secure Boot enabled for the guest VM.
https://communities.vmware.com/t5/Fusion-for-Apple-Silicon-Tech/ct-p/3022

Comment 15 Amy Crate 2023-08-29 21:23:33 UTC
Any updates on this? Are you planning to have the rhel arm shim signed?

Comment 16 RHEL Program Management 2023-09-16 13:24:25 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 17 RHEL Program Management 2023-09-16 14:03:09 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
