2310759 – sbvarsign writes broken signatures when built with gnu-efi 3.0.16-3.0.18

Bug 2310759 - sbvarsign writes broken signatures when built with gnu-efi 3.0.16-3.0.18

Summary: sbvarsign writes broken signatures when built with gnu-efi 3.0.16-3.0.18

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sbsigntools
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Dominik 'Rathann' Mierzejewski
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-09-08 21:14 UTC by Daan De Meyer
Modified:	2024-11-24 09:02 UTC (History)
CC List:	7 users (show)
Fixed In Version:	sbsigntools-0.9.5-7.fc42
Clone Of:
Environment:
Last Closed:	2024-11-24 09:02:44 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	ncroxon gnu-efi issues 52	0	None	closed	gnu-efi 3.0.16+ breaks sbsigntools (sbvarsign)	2024-11-24 08:54:21 UTC

Description Daan De Meyer 2024-09-08 21:14:47 UTC

mkosi uses sbvarsign to sign PK, KEK and db signature lists for use with systemd-boot secure boot auto-enrollment. sbsigntools, when built against gnu-efi 3.18.0 produces a signed PK signature list that results in a security violation when systemd-boot tries to enroll it within a UEFI OVMF virtual machine. If I install sbsigntools-0.9.5-1.fc38.x86_64.rpm from Fedora 38 the signed PK signature list is accepted again by the OVMF secure boot firmware.

If I build sbsigntools from Fedora Rawhide against gnu-efi 3.11.0, the PK signature list is also accepted as expected. This leads me to believe that gnu-efi 3.18.0 is what's causing this breakage.

Reproducible: Always

Steps to Reproduce:
On a Fedora 40 or rawhide system, run the following:
- git clone https://github.com/systemd/mkosi
- ln -s $PWD/mkosi/bin/mkosi /usr/local/bin/mkosi
- mkdir tmp
- cd tmp
- mkosi genkey
- mkosi -d fedora -r rawhide -p kernel-core -p systemd -p udev -p systemd-boot --secure-boot --secure-boot-auto-enroll=yes -i -f qemu

Actual Results:  
Enrolling secure boot keys from directory: \loader\keys\auto
Failed to write PK secure boot variable: Security violation


Expected Results:  
Enrolling secure boot keys from directory: \loader\keys\auto
Custom Secure Boot keys successfully enrolled, rebooting the system now!

Comment 1 Daan De Meyer 2024-09-09 06:45:17 UTC

Bisected to 189200d0b0f6fff473d302880d9569f45d4d8c4d. If I revert that on top of the gnu-efi master branch I can't reproduce the issue anymore.

Comment 2 Daan De Meyer 2024-09-09 07:01:05 UTC

The fix is to build sbsigntools with -fshort-wchar

Comment 3 Dominik 'Rathann' Mierzejewski 2024-11-17 22:27:54 UTC

That commit exists in gnu-efi-3.0.16, too.

Comment 4 Dominik 'Rathann' Mierzejewski 2024-11-18 09:54:00 UTC

I looked at the commit in gnu-efi and it looks correct. See also https://github.com/ncroxon/gnu-efi/commit/edfda7c396134c7109444b230ce4b0da1e61d524 .
It looks like uint16_t should be used instead of wchar_t and -fshort-wchar. So the bug might actually be in sbsigntools.

Comment 5 Dominik 'Rathann' Mierzejewski 2024-11-18 22:47:34 UTC

gnu-efi upstream also says the bug is in sbsigntools, so reassigning.

Comment 6 Dominik 'Rathann' Mierzejewski 2024-11-18 23:24:19 UTC

Daan, can you try this?
https://src.fedoraproject.org/rpms/sbsigntools/pull-request/2

Comment 7 Fedora Update System 2024-11-24 08:57:34 UTC

FEDORA-2024-caed0c598b (sbsigntools-0.9.5-7.fc42) has been submitted as an update to Fedora 42.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-caed0c598b

Comment 8 Fedora Update System 2024-11-24 09:02:44 UTC

FEDORA-2024-caed0c598b (sbsigntools-0.9.5-7.fc42) has been pushed to the Fedora 42 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.