886199 – mokutil calculates incorrect signature size

Bug 886199 - mokutil calculates incorrect signature size

Summary: mokutil calculates incorrect signature size

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	shim
Sub Component:
Version:	18
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Matthew Garrett
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedNTH RejectedBlocker
Depends On:
Blocks:	F18-accepted, F18FinalFreezeExcept 886212
TreeView+	depends on / blocked

Reported:	2012-12-11 18:48 UTC by Josh Boyer
Modified:	2012-12-20 13:03 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-12-20 12:40:33 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Josh Boyer 2012-12-11 18:48:18 UTC

Description of problem:

When using mokutil to import a new certificate, it calculates the wrong size for the cert.  According to the UEFI spec, it should be:

"...16 (size of the SignatureOwner component) + the size of the certificate itself."

However, mokutil is calculating this as:

CertList->SignatureSize = sizes[i] + sizeof(EFI_SIGNATURE_DATA) + 
             16;

The sizeof(EFI_SIGNATURE_DATA) there is not necessary.  This happens to throw the kernel into a fit and it fails to parse certs stored in MokListRT.

Version-Release number of selected component (if applicable):

shim-unsigned-0.2-2.fc18.1.x86_64

How reproducible:

Always

Steps to Reproduce:
1. import a cert with mokutil
2. reboot and do the MokManager thing
3. watch the kernel hate the result.
  
Actual results:

cert imported with wrong size in the efi_signature_list structure.

Expected results:

Things work.

Additional info:

I've sent a patch to Peter and Matthew, and a pull request upstream for mokutil to fix this.

Comment 1 Josh Boyer 2012-12-11 18:50:01 UTC

Proposing as F18 Blocker.

Comment 2 Adam Williamson 2012-12-12 18:15:53 UTC

Discussed at 2012-12-12 blocker review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-12/f18final-blocker-review-4.2012-12-12-17.01.log.txt .  Rejected as a blocker on the understanding this only affects generation/installation of personal signatures, not use of the MS key. Accepted as NTH - pjones thinks it could go in as 0-day but isn't 100% sure and thinks it's safer to take it now, and the fix is isolated and only affects SB stuff, can't break anything else.

Comment 3 Fedora Update System 2012-12-13 23:23:33 UTC

shim-0.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/shim-0.2-3.fc18

Comment 4 Fedora Update System 2012-12-14 06:45:26 UTC

Package shim-0.2-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shim-0.2-3.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20316/shim-0.2-3.fc18
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-12-20 05:27:13 UTC

shim-0.2-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Kamil Páral 2012-12-20 12:33:44 UTC

Josh, can you confirm the issue is fixed with the new build?

Comment 7 Josh Boyer 2012-12-20 12:40:33 UTC

(In reply to comment #6)
> Josh, can you confirm the issue is fixed with the new build?

You mean like the big long comment and +1 karma I left in the update that is linked to in comment #4?

Sure.  It fixes the issue.

Comment 8 Kamil Páral 2012-12-20 13:03:01 UTC

Sorry, I overlooked that. Thanks.

Note You need to log in before you can comment on or make changes to this bug.