Bug 886199 - mokutil calculates incorrect signature size
Summary: mokutil calculates incorrect signature size
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: shim
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Matthew Garrett
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedNTH RejectedBlocker
Depends On:
Blocks: F18-accepted, F18FinalFreezeExcept 886212
TreeView+ depends on / blocked
 
Reported: 2012-12-11 18:48 UTC by Josh Boyer
Modified: 2012-12-20 13:03 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 12:40:33 UTC
Type: Bug


Attachments (Terms of Use)

Description Josh Boyer 2012-12-11 18:48:18 UTC
Description of problem:

When using mokutil to import a new certificate, it calculates the wrong size for the cert.  According to the UEFI spec, it should be:

"...16 (size of the SignatureOwner component) + the size of the certificate itself."

However, mokutil is calculating this as:

CertList->SignatureSize = sizes[i] + sizeof(EFI_SIGNATURE_DATA) + 
             16;

The sizeof(EFI_SIGNATURE_DATA) there is not necessary.  This happens to throw the kernel into a fit and it fails to parse certs stored in MokListRT.

Version-Release number of selected component (if applicable):

shim-unsigned-0.2-2.fc18.1.x86_64

How reproducible:

Always

Steps to Reproduce:
1. import a cert with mokutil
2. reboot and do the MokManager thing
3. watch the kernel hate the result.
  
Actual results:

cert imported with wrong size in the efi_signature_list structure.

Expected results:

Things work.

Additional info:

I've sent a patch to Peter and Matthew, and a pull request upstream for mokutil to fix this.

Comment 1 Josh Boyer 2012-12-11 18:50:01 UTC
Proposing as F18 Blocker.

Comment 2 Adam Williamson 2012-12-12 18:15:53 UTC
Discussed at 2012-12-12 blocker review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-12/f18final-blocker-review-4.2012-12-12-17.01.log.txt .  Rejected as a blocker on the understanding this only affects generation/installation of personal signatures, not use of the MS key. Accepted as NTH - pjones thinks it could go in as 0-day but isn't 100% sure and thinks it's safer to take it now, and the fix is isolated and only affects SB stuff, can't break anything else.

Comment 3 Fedora Update System 2012-12-13 23:23:33 UTC
shim-0.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/shim-0.2-3.fc18

Comment 4 Fedora Update System 2012-12-14 06:45:26 UTC
Package shim-0.2-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shim-0.2-3.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20316/shim-0.2-3.fc18
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-12-20 05:27:13 UTC
shim-0.2-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Kamil Páral 2012-12-20 12:33:44 UTC
Josh, can you confirm the issue is fixed with the new build?

Comment 7 Josh Boyer 2012-12-20 12:40:33 UTC
(In reply to comment #6)
> Josh, can you confirm the issue is fixed with the new build?

You mean like the big long comment and +1 karma I left in the update that is linked to in comment #4?

Sure.  It fixes the issue.

Comment 8 Kamil Páral 2012-12-20 13:03:01 UTC
Sorry, I overlooked that. Thanks.


Note You need to log in before you can comment on or make changes to this bug.