From: Łukasz Piątkowski
Date: Tue, 10 May 2022 12:28:44 +0200
Subject: Can't find a solution to a failed secure boot kernel loading
To: grub-devel@gnu.org
List-Id: The development of GNU GRUB

Hi everyone - I'm new here!

Sorry for going with my problem directly to the grub-devel mailing list, but I'm pretty sure my problem is GRUB related. Still, I've spent some hours trying to find a solution on the Internet and I failed :( So, here it comes - if anyone has time to explain my problem to a layman, it would be awesome. Even better, if you can maybe answer here on stackoverflow, where it can be easier to find, I believe (https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature).

I'm running Ubuntu with Secure Boot on. Everything works fine when I use a kernel that comes packaged from Canonical. Still, I have issues running a self-signed kernel (this is actually an externally built kernel that I have verified and want to use for my own machine). I'm pretty sure my signature with the MOK key is OK (verification below), but still, when I try to boot the kernel from grub, after selecting the correct entry, I get an error that reads "Loading ... error: bad shim signature." I'm wrapping my head around it and can't find a solution. Why, even though both kernels are signed with MOK keys, one of them works and the other doesn't?

Here's info about kernel signatures:

root@T495:~# sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz
Image was already signed; adding additional signature

root@T495:~# sbverify --list /boot/vmlinuz
signature 1
image signature issuers:
 - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
image signature certificates:
 - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
   issuer:  /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
signature 2
image signature issuers:
 - /CN=ubuntu Secure Boot Module Signature key
image signature certificates:
 - subject: /CN=ubuntu Secure Boot Module Signature key
   issuer:  /CN=ubuntu Secure Boot Module Signature key

And here about MOK keys:

root@T495:~# openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -fingerprint -noout
SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7
root@T495:~# mokutil --list-enrolled | grep "81:a2:93"
SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7

If there are any docs that help understand that, I'm happy to be redirected there :)

piontec
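The `sbverify --list` output in the post enumerates the WIN_CERTIFICATE entries of the kernel's PE attribute certificate table (one per embedded Authenticode signature, which is why a second `sbsign` run shows up as "signature 2"), and the `openssl`/`mokutil` lines compare the MOK certificate's SHA-1 fingerprint with what is enrolled. The following is an added example, not code from the post or from GRUB, shim, sbsigntools or mokutil: a small Python parser that walks that table the way `sbverify --list` does (index, revision, type and hash of each PKCS#7 blob), plus a fingerprint comparison that checks all 20 bytes instead of the 3-byte prefix a `grep "81:a2:93"` matches. `build_pe_with_certs` constructs a minimal synthetic PE image for offline testing; it is not bootable and its "signatures" are placeholder bytes, and the file name `pe_sigs.py` is only an assumption.

```python
"""pe_sigs.py: enumerate Authenticode signatures in a PE/EFI image and compare MOK fingerprints.

Added example for this thread; it is not part of GRUB, shim, sbsigntools or mokutil.
Assumes a PE32/PE32+ image such as the one the kernel EFI stub or sbsign produces.
"""
import hashlib
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # data directory slot of the certificate table
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002     # bCertificate holds a PKCS#7 SignedData blob


def _security_directory(image: bytes):
    """Return (file_offset, size) of the attribute certificate table, or (0, 0) if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                                   # COFF file header is 20 bytes
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                # PE32
        num_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                              # PE32+ (x86_64 EFI binaries)
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", image, opt + num_dirs_off)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return 0, 0
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("security directory entry outside the optional header")
    # Unlike other directories, this "VirtualAddress" is a raw file offset, not an RVA.
    return struct.unpack_from("<II", image, entry)


def list_signatures(image: bytes):
    """Walk the WIN_CERTIFICATE entries like `sbverify --list`; one dict per embedded signature."""
    off, size = _security_directory(image)
    if size == 0:
        return []
    end = off + size
    if end > len(image):
        raise ValueError("certificate table extends past end of file")
    sigs = []
    while off + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError(f"malformed WIN_CERTIFICATE at {off:#x}")
        blob = image[off + 8:off + length]
        sigs.append({
            "index": len(sigs) + 1,                   # sbverify numbers them from 1
            "revision": revision,
            "type": cert_type,
            "pkcs7": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        off += (length + 7) & ~7                      # entries are padded to 8 bytes
    return sigs


def fingerprints_match(openssl_line: str, mokutil_line: str) -> bool:
    """True if `openssl x509 -fingerprint` and `mokutil --list-enrolled` show the same SHA-1.

    Both tools print the same 20 bytes with different case and separator
    ("SHA1 Fingerprint=81:A2:..." vs "SHA1 Fingerprint: 81:a2:..."); compare all of it.
    """
    def norm(line: str) -> str:
        _, found, rest = line.partition("Fingerprint")
        digest = rest.lstrip("=: ").strip().replace(":", "").lower()
        if not found or len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-1 fingerprint line: {line!r}")
        return digest
    return norm(openssl_line) == norm(mokutil_line)


def build_pe_with_certs(blobs, pe32plus=True) -> bytes:
    """Constructed test input: a minimal, non-bootable PE header plus a certificate table
    carrying the given placeholder blobs (no real PKCS#7 data)."""
    opt_size, magic, machine = (240, 0x20B, 0x8664) if pe32plus else (224, 0x10B, 0x14C)
    num_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    table = b""
    for blob in blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    table_off = 0x40 + 4 + 20 + opt_size              # table follows the headers directly
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, num_dirs_off, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     table_off, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Usage: python3 pe_sigs.py /boot/vmlinuz   (the path is an example)
    data = open(sys.argv[1], "rb").read()
    for s in list_signatures(data):
        print(f"signature {s['index']}: revision {s['revision']:#x} type {s['type']:#x} "
              f"pkcs7={s['pkcs7']} sha256={s['sha256'][:16]}...")
```

Two practitioner caveats that the parser makes visible: a `grep "81:a2:93"` on the mokutil list only proves that the first three bytes of some enrolled key match, so compare the whole fingerprint (as `fingerprints_match` does) before concluding the signing certificate is enrolled; and `sbsign` writes its result to `<file>.signed` unless `--output` is given, so check which file actually carries the signature you expect before pointing the GRUB entry at it.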