From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: Can't find a solution to a failed secure boot kernel loading
Date: Tue, 10 May 2022 08:57:30 -0400
Message-ID: <e49f7eaf1732c3077cbcc36e20e6c7ec467d60d2.camel@HansenPartnership.com>
In-Reply-To: <CAC9BVySvh2OaR4EFMLRBJaJWWaaPCpPXTkefX2xeT8_X5P0uYA@mail.gmail.com>

On Tue, 2022-05-10 at 12:28 +0200, Łukasz Piątkowski wrote:
> Hi everyone - I'm new here!
> 
> Sorry for going with my problem directly to the grub-devel mailing
> list, but I'm pretty sure my problem is GRUB related. Still, I've
> spent some hours trying to find a solution on the Internet and I
> failed :( So, here it comes
> - if anyone has time to explain my problem to a layman, it would be
> awesome. Even better, if you can maybe answer here on stackoverflow,
> where it can be easier to find, I believe (
> https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature
> ).
> 
> I'm running Ubuntu with Secure Boot on. Everything works fine when I
> use a kernel that comes packaged from Canonical. Still, I have
> issues running a self-signed kernel (this is actually an externally
> built kernel,

Please can you clarify what you're doing, because the sbverify you show
below isn't an externally built kernel, it must be an Ubuntu kernel to
have an ubuntu signature on it, or is that ubuntu certificate one you
created?

Is your problem that this kernel with the dual signature won't boot
even though the Ubuntu key should be in shim/mok, or that you have
another kernel you didn't attach the sbverify output for that won't
boot?

James

>  that I have verified and want to use for my own machine). I'm pretty
> sure my signature with MOK key is OK (verification below), but still
> when I try to boot the kernel from grub, after selecting the correct
> entry, I get an error that reads "Loading ... error: bad shim
> signature." I'm wrapping my head around it and can't find a solution.
> Why, even though both kernels are signed with MOK keys, one of them
> works and the other doesn't?
> 
> Here's info about kernel signatures:
> 
> root@T495:~# sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz
> Image was already signed; adding additional signature
> 
> root@T495:~# sbverify --list /boot/vmlinuz
> signature 1
> image signature issuers:
>  - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
> image signature certificates:
>  - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
>    issuer:  /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
> signature 2
> image signature issuers:
>  - /CN=ubuntu Secure Boot Module Signature key
> image signature certificates:
>  - subject: /CN=ubuntu Secure Boot Module Signature key
>    issuer:  /CN=ubuntu Secure Boot Module Signature key
> 
> 
> And here about MOK keys:
> 
> root@T495:~# openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -fingerprint -noout
> SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7
> root@T495:~# mokutil --list-enrolled | grep "81:a2:93"
> SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7
> 
> If there are any docs that help understand that, I'm happy to be
> redirected
> there :)

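
The checks Łukasz ran by hand above (sbsign, sbverify --list, comparing an openssl fingerprint against mokutil --list-enrolled) are what a practitioner scripts when a kernel fails with "bad shim signature". GRUB's shim_lock verifier hands the image to shim, and shim accepts it only if a signature chains to a cert in UEFI db, shim's built-in vendor cert, or an enrolled MOK, so two things have to be checked separately: that the MOK cert really verifies the image, and that the same cert is really in MokList. The script below is an added example, not code from this thread or from the GRUB or shim projects. The tool names and flags (sbverify --cert, openssl x509 -fingerprint, mokutil --list-enrolled, mokutil --test-key) are real; the script structure and the function names are mine, and the two sample strings are copied from the thread so the matching logic runs without the tools installed. On a real system check_kernel needs root for mokutil and the Ubuntu default paths quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks that MOK.pem actually
# verifies the kernel image and that the cert behind that signature is
# enrolled in MokList. sbsigntools, mokutil and openssl are assumed to be
# installed when check_kernel is run.

# Sample outputs copied from the thread so the matching logic can be run
# without the real tools. openssl prints the digest upper-case after '=',
# mokutil prints it lower-case after ': ', which is why grepping one tool's
# output for the other tool's string fails.
SAMPLE_OPENSSL_FP='SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7'
SAMPLE_MOKUTIL='[key 1]
SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7
Certificate:
    Data:'

# norm_fp TEXT: pull the first SHA-1 fingerprint (20 colon-separated hex
# pairs) out of arbitrary tool output and print it as 40 upper-case digits.
norm_fp() {
    printf '%s\n' "$1" \
        | grep -oiE '([0-9a-f]{2}:){19}[0-9a-f]{2}' \
        | head -n 1 | tr -d ':' | tr 'a-f' 'A-F'
}

# fp_enrolled FP_TEXT MOKUTIL_TEXT: succeed if the fingerprint in FP_TEXT
# appears among the fingerprints in MOKUTIL_TEXT, ignoring case.
fp_enrolled() {
    want=$(norm_fp "$1")
    [ -n "$want" ] || return 1
    printf '%s\n' "$2" \
        | grep -oiE '([0-9a-f]{2}:){19}[0-9a-f]{2}' \
        | tr -d ':' | tr 'a-f' 'A-F' | grep -qx "$want"
}

# check_kernel VMLINUZ MOK_PEM [MOK_DER]: run the real checks on a live box.
check_kernel() {
    kernel=$1
    pem=$2
    der=${3:-}
    mokutil --sb-state
    sbverify --list "$kernel" || return 1
    # Verify against this specific cert rather than only listing signers:
    # a signature that merely exists is not one shim will accept.
    if sbverify --cert "$pem" "$kernel"; then
        echo "OK: $pem verifies $kernel"
    else
        echo "FAIL: $pem does not verify $kernel"
        return 1
    fi
    fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha1)
    if fp_enrolled "$fp" "$(mokutil --list-enrolled)"; then
        echo "OK: signer fingerprint $(norm_fp "$fp") is in MokList"
    else
        echo "FAIL: signer cert is not enrolled in MokList"
        return 2
    fi
    # Optional cross-check with mokutil's own enrolment test on the DER form.
    if [ -n "$der" ]; then
        mokutil --test-key "$der"
    fi
    return 0
}

# Usage: ./check-mok-kernel.sh /boot/vmlinuz \
#            /var/lib/shim-signed/mok/MOK.pem /var/lib/shim-signed/mok/MOK.der
if [ $# -ge 2 ]; then
    check_kernel "$@"
fi
```

If sbverify --cert passes but fp_enrolled fails, the kernel is signed with a key the firmware has never been told about and shim will reject it regardless of how many extra signatures sbsign appends; if sbverify --cert fails, the signature on the image is not the one made with that MOK.pem in the first place.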


Thread overview: 8+ messages
2022-05-10 10:28 Can't find a solution to a failed secure boot kernel loading Łukasz Piątkowski
2022-05-10 12:57 ` James Bottomley [this message]
2022-05-10 13:24 ` Dimitri John Ledkov
2022-05-10 14:00   ` Łukasz Piątkowski
2022-05-10 14:43     ` Dimitri John Ledkov
2022-05-10 14:59       ` Łukasz Piątkowski
2022-05-11 10:13         ` Łukasz Piątkowski
2022-05-11 10:21           ` Dimitri John Ledkov