Subject: Re: Can't find a solution to a failed secure boot kernel loading
From: James Bottomley
To: The development of GNU GRUB
Date: Tue, 10 May 2022 08:57:30 -0400

On Tue, 2022-05-10 at 12:28 +0200, Łukasz Piątkowski wrote:
> Hi everyone - I'm new here!
>
> Sorry for going with my problem directly to the grub-devel mailing
> list, but I'm pretty sure my problem is GRUB related. Still, I've
> spent some hours trying to find a solution on the Internet and I
> failed :( So, here it comes - if anyone has time to explain my problem
> to a layman, it would be awesome. Even better, if you can maybe answer
> here on stackoverflow, where it can be easier to find, I believe
> (https://unix.stackexchange.com/questions/701612/cant-load-self-signed-kernel-with-secure-boot-on-bad-shim-signature).
>
> I'm running Ubuntu with Secure Boot on. Everything works fine when I
> use a kernel that comes packaged from Canonical. Still, I have
> issues running a self-signed kernel (this is actually an externally
> built kernel,

Please can you clarify what you're doing, because the sbverify you show
below isn't an externally built kernel, it must be an Ubuntu kernel to
have an Ubuntu signature on it, or is that Ubuntu certificate one you
created?

Is your problem that this kernel with the dual signature won't boot even
though the Ubuntu key should be in shim/mok, or that you have another
kernel you didn't attach the sbverify output for that won't boot?

James

> that I have verified and want to use for my own machine). I'm pretty
> sure my signature with MOK key is OK (verification below), but still
> when I try to boot the kernel from grub, after selecting the correct
> entry, I get an error that reads "Loading ... error: bad shim
> signature." I'm wrapping my head around it and can't find a solution.
> Why, even though both kernels are signed with MOK keys, one of them
> works and the other doesn't?
>
> Here's info about kernel signatures:
>
> root@T495:~# sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz
> Image was already signed; adding additional signature
>
> root@T495:~# sbverify --list /boot/vmlinuz
> signature 1
> image signature issuers:
>  - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
> image signature certificates:
>  - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
>    issuer: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
> signature 2
> image signature issuers:
>  - /CN=ubuntu Secure Boot Module Signature key
> image signature certificates:
>  - subject: /CN=ubuntu Secure Boot Module Signature key
>    issuer: /CN=ubuntu Secure Boot Module Signature key
>
> And here about MOK keys:
>
> root@T495:~# openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -fingerprint -noout
> SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7
> root@T495:~# mokutil --list-enrolled | grep "81:a2:93"
> SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7
>
> If there are any docs that help understand that, I'm happy to be
> redirected there :)
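An added example, not code from the thread: the check done by hand above (grep one fingerprint out of `mokutil --list-enrolled`) extended to cross-check every signer that `sbverify --list` reports against the enrolled MOK entries, with fingerprint comparison made case- and separator-insensitive (openssl prints `81:A2:...`, mokutil prints `81:a2:...`, so a grep only works when the case happens to match). Both tool outputs are embedded as constructed sample text mirroring the ones quoted in the mail (line wrapping undone, plus a second, invented MOK entry); the parsing assumes sbverify's `/C=...` DN style and mokutil's `[key N]` blocks containing an openssl `-text` dump, which is what those tools usually print. `mokutil --list-enrolled` shows only MokList, so a signer with no match there (the Ubuntu module key in signature 2) may still be accepted through db or the vendor certificate built into shim; the subject comparison is a triage aid, and the fingerprint comparison is the reliable test.

```python
"""Cross-check signers from `sbverify --list` against `mokutil --list-enrolled`.

Added example, not code from the thread. Sample outputs are constructed to
mirror the ones quoted in the mail; the output formats are assumed from the
tools' usual behaviour (sbverify: '/C=../CN=..' DNs; mokutil: '[key N]'
blocks with an openssl -text dump and a 'SHA1 Fingerprint:' line).
"""
import re

# Constructed: `sbverify --list /boot/vmlinuz` as quoted in the thread.
SBVERIFY_OUTPUT = """\
signature 1
image signature issuers:
 - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
image signature certificates:
 - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
   issuer: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot Signing/emailAddress=example@example.com
signature 2
image signature issuers:
 - /CN=ubuntu Secure Boot Module Signature key
image signature certificates:
 - subject: /CN=ubuntu Secure Boot Module Signature key
   issuer: /CN=ubuntu Secure Boot Module Signature key
"""

# Constructed: abridged `mokutil --list-enrolled`; key 2 is invented.
MOKUTIL_OUTPUT = """\
[key 1]
SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = PL, ST = yes, L = yes, O = none, CN = Secure Boot Signing, emailAddress = example@example.com
        Subject: C = PL, ST = yes, L = yes, O = none, CN = Secure Boot Signing, emailAddress = example@example.com
[key 2]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Subject: CN = Example Lab Kernel Signing
"""

FP_RE = re.compile(r"SHA1 Fingerprint\s*[:=]\s*([0-9A-Fa-f:]+)")


def normalize_dn(dn):
    """Reduce either DN style to a tuple of (attribute, value) pairs.

    Handles sbverify's '/C=PL/ST=yes/...' and openssl -text's
    'C = PL, ST = yes, ...'. Attribute values containing ',' or '/' are
    not handled; fingerprints, not subjects, are the authoritative check.
    """
    return tuple((k, v.strip()) for k, v in re.findall(r"([A-Za-z]+)\s*=\s*([^,/]+)", dn))


def normalize_fp(text):
    """Accept a bare fingerprint or a whole 'SHA1 Fingerprint=..' / ': ..'
    line and return lowercase hex with no separators."""
    m = FP_RE.search(text)
    raw = m.group(1) if m else text
    return re.sub(r"[^0-9a-f]", "", raw.lower())


def parse_sbverify(text):
    """Return [(signature number, normalized subject DN)] per image signature."""
    sigs, current = [], None
    for line in text.splitlines():
        m = re.match(r"signature (\d+)", line)
        if m:
            current = int(m.group(1))
            continue
        m = re.match(r"\s*-\s*subject:\s*(.+)", line)
        if m and current is not None:
            sigs.append((current, normalize_dn(m.group(1))))
    return sigs


def parse_mokutil(text):
    """Return [(normalized fingerprint, normalized subject DN)] per enrolled key."""
    keys = []
    for block in re.split(r"^\[key \d+\]\s*$", text, flags=re.M)[1:]:
        fp = FP_RE.search(block)
        subj = re.search(r"^\s*Subject:\s*(.+)$", block, flags=re.M)
        keys.append((normalize_fp(fp.group(1)) if fp else None,
                     normalize_dn(subj.group(1)) if subj else ()))
    return keys


def fingerprint_enrolled(fingerprint, mokutil_text):
    """True if the certificate fingerprint (any case/separator style) is in MokList."""
    want = normalize_fp(fingerprint)
    return any(fp == want for fp, _ in parse_mokutil(mokutil_text))


def signers_in_mok(sbverify_text, mokutil_text):
    """Map each image signature number to the enrolled-key fingerprints whose
    subject matches that signer; an empty list means no MokList match."""
    enrolled = parse_mokutil(mokutil_text)
    return {num: [fp for fp, subj in enrolled if subj == dn]
            for num, dn in parse_sbverify(sbverify_text)}


if __name__ == "__main__":
    for num, matches in sorted(signers_in_mok(SBVERIFY_OUTPUT, MOKUTIL_OUTPUT).items()):
        status = ("matches MOK key " + ", ".join(matches) if matches
                  else "no MokList match (may still be trusted via db or shim's vendor cert)")
        print(f"signature {num}: {status}")
    openssl_line = "SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7"
    print("MOK.pem fingerprint enrolled:", fingerprint_enrolled(openssl_line, MOKUTIL_OUTPUT))
```

Run it directly to print the per-signature report; in practice the two constants would be replaced by the captured output of the real commands. The DN normalizer is deliberately simple (no escaping support), which is why the fingerprint comparison, not the subject match, should decide whether a MOK entry is really the signer.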