
Bug 788793

Summary: sys-boot/shim-15.4_p5 version bump; current version is blacklisted by UEFI dbx
Product: Gentoo Linux
Reporter: David Korth <gerbilsoft>
Component: Current packages
Assignee: Rick Farina (Zero_Chaos) <zerochaos>
Status: RESOLVED FIXED
Severity: normal
CC: jstein, plevine457
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/
Whiteboard:
Package list:
Runtime testing required: ---

Description David Korth 2021-05-07 19:08:07 UTC
While attempting to update the UEFI Secure Boot blacklist (dbx) on my laptop, I discovered that the current version of shim in Portage, labeled 15.5-r1, is blacklisted due to security issues. The latest version from Fedora, 15.4-5, is not blacklisted.

Upstream packages:
- https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-ia32-15.4-5.x86_64.rpm
- https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm

Note that the current 15.5-r1 package actually installs 15-5, or what would be considered 15_p5 in Gentoo. 15.5-r1 should be removed and 15.4-5 added as 15.4_p5.
Comment 1 David Korth 2021-05-19 05:42:55 UTC
In further testing, it seems that I forgot to re-enable Secure Boot when installing shim-15.4. After enabling Secure Boot, every EFI binary that I self-signed using a certificate enrolled using MokUtil failed to boot with error 0x1A: security violation. (e.g. grub, UEFI shell.) The only way to fix this was to clear the dbx variable and roll back to shim-15-5.

Tested using sbsign from sbsigntool-0.9.2 (stable) and 0.9.4 (~amd64). No change between the two versions.

When testing this, the dbx variable on my system was completely empty, so it's not caused by a blacklisted hash.

Based on this, it's probably not safe to immediately add 15.4 to Gentoo unless we can figure out exactly why 15.4 isn't recognizing self-signed EFI binaries properly.
Comment 2 David Korth 2021-05-26 14:58:36 UTC
Found the issue. As of shim-15.3, an "SBAT" section is needed in grub. grub-2.06_rc1 supports this using grub-mkimage's --sbat option.

For my build, I'm using the following SBAT:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.06-rc1,https://www.gnu.org/software/grub/

See https://github.com/rhboot/shim/blob/main/SBAT.md for more information.
Comment 3 Peter Levine 2022-01-07 07:00:32 UTC
It seems that shim-15-5, aka sys-boot/shim-15.5, has no fewer than 7 associated CVEs, fixed in Fedora since 15.3-1.

From the latest spec:

* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
- Update to shim 15.3
  - Support for revocations via the ".sbat" section and SBAT EFI variable
  - A new unit test framework and a bunch of unit tests
  - No external gnu-efi dependency
  - Better CI
  Resolves: CVE-2020-14372
  Resolves: CVE-2020-25632
  Resolves: CVE-2020-25647
  Resolves: CVE-2020-27749
  Resolves: CVE-2020-27779
  Resolves: CVE-2021-20225
  Resolves: CVE-2021-20233

I think I'll see how feasible it would be to get a proper source-based ebuild following Fedora's spec file.
Comment 4 Peter Levine 2022-01-07 09:18:20 UTC
> I think I'll see how feasible it would be to get a proper source-based
> ebuild following Fedora's spec file.

For a moment, I forgot the Fedora build is presumably signed by Windows UEFI signing service. I suppose an unsigned shim ebuild wouldn't justify the effort.
Comment 5 David Korth 2022-07-13 16:25:21 UTC
shim-15.6 is in portage, so this can be closed.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4ab4aacf953585804ca6fb7e8a94cf74fc5cc1c9

commit 4ab4aacf953585804ca6fb7e8a94cf74fc5cc1c9
Author: Mathieu Strypsteen <mathieu@strypsteen.me>
Date:   Tue Jul 12 16:59:23 2022 +0000

    sys-boot/shim: add 15.6
    
    Signed-off-by: Mathieu Strypsteen <mathieu@strypsteen.me>
    Signed-off-by: Rick Farina <zerochaos@gentoo.org>