Your message dated Thu, 20 Apr 2023 21:34:44 +0000
with message-id <[email protected]>
and subject line Bug#1033657: fixed in grub2 2.06-9
has caused the Debian Bug report #1033657,
regarding grub-efi-arm64-signed: Secure Boot not working on arm64
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1033657: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033657
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: grub-efi-arm64-signed
Version: 2.06-8

Hi,

Secure Boot does not work on arm64 using the shim signed by Microsoft [0] and
grub2 signed by Debian [1] currently in sid.

(a) SB not working with Debian's shim, grub and kernel:

 $ sbverify --list /mnt/efi/boot/bootaa64.efi | grep subject
 warning: data remaining[839096 vs 979672]: gaps between PE/COFF sections?
  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 
 $ sbverify --list /mnt/efi/boot/grubaa64.efi | grep subject
  - subject: /CN=Debian Secure Boot Signer 2022 - grub2
 
 $ sbverify --list /mnt/vmlinuz-6.1.0-7-arm64 | grep subject
  - subject: /CN=Debian Secure Boot Signer 2022 - linux

With the efi variables from qemu-efi-aarch64's AAVMF_VARS.ms.fd plus
SHIM_VERBOSE enabled `mokutil --set-verbosity true`, and the firmware
file AAVMF_CODE.fd from edk2 rebuilt in debug mode - see
https://bugs.debian.org/1033613

 $ qemu-system-aarch64 -machine virt -cpu cortex-a57 \
        -drive file=AAVMF_CODE.debug.fd,format=raw,if=pflash,readonly=true \
        -drive file=AAVMF_VARS.ms.verbose.fd \
        [...]

 grub> linux /vmlinuz-6.1.0-7-arm64
 [...]
 shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
 shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
 grub> boot
 [Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A03D000,0x6C72D7C0).
 DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
 The image doesn't pass verification: MemoryMapped(0x2,0x6A03D000,0x6C72D7C0)
 error: cannot load image.

However:

(b) SB works with Ubuntu's shim, grub and kernel [2]
(c) SB works using a self-signed shim, grub, and kernel from unstable

The Ubuntu output (b) is:

 grub> linux /vmlinuz-6.2.0-18-generic
 shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 2 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 3 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 4 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 5 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 6 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 7 (dbx)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
 shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
 grub> boot
 EFI stub: Booting Linux Kernel...
 EFI stub: EFI_RNG_PROTOCOL unavailable
 EFI stub: ERROR: FIRMWARE BUG: kernel image not aligned on 64k boundary
 EFI stub: ERROR: FIRMWARE BUG: Image BSS overlaps adjacent EFI memory region
 EFI stub: Generating empty DTB
 EFI stub: Exiting boot services...
 EFI stub: UEFI Secure Boot is enabled.

And the Debian self-signed output (c) is:

 grub> linux /vmlinuz-6.1.0-7-arm64.selfsigned
 [...]
 shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
 shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
 shim.c:665:verify_buffer_authenticode() Attempting to verify signature 1:
 shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
 shim.c:164:check_db_cert_in_ram() AuthenticodeVerify() succeeded: 1
 grub> boot
 [Security] 3rd party image[0] can be loaded after EndOfDxe: MemoryMapped(0x2,0x6A040000,0x6C730E68).
 DxeImageVerificationLib: Image is signed but signature is not allowed by DB and SHA256 hash of image is not found in DB/DBX.
 DxeImageVerification: MeasureVariable (Pcr - 7, EventType - 800000E0, VariableName - db, VendorGuid - D719B2CB-3D3A-4596-A3BC-DAD00E67656F)
 MeasureBootPolicyVariable - Not Found
 None of Tcg2Protocol/CcMeasurementProtocol is installed.
 [...]
 EFI stub: Booting Linux Kernel...
 EFI stub: EFI_RNG_PROTOCOL unavailable
 EFI stub: UEFI Secure Boot is enabled.

As for the way forward: the diff between Debian's grub and Ubuntu's is
non-trivial, so comparing the two may not be the best course of action. I see
that there is an old patchset at https://bugs.debian.org/836140 which could be
forward-ported though.

In any case there are two difficulties when it comes to testing a new grub
version:

- Secure Boot just works when self-signing (c), and I'm not sure why that is
  the case. We need to be able to reproduce the issue (a) with a self-signed
  version of grub.
 
- There is no version of grubaa64.efi with debugging symbols enabled.
  grub-efi-amd64-dbg provides unstripped versions of all the individual grub
  modules, but there is no equivalent for the monolithic images.

--
[0] /usr/lib/shim/shimaa64.efi.signed from shim-signed 1.39

[1] /usr/lib/grub/arm64-efi-signed/grubaa64.efi.signed from
    grub-efi-arm64-signed 2.06-8 

[2] shim-signed_1.54+15.7-0ubuntu1_arm64.deb
    grub-efi-arm64-signed_1.192+2.06-2ubuntu16_arm64.deb
    linux-image-6.2.0-18-generic_6.2.0-18.18_arm64.deb

--- End Message ---
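The `sbverify --list` output and shim's "Attempting to verify signature 0" / "signature 1" lines in the report above both walk the same on-disk structure: the PE/COFF Attribute Certificate Table that data directory 4 (Security) points at, with one WIN_CERTIFICATE entry per Authenticode signature (the self-signed kernel in case (c) carries two, checked in turn). The Python below is an added example, not code from the bug report or from the grub, shim or sbsigntool projects. It builds a headers-only PE32+ image with constructed placeholder blobs standing in for the PKCS#7 SignedData, then locates, validates and counts the entries; `list_signatures`, `build_pe32plus`, `SIGNER_A`, `SIGNER_B` and `demo` are names chosen here. It does not verify any signature, it only shows where the signatures live and how the table is bounded.

```python
"""Locate the Authenticode signatures in a PE/COFF image.

Added example (not from the bug report or from grub/shim/sbsigntool).
The image is constructed inline with placeholder certificate blobs.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
IMAGE_FILE_MACHINE_ARM64 = 0xAA64


def list_signatures(image: bytes) -> list:
    """Return one dict per WIN_CERTIFICATE entry in the image's security directory."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    opt = coff + 20                                            # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:            # PE32+ (what the arm64/amd64 EFI binaries use)
        ndirs_at, dirs_at = opt + 108, opt + 112
    elif magic == 0x10B:          # PE32
        ndirs_at, dirs_at = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", image, ndirs_at)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return []
    # For the security directory the first field is a raw FILE OFFSET, not an
    # RVA: the certificate table is appended to the file and not mapped by any section.
    table_off, table_size = struct.unpack_from(
        "<II", image, dirs_at + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if table_off == 0 or table_size == 0:
        return []                                              # unsigned image
    table_end = table_off + table_size
    if table_end > len(image):
        raise ValueError("certificate table runs past end of file")
    sigs = []
    pos = table_off
    while pos < table_end:
        if table_end - pos < 8:
            raise ValueError("truncated WIN_CERTIFICATE header at 0x%x" % pos)
        length, revision, cert_type = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > table_end:
            raise ValueError("bad dwLength %d at 0x%x" % (length, pos))
        blob = image[pos + 8:pos + length]                     # bCertificate
        sigs.append({
            "index": len(sigs),
            "offset": pos,
            "revision": revision,
            "type": cert_type,
            "pkcs7_der_like": blob[:1] == b"\x30",             # DER SEQUENCE tag of SignedData
            "blob": blob,
        })
        pos += (length + 7) & ~7                               # entries are 8-byte aligned
    return sigs


def build_pe32plus(cert_blobs, machine=IMAGE_FILE_MACHINE_ARM64) -> bytes:
    """Constructed, headers-only PE32+ image carrying the given certificate blobs."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE header at 0x40
    opt_size = 112 + 16 * 8                                    # PE32+ fixed part + 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    headers_len = 64 + 4 + len(coff) + opt_size                # 328, already 8-byte aligned
    table = bytearray()
    for blob in cert_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        entry += b"\0" * (-len(entry) % 8)                     # pad each entry to 8 bytes
        table += entry
    if table:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)


# Constructed placeholders standing in for PKCS#7 SignedData (real DER starts with 0x30).
SIGNER_A = b"\x30\x82\x00\x20" + b"placeholder: Debian Secure Boot Signer 2022 - linux"
SIGNER_B = b"\x30\x82\x00\x20" + b"placeholder: self-signed test key"


def demo():
    """Signature counts for a singly signed, a dual-signed (like case (c)) and an unsigned image."""
    single = build_pe32plus([SIGNER_A])
    dual = build_pe32plus([SIGNER_A, SIGNER_B])
    unsigned = build_pe32plus([])
    return (len(list_signatures(single)),
            len(list_signatures(dual)),
            len(list_signatures(unsigned)))


if __name__ == "__main__":
    print("signatures (single, dual, unsigned):", demo())
```

Two details matter when reading real binaries with this: the security directory's first field is a file offset rather than an RVA, and the Authenticode hash that sbverify and the firmware compute covers the file minus the checksum field, the security directory entry and the certificate table itself, which is why adding a second signature to an image (as in case (c)) does not invalidate the first.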
--- Begin Message ---
Source: grub2
Source-Version: 2.06-9
Done: Steve McIntyre <[email protected]>

We believe that the bug you reported is fixed in the latest version of
grub2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve McIntyre <[email protected]> (supplier of updated grub2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 20 Apr 2023 20:35:11 +0100
Source: grub2
Architecture: source
Version: 2.06-9
Distribution: unstable
Urgency: medium
Maintainer: GRUB Maintainers <[email protected]>
Changed-By: Steve McIntyre <[email protected]>
Closes: 1001248 1012865 1020769 1025698 1028301 1031594 1033657
Changes:
 grub2 (2.06-9) unstable; urgency=medium
 .
   [ Steve McIntyre ]
   * postinst: make config_item() more robust
   * Add debconf logic for GRUB_DISABLE_OS_PROBER to make it easier to
     control things here. Particularly useful for the installer.
     Closes: #1031594, #1012865, #1025698.
   * Add luks2 to the signed grub efi images. Closes: #1001248
 .
   [ Ben Hutchings ]
   * Fix probing of LUKS2 devices (Closes: #1028301):
     - disk/cryptodisk: When cheatmounting, use the sector info of the cheat
       device
     - osdep/devmapper/getroot: Have devmapper recognize LUKS2
     - osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM
       parameters
 .
   [ Emanuele Rocca ]
   * Add arm64-handover-to-kernel-if-sb-enabled.patch to fix Secure Boot on
     arm64 (Closes: #1033657)
 .
   [ Mattia Rizzolo ]
   * Don't warn about os-prober if it's not installed. Closes: #1020769
Checksums-Sha1:
 d89fe4a3dbfb055eed095bab8a352030b4cfd38a 7057 grub2_2.06-9.dsc
 46f45db5ba915deeee369110c71ff7441c52121b 1106868 grub2_2.06-9.debian.tar.xz
 84bdd2999ce0be45cf0e5257406d5bd1c9054b2b 13200 grub2_2.06-9_source.buildinfo
Checksums-Sha256:
 c078344fabe411b40f2a5b79998e371b825d690c770b27458d4712fa9bf646f4 7057 grub2_2.06-9.dsc
 d7401daf34162a2c6cc1beccd20386703f646c1a1162674b011101e7b4657ff3 1106868 grub2_2.06-9.debian.tar.xz
 35df045b53592d9c75ffc469038a50c5b522adadb8c4c5804f0c33f2cb158383 13200 grub2_2.06-9_source.buildinfo
Files:
 dba4c627cbd06c911817bf482306201f 7057 admin optional grub2_2.06-9.dsc
 4c1810f4fc7a2d5d312cd55827bdc60e 1106868 admin optional grub2_2.06-9.debian.tar.xz
 5b07d8b2a315edb438a8fcbe981cef95 13200 admin optional grub2_2.06-9_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmRBrXoRHDkzc2FtQGRl
Ymlhbi5vcmcACgkQWHl5VzRCaE6Svg//aAXxQQt3Rt/7Seej5ovcvqStMkxWJZ0G
9urdaEbtHSC6zI2JadLLfplvmapfYppjIY8FrYYfZAYe11bx1s6/fzn0SjAp+Qq9
h/5Ct8gmr9wCH8ne8BWzuiyYY24vJPkX6nFN/VDgthebAiskdLtkUyVFHAEfsiIe
zlf/PACpS1II+04o52ISAnncwNmynCvSOLo/jyEsSTsDcsFFNQl7EHg8dbdbZOB4
PrXjNjZ8qN6nWhpzomChnwpQpFQEV9cLXd5rFCtbv3FtIar0L8EzDU85YtFjzkc5
oTT+xOHFwlUcx0IAmMqCmpgceajMiaHFCjJk9AlONpadbc/oFJx1a3nR34J/fO/F
0pFRj9GGm3A7/oK/cnPV/n/2ulawC51WfI7zES1v9Zh315B7oubANUnQHaUaFn9W
WpkVfA8Evlal3sYwj6okbpRCeymhkKtKzJiyPGJf/zLEDWf6AnNGBGMv1NCA1OJN
5sDLHX/+0Z+3Us6B9NqXN7fOaJ1xKHhzkKacP/yfCx7G1XuWhaMDarscb9Lg/cye
293738Abb1isskAoC+Umuw/qUEHkqrajqSqNvrXvYoV3Ma+471nknv53+dRrx59g
DZccjuofaJpfuRG/w0R6ha/y4NW8/CaAVO3B9R+3/+PUJAVi0f66bb4WbEyXPRH3
4afP2pzeRKs=
=TJpV
-----END PGP SIGNATURE-----

--- End Message ---