*** This bug is a security vulnerability ***
Public security bug reported:
I try to boot mokmanager. It fails to boot, as it's not signed with
canonical online key, chained to canonical CA, which shim tries to
validate and fails. I see scary blue screen of death with validation
errors.
# sbverify --list /boot/efi/EFI/ubuntu/mmx64.efi
warning: data remaining[1114272 vs 1269496]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/L=SomeCity/O=SomeOrg
image signature certificates:
- subject: /C=US/L=SomeCity/O=SomeOrg/CN=shim
issuer: /C=US/L=SomeCity/O=SomeOrg
shouldn't shim builds, submit shix64.efi mmx64.efi for Canonical online key
signing?
Maybe as separate shim-canonical & shim-canonical-signed packages, which
chain off src:shim? (since we can't easily rebuild shim)
** Affects: shim-signed (Ubuntu)
Importance: Undecided
Status: New
** Tags: rls-gg-incoming
** Information type changed from Public to Public Security
** Tags added: rls-gg-incoming
** Summary changed:
- fail to launch mokmanager
+ fail to launch mokmanager - mmx64.efi is not signed?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1880197
Title:
fail to launch mokmanager - mmx64.efi is not signed?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
