• UEFI secure boot issue

    From Bhasker C V@21:1/5 to All on Thu Jun 20 12:20:01 2024
    Hi,

    I generated a pr/pk pair and the kernel is signed. Placed them in the
    kernel tree and compiled the kernel.


    Could someone tell me what I am doing wrong, please?

    Below is the status (I am using loader.efi from linuxfoundation)
    When I boot the signed Debian stock kernel, I see that Secure Boot
    gets enabled (hence the BIOS and everything else seem to be fine with the
    same UEFI loader).
    However, when I boot the compiled kernel I get

    $ dmesg | grep -i secure
    [ 0.007085] Secure boot could not be determined


    $ sbverify --list bootx64.efi
    warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections? signature 1
    image signature issuers:
    - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    image signature certificates:
    - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
    $ sbverify --list ./loader.efi
    signature 1
    image signature issuers:
    - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    image signature certificates:
    - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    $ sbverify --list ../../linux/k.bcv
    signature 1
    image signature issuers:
    - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    image signature certificates:
    - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bhasker C V@21:1/5 to [email protected] on Fri Jun 21 06:30:02 2024
    On Thu, Jun 20, 2024 at 3:57 PM Jeffrey Walton <[email protected]> wrote:

    On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V <[email protected]> wrote:

    I generated a pr/pk pair and the kernel is signed. Placed them in the kernel tree and compiled the kernel.

    I don't think you are supposed to check-in/compile-in the private key.
    It is usually supposed to stay private.

    Could someone tell me what I am doing wrong, please?

    Below is the status (I am using loader.efi from linuxfoundation)
    When I boot the signed Debian stock kernel, I see that Secure Boot
    gets enabled (hence the BIOS and everything else seem to be fine with the
    same UEFI loader).
    However, when I boot the compiled kernel I get

    $ dmesg | grep -i secure
    [ 0.007085] Secure boot could not be determined


    $ sbverify --list bootx64.efi
    warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections? signature 1
    image signature issuers:
    - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    image signature certificates:
    - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
    $ sbverify --list ./loader.efi
    signature 1
    image signature issuers:
    - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    image signature certificates:
    - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    $ sbverify --list ../../linux/k.bcv
    signature 1
    image signature issuers:
    - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    image signature certificates:
    - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
    issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv


    Have a look at <https://wiki.debian.org/SecureBoot>, and the use of
    the Machine Owner Key (MOK).

    Thanks Jeff. I did follow this.
    Like I had mentioned before, the stock kernel still works in
    locked-down mode with secure boot whereas the kernel I have compiled
    and signed does not.
    Is there a way to debug why exactly this does not work?


    Jeff

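As an added example (not code from either poster), one concrete way to follow up Jeff's MOK pointer is to check whether the DN that `sbverify --list` reports as the image's signer is actually among the certificates `mokutil --list-enrolled` shows as enrolled. The parsing functions run on captured tool output (the samples below are constructed, shaped like the thread's listings); `live_check`, `SAMPLE_SBVERIFY` and `SAMPLE_MOK` are names chosen here, and the live path assumes sbsigntools and mokutil are installed.

```shell
#!/bin/sh
# Added example (not from the thread): is the certificate that signed an EFI image
# enrolled as a Machine Owner Key? The parsers work on captured `sbverify --list` and
# `mokutil --list-enrolled` text, so they run offline; live_check() uses the real tools.

# Issuer DN of each signature in `sbverify --list` output on stdin,
# e.g. /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
sbverify_issuers() {
  awk '/^ *image signature issuers:/ { grab = 1; next }
       /^ *image signature certificates:/ { grab = 0 }
       grab && /^ *- / { sub(/^ *- */, ""); print }'
}

# Subject of each certificate in `mokutil --list-enrolled` output on stdin, rewritten
# from openssl's "C = GB, ST = England, ..." into sbverify's slash form for comparison.
mok_subjects() {
  sed -n 's/^ *Subject: *//p' | sed -e 's/ *= */=/g' -e 's/, */\//g' -e 's/^/\//'
}

# Exit 0 if the DN in $1 is an enrolled MOK subject (mokutil output on stdin), else 1.
issuer_enrolled() {
  mok_subjects | grep -Fxq -- "$1"
}

# Live variant for the image path in $1; assumes sbsigntools and mokutil are installed.
# A signer absent from MOK may still be in the firmware db (see efi-readvar -v db).
live_check() {
  sbverify --list "$1" | sbverify_issuers | while IFS= read -r dn; do
    if mokutil --list-enrolled | issuer_enrolled "$dn"; then echo "in MOK: $dn"
    else echo "NOT in MOK: $dn"; fi
  done
}

# Constructed sample of `sbverify --list` output, shaped like the thread's k.bcv listing.
SAMPLE_SBVERIFY='signature 1
image signature issuers:
 - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
image signature certificates:
 - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
   issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv'
# Constructed sample of `mokutil --list-enrolled` output, unrelated key listed first.
SAMPLE_MOK='[key 1]
        Subject: C = GB, O = Example Org, CN = Example MOK
[key 2]
        Issuer: C = GB, ST = England, L = London, O = BHASKER, CN = bcvm.bcvm.bcv
        Subject: C = GB, ST = England, L = London, O = BHASKER, CN = bcvm.bcvm.bcv'

if [ "$#" -gt 0 ]; then live_check "$1"; fi
```

Run it as `sh check-signer.sh /path/to/image.efi` to compare against the live MOK list; a signer that is in neither MOK nor db is the first thing to rule out before looking at the loader.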