help-grub

Re: GRUB fails to trust built-in public key


From: Andrei Borzenkov
Subject: Re: GRUB fails to trust built-in public key
Date: Sun, 27 Mar 2022 18:53:39 +0300
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0

On 27.03.2022 14:00, lolock wrote:
> Hello everyone
> 
> I am trying to set up Secure boot on my Gentoo machine. I use 
> grub-mkstandalone to generate an image that is signed by a firmware key. 
> I then expect GRUB to verify my kernel with its detached signature, 
> using a public key I embedded with the --pubkey option. If and only if 
> the signature matches, the system should boot.
> 
> GRUB does successfully start and show the menu entries. If I select one, 
> it fails with the error "error: public key b625168013908c5d not found." 
> If I enter the GRUB shell, list_trusted returns nothing. The variable 
> check_signatures is not automatically set to "enforce", despite the fact 
> I used the --pubkey option. If I load the key manually with --skip-sig, 
> I can successfully verify the kernel and boot the system in Secure boot 
> mode with verify_detached.
> 
> So, the problem is that GRUB does not add the key I provided with 
> --pubkey to its trust store. However, the key is actually there in the 
> EFI image, as I checked with a hexdump of the image and the key.
> 

The key is added by the pgp module's init function. This function walks the
modules embedded in the grub image (a public key is represented as a "module"
of a specific type). These modules are only available during image
initialization; when it is completed, the modules are discarded (depending
on platform, the memory can be reused). To use a public key embedded in the grub
image you must also embed the pgp module itself. Maybe grub-mkimage should
add the pgp module automatically if --pubkey is given, as otherwise it is
useless.

> The exact command:
> 
> grub-mkstandalone --pubkey /boot/grub/grub.pub --verbose --directory 
> /usr/lib/grub/x86_64-efi/ --format x86_64-efi --modules part_gpt fat 
> ext2 configfile gcry_sha512 gcry_dsa gcry_sha256 gcry_rsa 
> password_pbkdf2 echo normal linux linuxefi all_video search 
> search_fs_uuid reboot sleep loadenv minicmd test echo font 

The pgp module is missing.

> --disable-shim-lock --output /boot/EFI/gentoo/grubx64.efi 
> /boot/grub/grub.cfg=/etc/default/grub-initial.cfg 
> /boot/grub/grub.cfg.sig=/etc/default/grub-initial.cfg.sig
> 
> If I enable some debug flags, this is the output:
> 
> grub> verify_detached /vmlinuz-5.15.26-gentoo-x86_64 

The pgp module is (auto-)loaded when you use one of the commands it provides. It
did not add the public key embedded in the image because that public key had
already been discarded at this point.

> /vmlinuz-5.15.26-gentoo-x86_64.sig
> kern/verifiers.c:212: string: verify_detached 
> /vmlinuz-5.15.26-gentoo-x86_64 /vmlinuz-5.15.26-gentoo-x86_64.sig, type 2
> commands/pgp.c:823: alive
> commands/pgp.c:828: alive
> kern/verifiers.c:88: file:  /vmlinuz-5.15.26-gentoo-x86_64  type: 59
> kern/verifiers.c:88: file:  /vmlinuz-5.15.26-gentoo-x86_64.sig type: 131102
> kern/verifiers.c:88: file: (memdisk)/boot/grub/x86_64-efi/gcry_sha1.mod 
> type: 1
> commands/pgp.c:496: alive
> commands/pgp.c:593: alive
> commands/pgp.c:602: @ 34
> commands/pgp.c:608: alive
> commands/pgp.c:611: alive
> commands/pgp.c:613: l = 0x0c00
> commands/pgp.c:616: alive
> commands/pgp.c:619: alive
> commands/pgp.c:621: alive
> commands/pgp.c:626: alive
> error: public key b625168013908c5d not found.
> 

Correct.

> I have posted this problem with some more detail on 
> https://forums.gentoo.org/viewtopic-t-1147754-highlight-.html
> 
> What am I doing wrong?
> 

If you embed a public key and want it to be actually used, you also need to
embed the pgp module.

> Any help is greatly appreciated, thanks in advance.
> 
> Greetings,
> 
> lolock
> 

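The fix described in the reply, as an added example that is not part of the thread and not GRUB project code: a small POSIX sh wrapper that assembles the grub-mkstandalone invocation from the original post and guarantees that `pgp` is in the `--modules` list whenever `--pubkey` is given, so the key is actually registered at image init. The paths, format and file mappings are taken from the post; the `ensure_modules`/`build_standalone_grub` helpers, the `DRY_RUN` switch and the quoting of the module list as one `--modules=` argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or the GRUB project. Wraps grub-mkstandalone
# so that an image built with --pubkey always also carries the pgp module,
# whose init function is the only thing that reads the embedded key.
set -eu

# ensure_modules LIST NAME... : print LIST with every NAME appended that it
# does not already contain (space-separated, pure string work, no GRUB needed).
ensure_modules() {
    have="$1"; shift
    for need in "$@"; do
        case " $have " in
            *" $need "*) ;;                 # already present, keep as is
            *) have="$have $need" ;;        # missing, append it
        esac
    done
    printf '%s\n' "$have"
}

# build_standalone_grub PUBKEY OUTPUT MODULES
# Assembles the command from the original post. The embedded key is only
# consumed by the pgp module's init, and the key "module" is discarded after
# init, so pgp is forced into the module list. With DRY_RUN=1 the command is
# printed instead of run, which lets the logic be checked on a machine
# without GRUB installed.
build_standalone_grub() {
    pubkey="$1"; output="$2"; modules="$3"
    modules=$(ensure_modules "$modules" pgp)
    set -- grub-mkstandalone \
        --directory=/usr/lib/grub/x86_64-efi \
        --format=x86_64-efi \
        --pubkey="$pubkey" \
        --modules="$modules" \
        --disable-shim-lock \
        --output="$output" \
        /boot/grub/grub.cfg=/etc/default/grub-initial.cfg \
        /boot/grub/grub.cfg.sig=/etc/default/grub-initial.cfg.sig
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage with the module list from the post (minus the missing pgp, which the
# wrapper adds). Run with DRY_RUN=1 to see the command without building.
DRY_RUN="${DRY_RUN:-1}" build_standalone_grub /boot/grub/grub.pub \
    /boot/EFI/gentoo/grubx64.efi \
    "part_gpt fat ext2 configfile gcry_sha512 gcry_dsa gcry_sha256 gcry_rsa password_pbkdf2 echo normal linux linuxefi all_video search search_fs_uuid reboot sleep loadenv minicmd test font"
```

After booting the resulting image, the check that the key was picked up at init is done in the GRUB shell rather than in the build: `list_trusted` should now print the embedded key, and `echo $check_signatures` should show the enforcing mode the original post expected, without any manual `trust --skip-sig`.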