On 2020-02-07 14:15, Kairui Song wrote:
On Fri, Feb 7, 2020 at 12:36 PM lijiang lijiang@redhat.com wrote:
On 2020-02-06 21:56, Kairui Song wrote:
And some information for anyone who wants to try secure boot with Fedora 31: there is a shim bug that still hasn't been fixed, so you need to import the Mok key manually. Otherwise both kexec_load and kexec_file_load will fail with the default kernel.
How did you reproduce the shim bug? I enrolled the key to the shim installation via the mokutil tool, but I didn't see any errors.
Thanks. Lianbo
Hi Lianbo,
On my laptop, with secure boot enabled and the firmware Mok keyring empty, Fedora 31 can boot, but neither kexec_load nor kexec_file_load will work.
Fedora shim's signature is trusted by the Microsoft Corporation UEFI CA, which is part of the stock keyring, so it worked. But the kernel is signed by the Fedora Secure Boot CA, which is included in shim, and shim should pass it to the kernel via the Mok keyring, but it didn't.
The keyring on my machine before I import the Mok key manually:

Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949'
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f'
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
There is a known bug that shim will skip passing the Mok keyring if the firmware Mok keyring is empty, and after I import a custom Mok key manually, I can see shim passing the right keyring (notice the Fedora Secure Boot CA gets loaded):
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949'
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f'
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:MokListRT
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'SomeOrg: Kairui Song: 866ba9a71803004ef4a1dc0a56995ba6e993c717'
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:MokListRT
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
This is a shim bug, and this patch works well; there is no workaround we can do in kexec-tools, we can only wait for shim to fix it.
OK. Thanks for the explanation in detail.
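As an added example (not code from this thread, nor from kexec-tools or shim), here is a small Python script that parses the kernel's `integrity:` log lines quoted above and reports whether the Fedora Secure Boot CA reached the kernel through `UEFI:MokListRT`, i.e. whether shim actually passed the Mok keyring on this boot. The sample log strings are constructed from the lines quoted in the thread (same subjects, sources and fingerprints); the function names and the `diagnose` result labels are my own.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample of "journalctl -k" output, modelled on the lines quoted
# in the thread: the boot before the Mok key was enrolled (only UEFI:db).
BEFORE_MOK = """\
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949'
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f'
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:db
Feb 06 15:12:16 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
"""

# Constructed sample of the boot after enrolling a Mok key: same db entries,
# followed by the MokListRT entries shim now hands over.
AFTER_MOK = BEFORE_MOK + """\
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:MokListRT
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'SomeOrg: Kairui Song: 866ba9a71803004ef4a1dc0a56995ba6e993c717'
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loading X.509 certificate: UEFI:MokListRT
Feb 06 22:15:46 kasong-rh-laptop kernel: integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
"""

# A "Loading" line names the source the kernel is reading from; the following
# "Loaded" line carries the subject and the SHA-1 fingerprint in quotes.
LOADING_RE = re.compile(r"integrity: Loading X\.509 certificate: (\S+)")
LOADED_RE = re.compile(r"integrity: Loaded X\.509 cert '(.*): ([0-9a-f]{40})'")

DISTRO_CA = "Fedora Secure Boot CA"  # the CA shim carries for the kernel image


def parse_platform_certs(log: str) -> List[Tuple[str, str, str]]:
    """Return (source, subject, sha1) triples in the order the kernel logged them.

    Each cert is logged as a 'Loading' line (source) immediately followed by a
    'Loaded' line (subject + fingerprint), so we pair them sequentially and
    ignore unrelated lines in between.
    """
    certs: List[Tuple[str, str, str]] = []
    pending_source = None
    for line in log.splitlines():
        m = LOADING_RE.search(line)
        if m:
            pending_source = m.group(1)
            continue
        m = LOADED_RE.search(line)
        if m and pending_source is not None:
            certs.append((pending_source, m.group(1), m.group(2)))
            pending_source = None
    return certs


def mok_passed_to_kernel(log: str, ca_subject: str = DISTRO_CA) -> bool:
    """True if the distribution CA was loaded from UEFI:MokListRT."""
    return any(src == "UEFI:MokListRT" and subj == ca_subject
               for src, subj, _ in parse_platform_certs(log))


def diagnose(log: str, ca_subject: str = DISTRO_CA) -> str:
    """Classify a boot log into one of three labels (labels are my own):
    'ok'             - the CA arrived via MokListRT, kexec_file_load can verify
    'missing-moklist' - no MokListRT entries at all (the empty-Mok shim bug)
    'ca-not-in-moklist' - MokListRT was passed but does not carry the CA
    """
    certs = parse_platform_certs(log)
    if not any(src == "UEFI:MokListRT" for src, _, _ in certs):
        return "missing-moklist"
    if mok_passed_to_kernel(log, ca_subject):
        return "ok"
    return "ca-not-in-moklist"


if __name__ == "__main__":
    # Usage on a live system:  journalctl -k | python3 check_moklist.py
    text = sys.stdin.read() if not sys.stdin.isatty() else AFTER_MOK
    for src, subj, sha1 in parse_platform_certs(text):
        print(f"{src:<16} {subj} ({sha1[:8]}...)")
    print("result:", diagnose(text))
```

The script is read-only and only inspects the kernel log, so it is safe to run on any host; a `missing-moklist` result on a Fedora 31 box with secure boot enabled matches the symptom described in the thread and explains why both `kexec_load` and `kexec_file_load` refuse the signed kernel.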