Foxboron / sbctl

:computer: :lock: :key: Secure Boot key manager
MIT License

failed parsing pkcs7 signature from binary #373

Closed: marmitar closed this 2 weeks ago

marmitar commented 2 months ago

I was just testing Grml for recovery (via grml-systemd-boot) and the verification step is not working nicely. It just outputs the following error:

> sudo sbctl verify /efi/grml/vmlinuz
failed parsing pkcs7 signature from binary: incorrect, expected 1.3.6.1.4.1.311.2.1.4, got 1.3.6.1.4.1.311.2.1.21

This does not show up for the first sign, only when verifying the image after signed. The image is still bootable, though, so nothing critical, I guess. This error does not affect other images nor executables in ESP.
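The check behind the reported message lives inside the Authenticode PKCS#7 structure embedded in the PE binary: a ContentInfo of type signedData wraps a SignedData, whose encapContentInfo.eContentType is expected to be 1.3.6.1.4.1.311.2.1.4 (SPC_INDIRECT_DATA_OBJID). The Go program below is an added example, not sbctl or go-uefi code, that pulls that field out of a signed EFI binary so a reader can see which OID an image actually carries and whether it is the Authenticode one. Every function and variable name in it (`certTableFromPE`, `eContentTypes`, `eContentType`, `sampleTable`) is this example's own, and `sampleTable` is a constructed, signer-less SignedData for exercising the parser offline, not a real signature. It reports the OID only; it does not reproduce go-uefi's fix.

```go
package main

import (
	"debug/pe"
	"encoding/asn1"
	"encoding/binary"
	"fmt"
	"os"
)

// Added example, not sbctl or go-uefi code. The OIDs are the two named in the
// reported error; every function and variable name here is this example's own.
var oidSignedData = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 7, 2}
var oidSpcIndirectData = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 4}

// encapContentInfo carries the eContentType Authenticode requires to be SPC_INDIRECT_DATA_OBJID.
type encapContentInfo struct {
	EContentType asn1.ObjectIdentifier
	EContent     asn1.RawValue `asn1:"optional"`
}

// signedData stops after encapContentInfo; encoding/asn1 ignores trailing SEQUENCE members.
type signedData struct {
	Version          int
	DigestAlgorithms asn1.RawValue
	EncapContent     encapContentInfo
}

// contentInfo is the PKCS#7 ContentInfo; Content is the [0] EXPLICIT SignedData.
type contentInfo struct {
	ContentType asn1.ObjectIdentifier
	Content     signedData `asn1:"explicit,tag:0"`
}

// eContentType extracts encapContentInfo.eContentType from one DER PKCS#7 blob.
func eContentType(der []byte) (asn1.ObjectIdentifier, error) {
	var ci contentInfo
	if _, err := asn1.Unmarshal(der, &ci); err != nil {
		return nil, fmt.Errorf("PKCS#7: %w", err)
	}
	if !ci.ContentType.Equal(oidSignedData) {
		return nil, fmt.Errorf("ContentInfo type %v is not signedData", ci.ContentType)
	}
	return ci.Content.EncapContent.EContentType, nil
}

// eContentTypes walks the WIN_CERTIFICATE entries of a PE certificate table
// (8-byte header: dwLength, wRevision, wCertificateType; entries 8-byte aligned).
func eContentTypes(table []byte) ([]asn1.ObjectIdentifier, error) {
	var oids []asn1.ObjectIdentifier
	for len(table) >= 8 {
		length := uint64(binary.LittleEndian.Uint32(table[0:4]))
		if length < 8 || length > uint64(len(table)) {
			return oids, fmt.Errorf("WIN_CERTIFICATE dwLength %d out of range", length)
		}
		if binary.LittleEndian.Uint16(table[6:8]) == 0x0002 { // WIN_CERT_TYPE_PKCS_SIGNED_DATA
			oid, err := eContentType(table[8:length])
			if err != nil {
				return oids, err
			}
			oids = append(oids, oid)
		}
		next := (length + 7) &^ 7
		if next >= uint64(len(table)) {
			break
		}
		table = table[next:]
	}
	return oids, nil
}

// certTableFromPE reads data directory entry 4 (SECURITY) of a PE32+ binary;
// unlike the other entries, its VirtualAddress is a file offset.
func certTableFromPE(path string) ([]byte, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	p, err := pe.NewFile(f)
	if err != nil {
		return nil, err
	}
	oh, ok := p.OptionalHeader.(*pe.OptionalHeader64)
	if !ok || oh.DataDirectory[4].Size == 0 {
		return nil, fmt.Errorf("%s: not PE32+ or has no certificate table", path)
	}
	table := make([]byte, oh.DataDirectory[4].Size)
	_, err = f.ReadAt(table, int64(oh.DataDirectory[4].VirtualAddress))
	return table, err
}

// sampleTable is constructed test data, not a real signature: one table entry
// whose SignedData has no signers and eContentType 1.3.6.1.4.1.311.2.1.4.
var sampleTable = []byte{
	0x2C, 0x00, 0x00, 0x00, 0x00, 0x02, 0x02, 0x00, 0x30, 0x22, 0x06, 0x09, 0x2A, 0x86, 0x48,
	0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02, 0xA0, 0x15, 0x30, 0x13, 0x02, 0x01, 0x01, 0x31, 0x00,
	0x30, 0x0C, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x04,
}
```

To inspect a real image, call `certTableFromPE("/path/to/signed.efi")` and hand the result to `eContentTypes`; an OID other than 1.3.6.1.4.1.311.2.1.4 in the output is exactly the condition the reported message is complaining about, while a table with more than one entry shows up as one OID per signature.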

Foxboron commented 2 months ago

This was fixed with 0.15.4.

https://github.com/Foxboron/go-uefi/commit/e2076f0e58ca8de9e6e55f4662432700d26fe5c0

marmitar commented 2 months ago

Sorry, I forgot to add my system info, but I'm already on the latest version here:

> pacman -Qi sbctl
Name            : sbctl
Version         : 0.15.4-1
# ...
Packager        : Morten Linderud <foxboron@archlinux.org>
Build Date      : qua 07 ago 2024 09:33:09
Install Date    : sex 09 ago 2024 02:02:51
Install Reason  : Explicitly installed
Install Script  : No
Validated By    : Signature

So, I was already on the latest version here, but I reinstalled sbctl and grml-systemd-boot and rebooted just to ensure everything is up to date. The error message is still there:

> sudo sbctl verify 
Verifying file database and EFI images in /efi...
✓ /efi/EFI/tools/poweroff.efi is signed
✓ /efi/EFI/tools/reboot.efi is signed
✓ /efi/EFI/Linux/arch-linux-fallback.efi is signed
✓ /efi/EFI/Linux/arch-linux.efi is signed
✓ /efi/EFI/memtest86/memtestx64.efi is signed
✓ /efi/EFI/systemd/systemd-bootx64.efi is signed
✓ /efi/shellx64.efi is signed
failed parsing pkcs7 signature from binary: incorrect, expected 1.3.6.1.4.1.311.2.1.4, got 1.3.6.1.4.1.311.2.1.21

One thing to note, I don't have Microsoft keys enrolled:

> sbctl status
Installed:  ✓ sbctl is installed
Setup Mode: ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    tpm-eventlog

Foxboron commented 2 months ago

Please upload /efi/grml/vmlinuz somewhere so I can look at it.

marmitar commented 2 months ago

Ok, I've uploaded to a MEGA folder: https://mega.nz/folder/t6FiwQiD#hpvmOzaa-764b8RGK5LWCw.

vmlinuz is the same file from grml64-small_2024.02.iso, and vmlinuz-signed is the one signed with my keys at /efi/grml/vmlinuz.

marmitar commented 2 months ago

Oh, another piece of information I forgot to add: I'm using the tpm type for KEK and PK:

> sudo sbctl setup --print-config 
landlock: true
keydir: /var/lib/sbctl/keys
guid: /var/lib/sbctl/GUID
files_db: /var/lib/sbctl/files.json
bundles_db: /var/lib/sbctl/bundles.json
db_additions:
- tpm-eventlog
files:
# ...
keys:
  pk:
    privkey: /var/lib/sbctl/keys/PK/PK.key
    pubkey: /var/lib/sbctl/keys/PK/PK.pem
    type: tpm
  kek:
    privkey: /var/lib/sbctl/keys/KEK/KEK.key
    pubkey: /var/lib/sbctl/keys/KEK/KEK.pem
    type: tpm
  db:
    privkey: /var/lib/sbctl/keys/db/db.key
    pubkey: /var/lib/sbctl/keys/db/db.pem
    type: file

Foxboron commented 2 months ago

okay, lol.

The issue is fixed. sbctl just doesn't pull the last commit from go-uefi.

I'll fix this at some point in the next couple of days.

marmitar commented 2 months ago

Oh, nice! Thanks for finding this so fast.

pkern commented 2 weeks ago

@Foxboron, thanks for sbctl! Could go.mod be updated to include the fix? It looks like this happens with standard Debian kernels from testing/unstable.

Foxboron commented 2 weeks ago

@pkern yes. I intend to do a release within a few days.

Foxboron commented 2 weeks ago

Fixed with https://github.com/Foxboron/sbctl/commit/6855f246e02ca80019e70bfb9db28af91788ee7e