seloader skip checking PE and p7b signature

jiazhang0 / SELoader

Secure EFI Loader designed to authenticate the non-PE files

BSD 3-Clause "New" or "Revised" License

47 stars 22 forks source link

seloader skip checking PE and p7b signature #2

Closed yunguowei closed 7 years ago

yunguowei commented 7 years ago

Hi Jia, I'm running into a problem, with upstream SecureCore on qemu, grubx64.efi and grub.cfg.p7b checking are bypassed. For example, if grub.cfg.p7b is removed or grubx64.efi is signed by a unknown key, seloader can boot grub, which is not an expected behavior.

Sounds in MokVerifyProtocolInstalled(), seloader can't locate gEfiMokVerifyProtocolGuid, see:

Status = EfiProtocolLocate(&gEfiMokVerifyProtocolGuid, (VOID **)&MokVerifyProtocol);

I guess gEfiMokVerifyProtocolGuid is installed by shim loader, but why this protocol is not located by seloader?

Can you help with this?

Thanks, Yunguo

jiazhang0 commented 7 years ago

@yunguowei It may be either way which can make shim refusing to install MOK Verify Protocol even shim is actually involved during the boot.

UEFI Secure Boot is disabled.
MOK Secure Boot is explicitly disabled.

Plz check whether your running environment belongs to either case.

jiazhang0 commented 7 years ago

@yunguowei I can reproduce this issue. The root cause is due to calling fallback, leading shim uninstalling MOK Verify Protocol. Getting rid of this logic is simple, but this means shim has to be patched and this modification would be rejected by Redhat's reviewers when you are requesting MSFT signing.

yunguowei commented 7 years ago

@jiazhang0 Yes, I have found out that fallback introduced this issue. But still not locate where(source code) fallback uninstall shim's MOK Verify Protocal. Can you advise more about it? fallback has some issue with setting BootOrder on NUC boards. SELoaderx64.efi is set to BootOrder and this leads to UEFI SB verify failed.

MSFT signing might not be a priority for now, so I would like to take fallback away. What do you think?

jiazhang0 commented 7 years ago

@yunguowei I agree with dropping fallback anyway. Introducing fallback is intended to work around MSFT signing review which needs to touch shim source code. However the latest fallback cannot work with SELoader well. Note that dropping fallback still blocks MSFT signing review, unless you would like to exchange the names between SELoader to grub.

Next I will do the items below this weekend.

Drop fallback boot flow
Update READM
Update shim to the latest

jiazhang0 commented 7 years ago

@yunguowei This issue is resolved in the latest meta-secure-core.