Closed: nasastry closed this issue 11 months ago
Couldn't read the SBAT secvar:
# secvarctl read -n sbat
READING sbat :
ESL SIG LIST SIZE: 51
GUID is : 50ab5d6046e00043abb63dd810dd8b23
Signature type is: SBAT
Data: sbat,1
DELETE-MSG: sbat,1
ERROR: invalid signature type
Found 0 ESL's
RESULT: SUCCESS
With the internal secvarctl, it could read SBAT:
# /home/secvarctl/secvarctl -m guest read -n sbat
READING sbat :
Timestamp: 0000-00-00 00:00:00 UTC
ESL SIG LIST SIZE: 51
GUID is : 50ab5d6046e00043abb63dd810dd8b23
Signature type is: SBAT
Data: sbat,1
Found 1 ESL's
RESULT: SUCCESS
With RC2, it could read all of grubdb and sbat:
[root@ltcrain80-lp2 home]# secvarctl read -n sbat
READING sbat :
ESL 1:
ESL SIG LIST SIZE: 51
GUID is : 50ab5d6046e00043abb63dd810dd8b23
Signature type is: SBAT
Data: sbat,1
Found 1 ESL's
RESULT: SUCCESS
[root@ltcrain80-lp2 home]# secvarctl read -n grubdb
READING grubdb :
ESL 1:
ESL SIG LIST SIZE: 1083
GUID is : a159c0a5e494a74a87b5ab155c2bf072
Signature type is: X509
Certificate-1: Found certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:c7:bb:59:b7:7e:97:a6:9c:08:b1:d3:8c:39:a0:8f:35:04:0f:4a
Signature Algorithm: sha256WithRSAEncryption
Issuer:
organizationName = IBM Corporation
organizationalUnitName = Power Systems
commonName = Guest Secure Boot Imprint Certificate Authority
emailAddress = daniel.axtens1@ibm.com
Validity
Not Before: Dec 8 17:46:17 2022 GMT
Not After : Nov 14 17:46:17 2122 GMT
Subject:
organizationName = IBM Corporation
organizationalUnitName = Power Systems
commonName = Guest Secure Boot Imprint Signing Key
emailAddress = daniel.axtens1@ibm.com
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
35:16:B1:78:B7:78:AD:AD:97:95:EE:1A:4C:85:58:B6:20:ED:6D:69
X509v3 Authority Key Identifier:
85:42:F6:AF:EE:9C:10:2D:47:18:5D:B8:09:66:09:CF:72:00:6B:F7
ESL 2:
ESL SIG LIST SIZE: 1595
GUID is : a159c0a5e494a74a87b5ab155c2bf072
Signature type is: X509
Certificate-1: Found certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
5b:5e:59:f2:5f:75:4c:8e:c5:3a:91:07:e9:e7:6d:3c:d0:7f:91:fd
Signature Algorithm: sha256WithRSAEncryption
Issuer:
organizationName = IBM Corporation
organizationalUnitName = Power Systems
commonName = Guest Secure Boot Imprint Certificate Authority
emailAddress = daniel.axtens1@ibm.com
Validity
Not Before: Jul 9 02:28:42 2020 GMT
Not After : Jun 15 02:28:42 2120 GMT
Subject:
organizationName = IBM Corporation
organizationalUnitName = Power Systems
commonName = Guest Secure Boot Imprint Signing Key
emailAddress = daniel.axtens1@ibm.com
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature
X509v3 Subject Key Identifier:
10:48:56:E0:67:BC:D0:BA:2B:16:06:BB:82:B3:78:D4:5D:F5:00:5A
X509v3 Authority Key Identifier:
A2:3C:CD:7B:F9:D1:7E:8C:76:2B:C8:DD:E1:B1:3D:FC:E0:CF:24:81
ESL 3:
ESL SIG LIST SIZE: 960
GUID is : a159c0a5e494a74a87b5ab155c2bf072
Signature type is: X509
Certificate-1: Found certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d3:9c:41:33:dd:6b:5f:45
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = Red Hat Secure Boot CA 6
emailAddress = secalert@redhat.com
Validity
Not Before: Feb 15 14:00:44 2021 GMT
Not After : Jan 17 14:00:44 2038 GMT
Subject:
commonName = Red Hat Secure Boot Signing 602
emailAddress = secalert@redhat.com
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Code Signing
X509v3 Subject Key Identifier:
6C:E4:6C:27:AA:CD:0D:4B:74:21:A4:F6:5F:87:B5:31:FE:10:BB:A7
X509v3 Authority Key Identifier:
E8:6A:1C:AB:2C:48:F9:60:36:A2:F0:7B:8E:D2:9D:B4:2A:28:98:C8
ESL 4:
ESL SIG LIST SIZE: 938
GUID is : a159c0a5e494a74a87b5ab155c2bf072
Signature type is: X509
Certificate-1: Found certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
da:2b:65:5e:2e:d5:a7:bb
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = Red Hat Secure Boot CA 7
emailAddress = secalert@redhat.com
Validity
Not Before: Jun 8 18:29:10 2022 GMT
Not After : Jan 17 18:29:10 2038 GMT
Subject:
commonName = Red Hat Secure Boot Signing 702
emailAddress = secalert@redhat.com
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Code Signing
X509v3 Subject Key Identifier:
74:91:10:FD:C5:2A:50:93:AD:5D:BD:4B:3D:A9:04:F1:3C:8B:6F:FC
X509v3 Authority Key Identifier:
0.
ESL 5:
ESL SIG LIST SIZE: 1332
GUID is : a159c0a5e494a74a87b5ab155c2bf072
Signature type is: X509
Certificate-1: Found certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ed:87:85:b7:8f:fc:12:80
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = SUSE Linux Enterprise Secure Boot CA
countryName = DE
localityName = Nuremberg
organizationName = SUSE Linux Products GmbH
organizationalUnitName = Build Team
emailAddress = build@suse.de
Validity
Not Before: May 25 12:38:03 2022 GMT
Not After : Dec 31 12:38:03 2032 GMT
Subject:
commonName = SUSE Linux Enterprise Secure Boot Signkey
countryName = DE
localityName = Nuremberg
organizationName = SUSE Linux Products GmbH
organizationalUnitName = Build Team
emailAddress = build@suse.de
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
0A:C6:2B:1F:3F:53:42:71:13:25:86:E2:9D:3B:10:41:59:1C:82:4A
X509v3 Authority Key Identifier:
keyid:F3:3F:A2:2E:F2:8F:CB:9D:C1:8D:43:D2:0B:C7:EF:65:C1:C5:65:E4
DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
serial:01
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
ESL 6:
ESL SIG LIST SIZE: 1332
GUID is : a159c0a5e494a74a87b5ab155c2bf072
Signature type is: X509
Certificate-1: Found certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ca:fc:b5:d7:5e:c5:89:82
Signature Algorithm: sha256WithRSAEncryption
Issuer:
commonName = SUSE Linux Enterprise Secure Boot CA
countryName = DE
localityName = Nuremberg
organizationName = SUSE Linux Products GmbH
organizationalUnitName = Build Team
emailAddress = build@suse.de
Validity
Not Before: Mar 1 13:56:59 2023 GMT
Not After : Sep 28 13:56:59 2033 GMT
Subject:
commonName = SUSE Linux Enterprise Secure Boot Signkey
countryName = DE
localityName = Nuremberg
organizationName = SUSE Linux Products GmbH
organizationalUnitName = Build Team
emailAddress = build@suse.de
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A7:46:B6:4B:6C:B7:1F:13:38:56:38:05:5F:46:16:2B:AC:63:2A:CD
X509v3 Authority Key Identifier:
keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
serial:01
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
Found 6 ESL's
RESULT: SUCCESS
While reading grubdb: it has 6 ESLs, but secvarctl read only one and threw an error.
With the internal secvarctl (probably git HEAD at e3658f2ce5d0089e72eb243e8deacaa2ddd577a4), it was showing all 6 ESLs.
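The outputs above show a secure-boot variable as a chain of EFI_SIGNATURE_LISTs (the SBAT one is 51 bytes: 28-byte list header, 16-byte owner GUID, 7-byte `sbat,1` payload), and a reader that stops on a signature type it does not know. The following is an added illustration, not secvarctl's own code: a walker that bounds-checks every ESL, maps the two type GUIDs using the raw byte strings printed on this page, and reports unknown types instead of aborting. It assumes any variable-level header (such as the timestamp shown in guest mode) has already been stripped, and the sample variable it builds is constructed, with a placeholder owner GUID and a placeholder in place of a real DER certificate.

```python
import struct
from typing import Dict, List

# Signature-type GUIDs as the raw 16 bytes secvarctl prints on this page.
SIG_TYPE_NAMES = {
    bytes.fromhex("50ab5d6046e00043abb63dd810dd8b23"): "SBAT",
    bytes.fromhex("a159c0a5e494a74a87b5ab155c2bf072"): "X509",
}
ESL_HDR_LEN = 28     # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)
OWNER_GUID_LEN = 16  # every EFI_SIGNATURE_DATA starts with SignatureOwner


def build_esl(sig_type: bytes, owner: bytes, payload: bytes) -> bytes:
    """Build one EFI_SIGNATURE_LIST holding a single signature entry."""
    sig_size = OWNER_GUID_LEN + len(payload)
    list_size = ESL_HDR_LEN + sig_size
    return sig_type + struct.pack("<III", list_size, 0, sig_size) + owner + payload


def walk_esls(blob: bytes) -> List[Dict]:
    """Walk every ESL in a variable; unknown types are reported, not fatal."""
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HDR_LEN:
            raise ValueError(f"truncated ESL header at offset {off}")
        sig_type = blob[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HDR_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"ESL at {off} claims {list_size} bytes, {len(blob) - off} left")
        body_len = list_size - ESL_HDR_LEN - hdr_size
        if sig_size <= OWNER_GUID_LEN or body_len % sig_size:
            raise ValueError(f"ESL at {off}: SignatureSize {sig_size} does not tile the list")
        body = blob[off + ESL_HDR_LEN + hdr_size:off + list_size]
        # Strip the owner GUID from each EFI_SIGNATURE_DATA to get the payload.
        entries = [body[i + OWNER_GUID_LEN:i + sig_size] for i in range(0, body_len, sig_size)]
        out.append({"size": list_size, "guid": sig_type.hex(),
                    "type": SIG_TYPE_NAMES.get(sig_type, "UNKNOWN"), "entries": entries})
        off += list_size
    return out


def sample_variable() -> bytes:
    """Constructed sbat-style ESL followed by an X509-typed ESL (placeholder body)."""
    owner = bytes(16)  # constructed placeholder SignatureOwner GUID
    sbat = build_esl(bytes.fromhex("50ab5d6046e00043abb63dd810dd8b23"), owner, b"sbat,1\n")
    cert = build_esl(bytes.fromhex("a159c0a5e494a74a87b5ab155c2bf072"), owner, b"placeholder DER")
    return sbat + cert


if __name__ == "__main__":
    for n, esl in enumerate(walk_esls(sample_variable()), 1):
        print(f"ESL {n}: size {esl['size']} type {esl['type']} entries {esl['entries']}")
```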