Merge ~ubuntu-core-dev/grub/+git/ubuntu:check-known-sigs into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu

Proposed by Mathieu Trudel-Lapierre
Status: Merged
Merged at revision: e085fe375e78d4e5a6df34089cc0440b83a03281
Proposed branch: ~ubuntu-core-dev/grub/+git/ubuntu:check-known-sigs
Merge into: ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu
Diff against target: 121 lines (+62/-2)
3 files modified
debian/canonical-uefi-ca.crt (+25/-0)
debian/grub-check-signatures (+36/-2)
debian/grub-common.install.in (+1/-0)
Reviewer Review Type Date Requested Status
Steve Langasek Needs Fixing
Review via email: mp+361589@code.launchpad.net

Commit message

grub-check-signatures: check kernel signatures against known certs from firmware

Description of the change

Check kernel signatures against the certs we can export from firmware, and against the Canonical cert we can ship on disk (to guard against an empty MokListRT, despite the cert really being known by our shim).

I think the risk of false positives (saying we trust the Canonical signature when people use their own shim, etc.) is low enough, and it's an unlikely setup anyway, that people can deal with it on their own.

Revision history for this message
Steve Langasek (vorlon) :
review: Needs Fixing
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) :
Revision history for this message
Steve Langasek (vorlon) :

Preview Diff

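--- /dev/null
+++ b/debian/canonical-uefi-ca.crt
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD
+VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx
+FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk
+LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX
+DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m
+IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x
+NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo
+b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h
+7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7
+v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO
++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr
+yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk
+YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO
+BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj
+MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB
+Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu
+b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB
+CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd
+B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH
+WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx
+U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd
+7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p
+9JkU284DDgtmxBxtvbgnd8FClL38agq8
+-----END CERTIFICATE-----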
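--- a/debian/grub-check-signatures
+++ b/debian/grub-check-signatures
@@ -8,6 +8,7 @@ set -e
 efivars=/sys/firmware/efi/efivars
 secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
 moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
+tmpdir=$(mktemp -d)
 
 on_secure_boot() {
 	# Validate any queued actions before we go try to do them.
@@ -38,13 +39,44 @@ on_secure_boot() {
 	return 0
 }
 
+# Retrieve the keys we do trust from PK, DB, KEK, and MokList.
+extract_known_keys() {
+	# Make the Canonical CA cert available for validation too; in case
+	# MokListRT is empty due to a bug.
+	cp /usr/share/grub/canonical-uefi-ca.crt $tmpdir
+
+	# Extract known UEFI certs from firmware variables
+	( cd $tmpdir; \
+		mokutil --export --db; \
+		mokutil --export --mok >/dev/null 2>/dev/null; \
+		for derfile in *.der; do \
+			openssl x509 -inform der -in $derfile -outform pem -out $derfile.crt; \
+		done )
+}
+
 # Check if a given kernel image is signed
 is_signed() {
 	tmp=$(mktemp)
-	sbattach --detach $tmp $1 >/dev/null # that's ugly...
+	sbattach --detach $tmp $1 >/dev/null 2>/dev/null # that's ugly...
 	test "$(wc -c < $tmp)" -ge 16 # Just _some_ minimum size
 	result=$?
+	if [ $result -eq 0 ]; then
+		sig_subject=$(openssl pkcs7 -inform der -in $tmp -print_certs | openssl x509 -noout -text | grep Subject: )
+	fi
 	rm $tmp
+	if [ $result -eq 0 ]; then
+		for crtfile in $tmpdir/*.crt; do
+			sbverify --cert $crtfile $1 >/dev/null 2>/dev/null
+			result=$?
+			if [ $result -eq 0 ]; then
+				return $result;
+			fi
+		done
+		echo "$1 is signed, but using an unknown key:" >&2
+		echo "$sig_subject" >&2
+	else
+		echo "$1 is unsigned." >&2
+	fi
 	return $result
 }
 
@@ -71,7 +103,7 @@ find_unsigned() {
 
 # Only reached from show_warning
 error() {
-	echo "E: Your kernels are unsigned. This system will fail to boot in a secure boot environment." >&2
+	echo "E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment." >&2
 	exit 1
 }
 
@@ -90,8 +122,10 @@ show_warning() {
 }
 
 if on_secure_boot; then
+	extract_known_keys
 	unsigned="$(find_unsigned)"
 	if [ -n "$unsigned" ]; then
 		show_warning "$unsigned"
 	fi
+	rm -rf "$tmpdir"
 fi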
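Review bot: The temporary directory created by `tmpdir=$(mktemp -d)` at the top of the file is only removed on the single path that reaches the new `rm -rf "$tmpdir"` at the end of the `if on_secure_boot` block, so it is leaked whenever `on_secure_boot` is false, whenever `show_warning` ends in `error()`'s `exit 1`, and whenever `set -e` aborts inside `extract_known_keys` (for example `mokutil` missing, or no `*.der` exported so `openssl` runs on the literal glob). Registering the cleanup once, `trap 'rm -rf "$tmpdir"' EXIT` directly after the `mktemp -d` line, covers every exit path and makes the trailing `rm -rf` redundant. Separately, the header comment on `extract_known_keys` says the keys come "from PK, DB, KEK, and MokList", but the body only exports `--db` and `--mok`, so it should read something like `# Retrieve the certs we trust from db and MokListRT (plus the shipped Canonical CA).`. Note also that nothing here consults dbx or MokListXRT, so a kernel signed by a key that is in db but has since been revoked would presumably still be reported as fine; if that is accepted as out of scope, a one-line comment saying so would save the next reader the question.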
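--- a/debian/grub-common.install.in
+++ b/debian/grub-common.install.in
@@ -1,6 +1,7 @@
 ../../debian/apport/source_grub2.py usr/share/apport/package-hooks/
 ../../debian/grub.d etc
 ../../debian/grub-check-signatures usr/share/grub/
+../../debian/canonical-uefi-ca.crt usr/share/grub/
 
 etc/bash_completion.d
 etc/grub.d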
