grub

Merge ~ubuntu-core-dev/grub/+git/ubuntu:check-known-sigs into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu

Proposed by Mathieu Trudel-Lapierre on 2019-01-10

Status:	Merged
Merged at revision:	e085fe375e78d4e5a6df34089cc0440b83a03281
Proposed branch:	~ubuntu-core-dev/grub/+git/ubuntu:check-known-sigs
Merge into:	~ubuntu-core-dev/grub/+git/ubuntu:ubuntu
Diff against target:	121 lines (+62/-2) 3 files modified debian/canonical-uefi-ca.crt (+25/-0) debian/grub-check-signatures (+36/-2) debian/grub-common.install.in (+1/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Steve Langasek		2019-01-10	Needs Fixing on 2019-01-11
Review via email: mp+361589@code.launchpad.net

Commit message

grub-check-signatures: check kernel signatures against known certs from firmware

Description of the change

Check kernel signatures against the certs we can export from firmware, and against the Canonical cert we can ship on disk (to guard against an empty MokListRT, despite the cert really being known by our shim).

I think the low risk of false positives (saying we trust the Canonical signature when people use their own shim, etc.) is low enough, and it's an unlikely setup already, that people can deal with it on their own.

Revision history for this message

Steve Langasek (vorlon) on 2019-01-11:

review: Needs Fixing

Revision history for this message

Mathieu Trudel-Lapierre (cyphermox) on 2019-01-11:

Revision history for this message

Steve Langasek (vorlon) on 2019-01-11:

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Julian Andres Klode

Ubuntu Core Development Team

 diff --git a/debian/canonical-uefi-ca.crt b/debian/canonical-uefi-ca.crt
 new file mode 100644
 index 0000000..55c06d5
 --- /dev/null
 +++ b/debian/canonical-uefi-ca.crt
@@ -0,0 +1,25 @@
++-----BEGIN CERTIFICATE-----
++MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD
++VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx
++FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk
++LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX
++DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m
++IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x
++NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo
++b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h
++7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7
++v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO
+++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr
++yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk
++YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO
++BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj
++MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB
++Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu
++b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB
++CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd
++B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH
++WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx
++U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd
++7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p
++9JkU284DDgtmxBxtvbgnd8FClL38agq8
++-----END CERTIFICATE-----
 diff --git a/debian/grub-check-signatures b/debian/grub-check-signatures
 index 1c486a1..1daf589 100755
 --- a/debian/grub-check-signatures
 +++ b/debian/grub-check-signatures
@@ -8,6 +8,7 @@ set -e
  efivars=/sys/firmware/efi/efivars
  secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
  moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
++tmpdir=$(mktemp -d)
  on_secure_boot() {
  	# Validate any queued actions before we go try to do them.
@@ -38,13 +39,44 @@ on_secure_boot() {
  	return 0
+ }
++# Retrieve the keys we do trust from PK, DB, KEK, and MokList.
++extract_known_keys() {
++	# Make the Canonical CA cert available for validation too; in case
++	# MokListRT is empty due to a bug.
++	cp /usr/share/grub/canonical-uefi-ca.crt $tmpdir
++
++	# Extract known UEFI certs from firmware variables
++	( cd $tmpdir; \
++		mokutil --export --db; \
++		mokutil --export --mok >/dev/null 2>/dev/null; \
++		for derfile in *.der; do \
++			openssl x509 -inform der -in $derfile -outform pem -out $derfile.crt; \
++		done )
++}
++
  # Check if a given kernel image is signed
  is_signed() {
  	tmp=$(mktemp)
--	sbattach --detach $tmp $1 >/dev/null  	# that's ugly...
++	sbattach --detach $tmp $1 >/dev/null 2>/dev/null 	# that's ugly...
  	test "$(wc -c < $tmp)" -ge 16	# Just _some_ minimum size
  	result=$?
++	if [ $result -eq 0 ]; then
++		sig_subject=$(openssl pkcs7 -inform der -in $tmp -print_certs | openssl x509 -noout -text | grep Subject: )
++	fi
  	rm $tmp
++	if [ $result -eq 0 ]; then
++		for crtfile in $tmpdir/*.crt; do
++			sbverify --cert $crtfile $1 >/dev/null 2>/dev/null
++			result=$?
++			if [ $result -eq 0 ]; then
++				return $result;
++			fi
++		done
++		echo "$1 is signed, but using an unknown key:" >&2
++		echo "$sig_subject" >&2
++	else
++		echo "$1 is unsigned." >&2
++	fi
  	return $result
+ }
@@ -71,7 +103,7 @@ find_unsigned() {
  # Only reached from show_warning
  error() {
--	echo "E: Your kernels are unsigned. This system will fail to boot in a secure boot environment." >&2
++	echo "E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment." >&2
  	exit 1
+ }
@@ -90,8 +122,10 @@ show_warning() {
+ }
  if on_secure_boot; then
++	extract_known_keys
  	unsigned="$(find_unsigned)"
  	if [ -n "$unsigned" ]; then
  		show_warning "$unsigned"
  	fi
++	rm -rf "$tmpdir"
  fi
 diff --git a/debian/grub-common.install.in b/debian/grub-common.install.in
 index 0a562a6..8e31573 100644
 --- a/debian/grub-common.install.in
 +++ b/debian/grub-common.install.in
@@ -1,6 +1,7 @@
  ../../debian/apport/source_grub2.py	usr/share/apport/package-hooks/
  ../../debian/grub.d			etc
  ../../debian/grub-check-signatures usr/share/grub/
++../../debian/canonical-uefi-ca.crt usr/share/grub/
  etc/bash_completion.d
  etc/grub.d