UEFI secure boot issue
Bhasker C V
2024-06-20 10:20:01 UTC
Hi,

I generated a pr/pk pair and the kernel is signed. Placed them in the
kernel tree and compiled the kernel.


Could someone tell me what I am doing wrong, please?

Below is the status (I am using loader.efi from linuxfoundation)
When I boot the Debian stock kernel signed, I see that the secure boot
gets enabled (hence bios and everything else seems to be fine with the
same UEFI loader).
However, when I boot the compiled kernel I get

$ dmesg | grep -i secure
[ 0.007085] Secure boot could not be determined


$ sbverify --list bootx64.efi
warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
signature 1
image signature issuers:
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
Corporation UEFI CA 2011
image signature certificates:
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/CN=Microsoft Corporation Third Party Marketplace Root
$ sbverify --list ./loader.efi
signature 1
image signature issuers:
- /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
image signature certificates:
- subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
$ sbverify --list ../../linux/k.bcv
signature 1
image signature issuers:
- /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
image signature certificates:
- subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
Jeffrey Walton
2024-06-20 15:00:01 UTC
Post by Bhasker C V
I generated a pr/pk pair and the kernel is signed. Placed them in the
kernel tree and compiled the kernel.
I don't think you are supposed to check-in/compile-in the private key.
It is usually supposed to stay private.
Post by Bhasker C V
Could someone tell me what I am doing wrong, please?
Below is the status (I am using loader.efi from linuxfoundation)
When I boot the Debian stock kernel signed, I see that the secure boot
gets enabled (hence bios and everything else seems to be fine with the
same UEFI loader).
However, when I boot the compiled kernel I get
$ dmesg | grep -i secure
[ 0.007085] Secure boot could not be determined
$ sbverify --list bootx64.efi
warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
signature 1
- /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft
Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/CN=Microsoft Corporation UEFI CA 2011
- subject: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/CN=Microsoft Corporation UEFI CA 2011
issuer: /C=US/ST=Washington/L=Redmond/O=Microsoft
Corporation/CN=Microsoft Corporation Third Party Marketplace Root
$ sbverify --list ./loader.efi
signature 1
- /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
- subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
$ sbverify --list ../../linux/k.bcv
signature 1
- /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
- subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
issuer: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
Have a look at <https://wiki.debian.org/SecureBoot>, and the use of
the Machine Owner Key (MOK).

Jeff
Bhasker C V
2024-06-21 04:30:02 UTC
Post by Jeffrey Walton
Post by Bhasker C V
I generated a pr/pk pair and the kernel is signed. Placed them in the
kernel tree and compiled the kernel.
I don't think you are supposed to check-in/compile-in the private key.
It is usually supposed to stay private.
Have a look at <https://wiki.debian.org/SecureBoot>, and the use of
the Machine Owner Key (MOK).
Thanks Jeff. I did follow this.
Like I had mentioned before, the stock kernel still works in
locked-down mode with secure boot whereas the kernel I have compiled
and signed does not.
Is there a way to debug this, to find out why exactly it does not work?
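On the debugging question raised above: the kernel prints "Secure boot could not be determined" on its fall-through case, when the Secure Boot mode it was handed is neither "enabled" nor "disabled". On x86 that value is boot_params.secure_boot, which the kernel's own EFI stub fills in by reading the SecureBoot and SetupMode variables (efi_get_secureboot_mode() in include/linux/efi.h) and shim's MokSBState; it becomes "unknown" when GetVariable() fails with anything other than EFI_NOT_FOUND, and stays "unset" if nothing fills it in, for instance when the kernel is entered without going through its EFI stub. The script below is an added example for this thread, not code from the poster, from the kernel or from any project: it re-implements that decision over efivarfs (or over a fake variable store when run elsewhere) and parses the db and MokListRT signature databases to say whether a given signing certificate is actually enrolled, which is the check the MOK pointer above comes down to. All function names, the fake store and the sample data are assumptions of this example.

```python
"""Decode the UEFI variables that decide the Secure Boot state the kernel
reports, and check whether a signing certificate is enrolled in db or
MokListRT.  Added example for this thread, not the poster's code and not the
kernel's: the decision table mirrors efi_get_secureboot_mode() in
include/linux/efi.h plus the EFI stub's MokSBState check; names, the fake
variable store and the sample data are this example's own assumptions."""
import hashlib
import os
import struct
import sys
import uuid

EFIVARS = "/sys/firmware/efi/efivars"                       # efivarfs mount point
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"     # MokListRT, MokSBState
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_VARIABLE_RUNTIME_ACCESS = 0x4


def read_efivar(name, guid, base=EFIVARS):
    """efivarfs file = 4-byte LE attribute word + data.  Returns (status, attrs,
    data) like GetVariable(), so 'absent' and 'unreadable' stay distinct."""
    try:
        with open(os.path.join(base, f"{name}-{guid}"), "rb") as f:
            raw = f.read()
    except FileNotFoundError:
        return "EFI_NOT_FOUND", 0, b""
    except OSError:                                         # e.g. EIO from firmware
        return "EFI_DEVICE_ERROR", 0, b""
    if len(raw) < 4:
        return "EFI_DEVICE_ERROR", 0, b""
    return "EFI_SUCCESS", struct.unpack_from("<I", raw)[0], raw[4:]


def fake_vars(store):
    """GetVariable() over a dict (demo/test).  A value of None models a failure
    that is not EFI_NOT_FOUND; every variable is reported with attributes 0."""
    def get_var(name, guid):
        key = f"{name}-{guid}"
        if key not in store:
            return "EFI_NOT_FOUND", 0, b""
        return ("EFI_DEVICE_ERROR", 0, b"") if store[key] is None else ("EFI_SUCCESS", 0, store[key])
    return get_var


def secureboot_mode(get_var):
    """Kernel's table: no SecureBoot variable -> disabled; any other GetVariable()
    failure -> unknown (dmesg: 'could not be determined'); SecureBoot=0 or
    SetupMode=1 -> disabled; boot-services-only MokSBState=1 (shim 'insecure
    mode') -> disabled; otherwise enabled."""
    status, _, sb = get_var("SecureBoot", EFI_GLOBAL_VARIABLE_GUID)
    if status == "EFI_NOT_FOUND":
        return "disabled"
    if status != "EFI_SUCCESS" or not sb:       # empty data -> unknown is this script's choice
        return "unknown"
    status, _, sm = get_var("SetupMode", EFI_GLOBAL_VARIABLE_GUID)
    if sb[0] == 0 or (status == "EFI_SUCCESS" and sm and sm[0] == 1):
        return "disabled"
    status, attrs, mok = get_var("MokSBState", SHIM_LOCK_GUID)
    if status == "EFI_SUCCESS" and mok and mok[0] == 1 and not (attrs & EFI_VARIABLE_RUNTIME_ACCESS):
        return "disabled"
    return "enabled"


def signature_lists(blob):
    """Walk the EFI_SIGNATURE_LIST chain held by db, dbx and MokListRT.
    Yields (signature_type, owner, signature_data) for every entry."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size < 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:                        # entry = owner GUID + data
            yield sig_type, uuid.UUID(bytes_le=blob[pos:pos + 16]), blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def build_signature_list(sig_type, owner, datas):
    """Inverse of signature_lists(); used here only to construct sample input."""
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(datas[0])) + body


def cert_is_enrolled(blob, der):
    """True if the exact DER certificate is an X.509 entry.  SHA-256 entries (what
    the Linux Foundation HashTool enrolls) are Authenticode hashes of whole
    images, never of certificates, so a signing key is never found that way."""
    return any(t == EFI_CERT_X509_GUID and d == der for t, _, d in signature_lists(blob))


# Constructed sample data (not from any real machine): a 256-byte stand-in for a
# DER certificate and a 32-byte stand-in for an enrolled image hash.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"\xaa" * 252
FAKE_IMAGE_HASH = bytes(range(32))
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_DER])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [FAKE_IMAGE_HASH]))


def main(cert_path=None):
    get_var = read_efivar if os.path.isdir(EFIVARS) else fake_vars({
        f"SecureBoot-{EFI_GLOBAL_VARIABLE_GUID}": b"\x01",
        f"db-{EFI_IMAGE_SECURITY_DATABASE_GUID}": SAMPLE_DB})
    der = open(cert_path, "rb").read() if cert_path else FAKE_CERT_DER
    print("Secure Boot mode as the kernel would compute it:", secureboot_mode(get_var))
    for name, guid in (("db", EFI_IMAGE_SECURITY_DATABASE_GUID), ("MokListRT", SHIM_LOCK_GUID)):
        status, _, blob = get_var(name, guid)
        if status != "EFI_SUCCESS":
            print(f"{name}: {status}")
            continue
        for t, _, d in signature_lists(blob):               # sha256 of DER for x509, raw hash otherwise
            x509 = t == EFI_CERT_X509_GUID
            print(f"{name}: {'x509' if x509 else t} {hashlib.sha256(d).hexdigest() if x509 else d.hex()}")
        print(f"{name}: signing certificate enrolled: {cert_is_enrolled(blob, der)}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as root on the affected machine with the DER form of the signing certificate (`python3 sbcheck.py MOK.der`); the printed SHA-256 of each X.509 entry can be compared with `openssl x509 -in MOK.pem -outform DER | sha256sum`. Two caveats: MokSBState is a boot-services-only variable and is not visible in efivarfs, so at runtime you only see what the firmware still exposes, not what the stub saw at boot; and a PE hash enrolled through HashTool covers one exact image, so a rebuilt kernel needs either re-enrolment of its hash or a certificate in MOK or db that its signature chains to.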