Re: UEFI secure boot issue

2024-06-20 Thread Bhasker C V
On Thu, Jun 20, 2024 at 3:57 PM Jeffrey Walton  wrote:
>
> On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V  wrote:
> >
> > I generated a pr/pk pair and the kernel is signed. Placed them in the
> > kernel tree and compiled the kernel.
>
> I don't think you are supposed to check-in/compile-in the private key.
> It is usually supposed to stay private.
>
> > Could someone tell me what I am doing wrong, please?
> >
> > Below is the status (I am using loader.efi from linuxfoundation)
> > When I boot the signed Debian stock kernel, I see that secure boot
> > gets enabled (hence the BIOS and everything else seem to be fine with the
> > same UEFI loader).
> > However, when I boot the compiled kernel I get
> >
> > $ dmesg | grep -i secure
> > [0.007085] Secure boot could not be determined
> >
> >
> > $ sbverify --list bootx64.efi
> > warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
> > signature 1
> > image signature issuers:
> >  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> > image signature certificates:
> >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
> >    issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> >  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> >    issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> > $ sbverify  --list ./loader.efi
> > signature 1
> > image signature issuers:
> >  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> > image signature certificates:
> >  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> >    issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> > $ sbverify  --list ../../linux/k.bcv
> > signature 1
> > image signature issuers:
> >  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> > image signature certificates:
> >  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> >    issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>
>
> Have a look at , and the use of
> the Machine Owner Key (MOK).

Thanks Jeff. I did follow this.
Like I had mentioned before, the stock kernel still works in
locked-down mode with secure boot, whereas the kernel I have compiled
and signed does not.
Is there a way to debug why exactly this does not work?

>
> Jeff



Re: UEFI secure boot issue

2024-06-20 Thread Jeffrey Walton
On Thu, Jun 20, 2024 at 9:23 AM Bhasker C V  wrote:
>
> I generated a pr/pk pair and the kernel is signed. Placed them in the
> kernel tree and compiled the kernel.

I don't think you are supposed to check-in/compile-in the private key.
It is usually supposed to stay private.

> Could someone tell me what I am doing wrong, please?
>
> Below is the status (I am using loader.efi from linuxfoundation)
> When I boot the signed Debian stock kernel, I see that secure boot
> gets enabled (hence the BIOS and everything else seem to be fine with the
> same UEFI loader).
> However, when I boot the compiled kernel I get
>
> $ dmesg | grep -i secure
> [0.007085] Secure boot could not be determined
>
>
> $ sbverify --list bootx64.efi
> warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
> signature 1
> image signature issuers:
>  - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
> image signature certificates:
>  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
>    issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
>  - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
>    issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
> $ sbverify  --list ./loader.efi
> signature 1
> image signature issuers:
>  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
>  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> $ sbverify  --list ../../linux/k.bcv
> signature 1
> image signature issuers:
>  - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
> image signature certificates:
>  - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
>issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv


Have a look at , and the use of
the Machine Owner Key (MOK).

Jeff
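
As an added example, not code from the thread or from either poster: a small POSIX shell workflow for the MOK route Jeff points at. The file names MOK.key, MOK.pem and MOK.der are hypothetical, and the signing, verification and enrollment functions need sbsigntool and mokutil installed (they are defined, not run). The parsing helpers work on saved `sbverify --list` output; the sample data below is constructed, modelled on the DNs quoted in this thread, so the trust decision can be exercised without the tools or a firmware.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical file names: MOK.key (private key,
# kept out of the kernel tree), MOK.pem (certificate, PEM), MOK.der (same cert, DER).
# sign_kernel / verify_against_cert / enroll_mok need sbsigntool and mokutil and are
# only defined here; the helpers further down work on saved `sbverify --list` output.

# Sign an EFI-stub kernel with the machine owner key. The key never goes into the tree.
sign_kernel() {
    # usage: sign_kernel vmlinuz-unsigned vmlinuz-signed
    sbsign --key MOK.key --cert MOK.pem --output "$2" "$1"
}

# `sbverify --list` only reports who signed; `--cert` checks that the signature
# actually validates against this certificate, the cryptographic half of what the
# firmware or shim does at boot.
verify_against_cert() {
    # usage: verify_against_cert vmlinuz-signed
    sbverify --cert MOK.pem "$1"
}

# Queue the certificate for MokList; shim's MokManager asks for confirmation and the
# one-time password chosen here at the next reboot.
enroll_mok() {
    mokutil --import MOK.der
}

# Print the issuer DNs from `sbverify --list` output read on stdin, one per line.
signer_issuers() {
    awk '/^image signature issuers:/ { grab = 1; next }
         /^image signature certificates:/ { grab = 0 }
         grab && /^ - / { sub(/^ - /, ""); print }'
}

# Exit 0 if any issuer of the image listed in $1 appears verbatim in the trusted DN
# list $2 (one DN per line, i.e. what db plus MokList would contain), else exit 1.
issuer_trusted() {
    signer_issuers < "$1" | grep -Fxq -f "$2"
}

# Constructed sample data modelled on the DNs in this thread, written to directory $1:
# shim.list / kernel.list imitate `sbverify --list` output (unwrapped, as the tool
# prints it); db.txt is a typical OEM db, db_plus_mok.txt the same after enrollment.
write_samples() {
    cat > "$1/shim.list" <<'EOF'
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
EOF
    cat > "$1/kernel.list" <<'EOF'
signature 1
image signature issuers:
 - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
image signature certificates:
 - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
   issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
EOF
    printf '%s\n' '/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011' > "$1/db.txt"
    cp "$1/db.txt" "$1/db_plus_mok.txt"
    printf '%s\n' '/C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv' >> "$1/db_plus_mok.txt"
}

# Stand-alone run: show the trust decision for each image against each trust store.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for img in shim kernel; do
        for trust in db db_plus_mok; do
            if issuer_trusted "$d/$img.list" "$d/$trust.txt"; then r=trusted; else r=NOT-trusted; fi
            echo "$img.efi against $trust: $r"
        done
    done
    rm -rf "$d"
}

demo
```

The question `issuer_trusted` answers is the one the firmware and shim actually ask: not "is the image signed?" (which `sbverify --list` already shows for both files in the thread) but "is the signer in db or in MokList?". Against the constructed db only the Microsoft-signed shim passes and the self-signed kernel does not; once the owner's certificate is in the list, which is what `mokutil --import` followed by the MokManager prompt achieves on a real machine, the kernel passes too. `verify_against_cert` does the local cryptographic check with the same certificate before rebooting.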



UEFI secure boot issue

2024-06-20 Thread Bhasker C V
Hi,

I generated a pr/pk pair and the kernel is signed. Placed them in the
kernel tree and compiled the kernel.


Could someone tell me what I am doing wrong, please?

Below is the status (I am using loader.efi from linuxfoundation)
When I boot the signed Debian stock kernel, I see that secure boot
gets enabled (hence the BIOS and everything else seem to be fine with the
same UEFI loader).
However, when I boot the compiled kernel I get

$ dmesg | grep -i secure
[0.007085] Secure boot could not be determined


$ sbverify --list bootx64.efi
warning: data remaining[91472 vs 101160]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=MOPR/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root
$ sbverify  --list ./loader.efi
signature 1
image signature issuers:
 - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
image signature certificates:
 - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
   issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
$ sbverify  --list ../../linux/k.bcv
signature 1
image signature issuers:
 - /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
image signature certificates:
 - subject: /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv
   issuer:  /C=GB/ST=England/L=London/O=BHASKER/CN=bcvm.bcvm.bcv