Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot secure boot with new Certificate embedded, Verification failed (0x1A) Security Violation #632

Open
ncboot opened this issue Jan 31, 2024 · 2 comments

Comments

@ncboot
Copy link

ncboot commented Jan 31, 2024

We had perfectly running MS signed shim boot loader and Secure Boot worked fine.
But then our Certificate Expired. We need to create new shim boot loader and pass shim-review and MS signing process.

In our Dockerfile I replaced reference to old expired certificate to reference to new Certificate.
Shim 15.7 is built properly from Docker. It is a simple build with command like this:

make VENDOR_CERT_FILE=my-corp.cer

Then I emulate MS signing for this shimx64.efi and sign new grub and kernel using new certificate.
I had written into PC EFI BIOS corresponding emulation databases for PSK, KEK, PK.
I did that many times in the past with our older Certificate embedded into shim.

But now Secure Boot fails with Error "Veriication failed (0x1A) Security Violation"

Question: what are requirements for Certificate? Are any limitations on used crypt algorithms exist?
I am trying to check what is grub signed difference.
I see that with new Certificate signed grub has record "Digest Encryption Algorithm ECC" (left image)
But grub signed with older Certificate has record "Digest Encryption Algorithm RSA" (right image):
image

Can it be issue or not?

Second question is how to debug shim? Can I receive debug messages via serial port or somehow else? Please advise how to configure any debug process!

@eduardacatrinei
Copy link
Contributor

Regarding the debug mode, you can compile shim in verbose mode globals.c:34:UINT32 verbose = 1;

I managed to create a test environment using edk2/ovmf in QEMU link but as far as I know, it does not have built-in support for ECC.

@vathpela
Copy link
Contributor

vathpela commented Feb 6, 2024

Yeah, I wouldn't expect ECC to be well tested since MS still ships RSA keys in system firmwares and there aren't any government requirements (that I know of...) for anything but RSA yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants