SecureBoot : rolling out new shim pkgs for CentOS 7.5.1804 in CR repository – asking for testers/feedback
Thursday, 30 August 2018, by Fabian Arrotin

When we consolidated all CentOS distro builders into a new centralized setup covering all arches (at that time x86_64, i386, ppc64le, ppc64, aarch64 and armhfp), we also wanted to add redundancy wherever it was possible.

The interesting "SecureBoot" corner case came up, and we had to find a different way to build the following packages:

  • shim (both signed and unsigned)
  • grub2
  • fwupdate
  • kernel

The other reason why we considered rebuilding them is that the cert we were using has expired, as the following command shows:

curl --location --silent https://github.com/CentOS/sig-core-SecureBoot/raw/master/CentOS_7/kernel/SOURCES/centos.cer | openssl x509 -inform der -text -noout|grep -A2 Validity

While technically that doesn't really matter for SecureBoot itself, it was better to roll in a new key/cert and use the new one for new builds.

That's where it gets interesting: because shim embeds the certs in the Machine Owner Key (MOK), and every other component in the boot chain is validated against that (grub2 first, then the kernel and kernel modules), a shim embedding only the new cert would, once deployed, no longer be able to boot the previous grub2/kernel.

But there is a solution for that: instead of embedding only the new cert, we can embed both the old one and the new one, which lets us still boot older kernels as well as the new ones we'll build/push soon (built on the new build system). That's what we did for the new shim package.

That's where we'd like you (SecureBoot users) to give us feedback on that new shim package. It was already validated on some hardware nodes and passed some QA tests, but we'd prefer to have more feedback.

Worth noting that this rebuild also carries a patch that should fix an issue we had with shim not allowing keys to be imported into MOK through mokutil (see https://bugs.centos.org/view.php?id=14050).

How can you test?

If you're using UEFI with SecureBoot enabled, we have signed and pushed those packages to the CR repository (see https://wiki.centos.org/AdditionalResources/Repositories/CR).

That repo is disabled by default, but the following command will update shim from it:

yum update shim --enablerepo=cr

Then reboot, and it should work like before, validating the boot chain (while still using grub2/kernel packages signed with the previous key).
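To make the cert-expiry check above and the pre-reboot test a little more systematic, here is an added helper script (not part of the original post or of the CentOS tooling). It turns the "Not After" date from openssl into a day count with a proper exit status, and prints what a tester would want to record before rebooting: Secure Boot state, the installed shim/grub2/kernel packages and the signatures on the EFI binaries. It assumes GNU date, openssl, and (for the live report only) mokutil, rpm and pesign; the EFI paths are CentOS 7 defaults.

```shell
#!/bin/sh
# Added example: helpers for checking the SecureBoot cert and boot chain before rebooting.

# Read `openssl x509 -text` output on stdin and print the number of seconds left
# until its "Not After" date (negative when the cert has already expired).
seconds_until_not_after() {
    not_after=$(sed -n 's/^ *Not After *: *//p' | head -n 1)
    [ -n "$not_after" ] || { echo "no 'Not After' line found" >&2; return 2; }
    now=$(date -u +%s)
    expiry=$(date -u -d "$not_after" +%s) || return 2   # GNU date parses "Jan  1 00:00:00 2018 GMT"
    echo $(( expiry - now ))
}

# Whole days left (rounded toward zero) for a DER-encoded certificate file.
cert_days_left() {
    openssl x509 -inform der -in "$1" -noout -text \
        | seconds_until_not_after \
        | awk '{ printf "%d\n", $1 / 86400 }'
}

# Live pre-reboot report; only meaningful on a UEFI host running CentOS 7.
preflight_report() {
    echo "Secure Boot state: $(mokutil --sb-state 2>/dev/null || echo unknown)"
    echo "== installed boot-chain packages"
    rpm -qa 'shim*' 'grub2-efi*' 'kernel'
    for f in /boot/efi/EFI/centos/shimx64.efi /boot/efi/EFI/centos/grubx64.efi; do
        # pesign prints the signer of each Authenticode signature on the PE binary
        [ -r "$f" ] && { echo "== signatures on $f"; pesign -S -i "$f"; }
    done
    echo "== days left on the published CentOS signing cert"
    curl --location --silent \
        https://github.com/CentOS/sig-core-SecureBoot/raw/master/CentOS_7/kernel/SOURCES/centos.cer \
        | openssl x509 -inform der -text -noout \
        | seconds_until_not_after | awk '{ printf "%d\n", $1 / 86400 }'
}
```

Run `preflight_report` once before `yum update shim --enablerepo=cr` and once after the reboot; the two outputs should differ only in the shim package version and its signer.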

We'd appreciate feedback on this list or in #centos-devel on irc.freenode.net.

I'd like to thank Patrick Uiterwijk and Peter Jones for their help with the patch and validation for that shim.
