[CentOS-devel] SecureBoot : rolling out new shim pkgs for CentOS 7.5.1804 in CR repository - asking for testers/feedback

Thu Aug 30 06:10:38 UTC 2018
Fabian Arrotin <arrfab at centos.org>

When we consolidated all CentOS Distro builders in a new centralized
setup, covering all arches (so basically x86_64, i386, ppc64le, ppc64,
aarch64 and armhfp these days), we also wanted to add redundancy where
it was possible.

The interesting "SecureBoot" corner case came onto the table and we had
to find a different way to build the following packages:
 - shim (both signed and unsigned)
 - grub2
 - fwupdate
 - kernel

The other reason why we considered rebuilding it is that the cert we
were using had expired:

curl --location --silent \
  https://github.com/CentOS/sig-core-SecureBoot/raw/master/CentOS_7/kernel/SOURCES/centos.cer \
  | openssl x509 -inform der -text -noout | grep -A2 Validity

While technically it doesn't really matter for Secureboot itself, it was
better to get a new key/cert rolled-in and use the new one for new builds.

That's where it gets interesting: because shim embeds the certs in the
Machine Owner Key (MOK), and each other component used in the boot
chain is validated against that (so grub2 first, then kernel and kernel
modules), once deployed the new shim would not be able to boot the
previous grub2/kernel.

But there is a solution for that: instead of "embedding" only the new
cert, we can have both the old one and the new one, permitting us to
still boot older kernels but also the new ones we'll build/push soon
(built on the new build system), and that's what we used for that new
shim package.

That's where we'd like you (SecureBoot users) to give us feedback about
that new shim pkg. It was already validated on some hardware nodes,
passed some QA tests, but we'd prefer to have more feedback.

Worth noting that this rebuild also carries a patch that should fix an
issue we had with shim not allowing keys to be imported into MOK through
mokutil (see https://bugs.centos.org/view.php?id=14050).

How can you test?

If you're using UEFI with SecureBoot enabled, we have signed/pushed
those pkgs to the CR repository (see
https://wiki.centos.org/AdditionalResources/Repositories/CR).

That repo is disabled by default, but the following command will let
you update shim:

yum update shim --enablerepo=cr

Then reboot and it should work like before, thus validating the boot
chain (while still using grub2/kernel packages signed with the previous
key).

We'd appreciate feedback on this list, or in #centos-devel on irc.freenode.net.


I'd like to thank Patrick Uiterwijk and Peter Jones for their help with
the patch and validation for that shim.

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab

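As an added example (not part of Fabian's mail and not CentOS project code), the following POSIX shell script wraps the two things a Secure Boot user would check around this shim update: the certificate validity lookup done above with openssl, applied to a locally downloaded DER file with an exit code a script can act on, and a before/after snapshot of the boot chain (UEFI mode, Secure Boot state via mokutil, installed shim packages, running kernel) to compare once the machine comes back after `yum update shim --enablerepo=cr`. It assumes openssl, rpm and mokutil are on the host; the file name `centos.cer` in the usage comment is only the name used on the page.

```shell
#!/bin/sh
# Added example, not from the original mail or the CentOS project.
# Assumptions: openssl is in PATH (needed by cert_check); rpm and mokutil
# are present on the CentOS 7 host (used by sb_report, which degrades
# gracefully when they are missing).

# cert_check FILE [SECONDS]
# Prints the validity window of a DER-encoded certificate and returns:
#   0 if the certificate does not expire within SECONDS (default 0, i.e. now)
#   1 if it has already expired or will expire within SECONDS
#   2 if FILE is not a parseable DER certificate
cert_check() {
    cert="$1"
    window="${2:-0}"
    if ! openssl x509 -inform der -in "$cert" -noout -dates 2>/dev/null; then
        return 2
    fi
    # -checkend N exits non-zero when the cert expires within N seconds
    if openssl x509 -inform der -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# sb_report: print the boot-chain facts worth recording before the update
# so they can be compared after the reboot. Nothing here needs root.
sb_report() {
    if [ -d /sys/firmware/efi ]; then
        echo "firmware:   UEFI"
    else
        echo "firmware:   legacy BIOS (shim is not used on this host)"
    fi
    # mokutil ships with the shim tooling; it fails on non-UEFI hosts
    if command -v mokutil >/dev/null 2>&1; then
        echo "secureboot: $(mokutil --sb-state 2>/dev/null || echo unknown)"
    else
        echo "secureboot: mokutil not installed"
    fi
    echo "shim pkgs:  $(rpm -qa 'shim*' 2>/dev/null | tr '\n' ' ')"
    echo "kernel:     $(uname -r)"
}

# Usage: sh sb_check.sh /path/to/centos.cer
# Run once before the update and once after the reboot, then diff the output.
if [ "$#" -gt 0 ]; then
    sb_report
    echo "--- certificate $1 ---"
    cert_check "$1" 2592000   # flag a cert that expires within 30 days
    case $? in
        0) echo "cert OK" ;;
        1) echo "cert expired or expiring within 30 days" ;;
        *) echo "cert unreadable" ;;
    esac
fi
```

The 30-day window in the usage section is only a convenience for spotting the situation described in the mail (a signing cert that has quietly run out) ahead of time; an expired cert does not by itself stop the boot chain from validating, exactly as the mail notes.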