Issue with overwriting .sig and resigning .efi

Question

Issue with overwriting .sig and resigning .efi

Closed this issue 4 years ago · 8 comments

StarryTony commented 4 years ago

Hi, thanks for your work. I am running Archlinux with UEFI secure mode. Currently I have two issues:

The script will generate *.sig files and try to overwrite them again for signing purpose. I have to answer yes for each overwriting individually otherwise it will create a new rename file for each *.sig.
As /boot/EFI/grub/*.efi has been signed for security boot mode, should the script exclude *.efi to avoid double signing?

Answer 1 · 2021-02-02T12:38:36.000Z

Hey,

Which script are you talking about?
I have barely experience in having EFI. If you say that this script should exclude them, we could do that.

Answer 2 · 2021-02-02T12:45:22.000Z

Hi, 1. It’s the grub-sign scripts which sign all files in esp. But it also signs *.sig generated by itself and leads overwriting. 2. As .EFI have signatures signed by Microsoft to enable secure boot, resign could make their signatures be invalid. Thank you. On 2 Feb 2021, at 12:38, Bandie <notifications@github.com> wrote: Hey, 1. Which script are you talking about? 2. I have barely experience in having EFI. If you say that this script should exclude them, we could do that. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#10 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACINJO27TPXELNVIB5J3BTTS47W5ZANCNFSM4W6O5U6A>.

Answer 3 · 2021-02-02T12:55:26.000Z

To 1.: This sounds like it couldn't delete the old signatures before creating the new ones.. Do you run it as root?
To 2.: I'll look into that then.

Answer 4 · 2021-02-02T13:01:56.000Z

To 1.: Sure, I run as root. It prompts me to overwrite each .sig file (Y/N). No existing .sig file before running the script. I can see all existing .sig files are generated by the script. So they are not old? Thank you. On 2 Feb 2021, at 12:55, Bandie <notifications@github.com> wrote: To 1.: This sounds like it couldn't delete the old signatures before creating the new ones.. Do you run it as root? To 2.: I'll look into that then. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#10 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACINJOYLA6HJO57AMEFB5N3S47Y45ANCNFSM4W6O5U6A>.

Answer 5 · 2021-02-02T13:09:47.000Z

hmh.. can you tell me which signature files exactly it tries to overwrite?

Answer 6 · 2021-02-02T13:20:24.000Z

Hi, the script generates signatures for all files in esp. Therefore, it overwrites all .sig. For example, it generates a vmlinuz-linux.sig for vmlinuz-linux and then overwrites itself. On 2 Feb 2021, at 13:10, Bandie <notifications@github.com> wrote: hmh.. can you tell me which signature files exactly it tries to overwrite? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#10 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACINJOZBZ2VHO34ZHFL57NDS472SZANCNFSM4W6O5U6A>.

Answer 7 · 2021-02-06T22:15:08.000Z

Right now grub-sign signs every file in /boot. This is a script you use only once per grub-install.
If you do kernel upgrades, one should run grub-update-kernel-signature as it removes /boot/*.sig and resigns it.

Answer 8 · 2021-02-06T23:54:17.000Z

Hi, Understand. But EFI are validated by shim as secure boot used. The validation chain looks like this: shim -> EFI -> Grub -> other grub files. I guess no need to re-sign EFI and Grub themselves. And most importantly, by removing an .efi file’s signature will prevent the computer boot from secure boot mode. Because EFI signatures have to be validated by UEFI boot loader. The issue is that grub-sign signs everything without excluding EFI. But it’s a must to keep EFI’s signatures to be validated by shim. On 6 Feb 2021, at 22:15, Bandie <notifications@github.com> wrote: Right now grub-sign signs every file in /boot. This is a script you use only once per grub-install. If you do kernel upgrades, one should run grub-update-kernel-signature as it removes /boot/*.sig and resigns it. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub<#10 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACINJO7UZNCKNNA7BQPFWR3S5W5PXANCNFSM4W6O5U6A>.