rhshim introduced a MokListTrusted event, leading to failed parsing of the SecureBootState
malt3 opened this issue · 0 comments
malt3 commented
Change in redhat shim loader: rhboot/shim@4e51340
Example event log entry:
- EventNum: 25
PCRIndex: 7
EventType: EV_EFI_VARIABLE_AUTHORITY
DigestCount: 3
Digests:
- AlgorithmId: sha384
Digest: "841b29f5200c91e1a02e64a6636587bac5b85496a67e6d3c3cf52415a7ab726b4d2259134d84e9082191ac8ee15b7890"
- AlgorithmId: sha256
Digest: "5f62a2107fa11ce0485fd252d2e6c603cb8ed075861f9513bfed0a26bf6ed62b"
- AlgorithmId: sha1
Digest: "3efeb87af48ab5aee7fcbd3514bab719ed865c1c"
EventSize: 61
Event:
VariableName: 605dab50-e046-4300-abb6-3dd810dd8b23
UnicodeNameLength: 14
VariableDataLength: 1
UnicodeName: MokListTrusted
VariableData: "01"
- EventNum: 26
PCRIndex: 14
EventType: EV_IPL
DigestCount: 3
Digests:
- AlgorithmId: sha384
Digest: "8d2ce87d86f55fcfab770a047b090da23270fa206832dfea7e0c946fff451f819add242374be551b0d6318ed6c7d41d8"
- AlgorithmId: sha256
Digest: "4bf5122f344554c53bde2ebb8cd2b7e3d1600ad631c385a5d7cce23c7785459a"
- AlgorithmId: sha1
Digest: "bf8b4530d8d246dd74ac53a13471bba17941dff7"
EventSize: 15
Event:
String: |-
MokListTrustedMokListTrusted is measured using EV_EFI_VARIABLE_AUTHORITY: https://github.com/rhboot/shim/blob/4e513405b4f1641710115780d19dcec130c5208f/MokVars.txt#L81-L82 and https://github.com/rhboot/shim/blob/4e513405b4f1641710115780d19dcec130c5208f/mok.c#L169-L182
This causes an issue with ParseUEFIVariableAuthority, as it assumes that an event with type EV_EFI_VARIABLE_AUTHORITY can be parsed as EFI_SIGNATURE_DATA, per section 3.3.4.8 of the TCG PC Client Platform Firmware Profile Specification.
This issue is very similar to #222, where a workaround was implemented to ignore SbatLevel events.
Error returned by ParseSecurebootState:
failed parsing EFI variable authority at event 25: invalid signature: buffer smaller than header (1 < 16)"