Bug 886199 - mokutil calculates incorrect signature size
Summary: mokutil calculates incorrect signature size
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: shim
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Matthew Garrett
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedNTH RejectedBlocker
Depends On:
Blocks: F18-accepted, F18FinalFreezeExcept 886212
Reported: 2012-12-11 18:48 UTC by Josh Boyer
Modified: 2012-12-20 13:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-20 12:40:33 UTC
Type: Bug
Embargoed:



Description Josh Boyer 2012-12-11 18:48:18 UTC
Description of problem:

When using mokutil to import a new certificate, it calculates the wrong size for the cert.  According to the UEFI spec, it should be:

"...16 (size of the SignatureOwner component) + the size of the certificate itself."

However, mokutil is calculating this as:

    CertList->SignatureSize = sizes[i] + sizeof(EFI_SIGNATURE_DATA) + 16;

The sizeof(EFI_SIGNATURE_DATA) there is not necessary.  This happens to throw the kernel into a fit and it fails to parse certs stored in MokListRT.

Version-Release number of selected component (if applicable):

shim-unsigned-0.2-2.fc18.1.x86_64

How reproducible:

Always

Steps to Reproduce:
1. import a cert with mokutil
2. reboot and do the MokManager thing
3. watch the kernel hate the result.
  
Actual results:

cert imported with wrong size in the efi_signature_list structure.

Expected results:

Things work.

Additional info:

I've sent a patch to Peter and Matthew, and a pull request upstream for mokutil to fix this.
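
Added example (not part of the original report, and not mokutil or kernel code): a small C program that builds a one-entry signature list and runs a size-consistency check over it, once with SignatureSize as the quoted UEFI text defines it and once as the quoted mokutil line computes it. Assumptions of this example: the struct layout and its sizeof, the zeroed placeholder GUIDs, the 100-byte stand-in certificate, a SignatureListSize that is itself correct, and the helper names; the check is a generic one derived from the list layout, not the kernel's parser.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_LEN 16u /* size of SignatureType and of SignatureOwner */
#define LIST_HDR 28u /* SignatureType plus the three UINT32 size fields */
/* Assumed layout for this example: owner GUID, then the signature data. */
struct sig_data { uint8_t owner[GUID_LEN]; uint8_t data[]; };

static void put32(uint8_t *p, uint32_t v) {      /* little-endian store */
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get32(const uint8_t *p) {        /* little-endian load */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* SignatureSize per the UEFI text quoted in the report. */
uint32_t sigsize_spec(uint32_t cert_len) { return GUID_LEN + cert_len; }
/* SignatureSize as computed by the line quoted in the report. */
uint32_t sigsize_reported(uint32_t cert_len) {
    return cert_len + (uint32_t)sizeof(struct sig_data) + 16;
}
/* Build a one-entry list; sig_size is written to SignatureSize unchanged. */
size_t build_list(uint8_t *buf, const uint8_t *cert, uint32_t cert_len, uint32_t sig_size) {
    memset(buf, 0, LIST_HDR + GUID_LEN);         /* placeholder type/owner GUIDs */
    put32(buf + 16, LIST_HDR + GUID_LEN + cert_len); /* SignatureListSize */
    put32(buf + 20, 0);                          /* SignatureHeaderSize */
    put32(buf + 24, sig_size);                   /* SignatureSize */
    memcpy(buf + LIST_HDR + GUID_LEN, cert, cert_len);
    return LIST_HDR + GUID_LEN + cert_len;
}
/* Count entries across all lists; -1 if any size field is inconsistent. */
int count_entries(const uint8_t *buf, size_t len) {
    int n = 0;
    while (len > 0) {
        if (len < LIST_HDR) return -1;
        uint32_t lsize = get32(buf + 16), hsize = get32(buf + 20), ssize = get32(buf + 24);
        if (lsize < LIST_HDR || lsize > len || hsize > lsize - LIST_HDR) return -1;
        uint32_t body = lsize - LIST_HDR - hsize; /* bytes holding the entries */
        if (ssize <= GUID_LEN || body == 0 || body % ssize != 0) return -1;
        n += (int)(body / ssize);
        buf += lsize; len -= lsize;
    }
    return n;
}
int main(void) {
    uint8_t cert[100] = {0}, buf[256];           /* constructed stand-in cert */
    size_t n = build_list(buf, cert, 100, sigsize_spec(100));
    printf("spec size:     %d\n", count_entries(buf, n));
    n = build_list(buf, cert, 100, sigsize_reported(100));
    printf("reported size: %d\n", count_entries(buf, n));
    return 0;
}
```
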

Comment 1 Josh Boyer 2012-12-11 18:50:01 UTC
Proposing as F18 Blocker.

Comment 2 Adam Williamson 2012-12-12 18:15:53 UTC
Discussed at 2012-12-12 blocker review meeting: http://meetbot.fedoraproject.org/fedora-bugzappers/2012-12-12/f18final-blocker-review-4.2012-12-12-17.01.log.txt .  Rejected as a blocker on the understanding this only affects generation/installation of personal signatures, not use of the MS key. Accepted as NTH - pjones thinks it could go in as 0-day but isn't 100% sure and thinks it's safer to take it now, and the fix is isolated and only affects SB stuff, can't break anything else.

Comment 3 Fedora Update System 2012-12-13 23:23:33 UTC
shim-0.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/shim-0.2-3.fc18

Comment 4 Fedora Update System 2012-12-14 06:45:26 UTC
Package shim-0.2-3.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shim-0.2-3.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20316/shim-0.2-3.fc18
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2012-12-20 05:27:13 UTC
shim-0.2-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Kamil Páral 2012-12-20 12:33:44 UTC
Josh, can you confirm the issue is fixed with the new build?

Comment 7 Josh Boyer 2012-12-20 12:40:33 UTC
(In reply to comment #6)
> Josh, can you confirm the issue is fixed with the new build?

You mean like the big long comment and +1 karma I left in the update that is linked to in comment #4?

Sure.  It fixes the issue.

Comment 8 Kamil Páral 2012-12-20 13:03:01 UTC
Sorry, I overlooked that. Thanks.

