RHEL / RHEL-4382

Executing BOOTX64.EFI fails after printing "Verification failed: Security Policy Violation"

    • shim-15.8-1.el7
    • Critical
    • sst_desktop_firmware_bootloaders
    • ssg_desktop

      Description of problem:

      Booting BOOTX64.EFI fails after it prints "Verification failed: Security Policy Violation".
      Verbose mode shows this happens due to some "self signed certificate in certificate chain":
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      shim.c:866:load_image() attempting to load \EFI\BOOT\fbx64.efi
      shim.c:737:verify_buffer_sbat() sbat section base:0x7CCED418 size:0x200
      pe.c:868:verify_sbat_section() SBAT section data
      pe.c:876:verify_sbat_section() sbat, 1, SBAT Version, sbat, 1, https://github.com/rhboot/shim/blob/main/SBAT.md
      pe.c:876:verify_sbat_section() shim, 2, UEFI shim, shim, 1, https://github.com/rhboot/shim
      sbat.c:126:verify_single_entry() component sbat has a matching SBAT variable entry, verifying
      sbat.c:191:verify_sbat_helper() finished verifying SBAT data: Success
      pe.c:571:generate_hash() sha1 authenticode hash:
      pe.c:572:generate_hash() 00000000 XX XX XX XX XX XX XX XX XX XX XX XX 56 b0 81 0d XXXXXXXXXXXX|V...|
      pe.c:572:generate_hash() 00000004 3a 19 2f 84 29 f8 97 69 91 11 23 84 ed d6 8e a3 |:./.)..i..#.....|
      pe.c:573:generate_hash() sha256 authenticode hash:
      pe.c:574:generate_hash() 00000000 7a b6 3b 1a f6 ae a2 5c 99 6a 38 8e fa d8 aa fb |z.;....\.j8.....|
      pe.c:574:generate_hash() 00000010 3f 09 72 e8 90 17 97 7d 8e 72 7d 6b 94 ff 05 c6 |?.r....}.r}k....|
      shim.c:611:verify_buffer_authenticode() check_allowlist: Not Found
      shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
      shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
      shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
      shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (vendor_db)
      shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
      shim.c:687:verify_buffer_authenticode() Binary is not authorized
      shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND
      shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND
      shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND
      shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND
      shim.c:610 verify_buffer_authenticode() check_allowlist(): Not Found
      shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND
      shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND
      shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
      shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
      shim.c:370 check_allowlist() check_db_cert(db, sha256hash) != DATA_FOUND
      shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND
      shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
      shim.c:395 check_allowlist() check_db_cert(vendor_db, sha256hash) != DATA_FOUND
      shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND
      shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
      shim.c:414 check_allowlist() check_db_cert(MokListRT, sha256hash) != DATA_FOUND
      SSL Error: shim.c:691 verify_buffer_authenticode(): Security Policy Violation
      2092850320:error:21075075:lib(33):func(117):reason(117):NA:0:Verify error:self signed certificate in certificate chain
      Verification failed: Security Policy Violation
      Failed to load image: Security Policy Violation
      shim.c:1169 start_image() Failed to load image: Security Policy Violation
      shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi
      Failed to open \EFI\BOOT\mmx64.efi - Not Found
      Failed to load image ??: Not Found
      shim.c:888 load_image() Failed to open \EFI\BOOT\mmx64.efi - Not Found
      shim.c:1116 read_image() Failed to load image ??: Not Found
      start_image() returned Not Found
      BdsDxe: No bootable option or device was found.
      BdsDxe: Press any key to enter the Boot Manager Menu.
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      This prevents executing the Recovery Code, causing the system to be unbootable if the firmware was cleared somehow (e.g. "efibootmgr -O" executed).

      Additionally, this prevents some VMware systems from booting without user interaction (one needs to "OK" multiple times until "Red Hat Enterprise Linux" gets selected);
      the issue is still under investigation by VMware and seems to affect "VMware ESXi, 7.0.3, 21313628".
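To triage a verbose shim log like the one quoted above, the following added Python script (written for this page; it is not part of the issue, of shim or of Red Hat's tooling) parses the log into one record per image shim tried to load: the image path, the Authenticode hashes shim computed, which allowlists (db, vendor_db, MokListRT) were consulted for hash and certificate matches, the OpenSSL verify error, and the final outcome. The embedded sample log is a constructed, trimmed excerpt of the one above; the line patterns are assumptions drawn from that excerpt and may need adjusting for other shim versions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed excerpt of the verbose shim log quoted in the issue.
SAMPLE_LOG = r"""shim.c:866:load_image() attempting to load \EFI\BOOT\fbx64.efi
sbat.c:191:verify_sbat_helper() finished verifying SBAT data: Success
pe.c:573:generate_hash() sha256 authenticode hash:
pe.c:574:generate_hash() 00000000 7a b6 3b 1a f6 ae a2 5c 99 6a 38 8e fa d8 aa fb |z.;....\.j8.....|
pe.c:574:generate_hash() 00000010 3f 09 72 e8 90 17 97 7d 8e 72 7d 6b 94 ff 05 c6 |?.r....}.r}k....|
shim.c:611:verify_buffer_authenticode() check_allowlist: Not Found
shim.c:687:verify_buffer_authenticode() Binary is not authorized
shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND
shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND
shim.c:370 check_allowlist() check_db_cert(db, sha256hash) != DATA_FOUND
shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND
shim.c:395 check_allowlist() check_db_cert(vendor_db, sha256hash) != DATA_FOUND
shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND
shim.c:414 check_allowlist() check_db_cert(MokListRT, sha256hash) != DATA_FOUND
2092850320:error:21075075:lib(33):func(117):reason(117):NA:0:Verify error:self signed certificate in certificate chain
Verification failed: Security Policy Violation
shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi
Failed to open \EFI\BOOT\mmx64.efi - Not Found
"""

# Line patterns (assumed from the excerpt above, not an official shim log format).
LOAD_RE = re.compile(r"load_image\(\) attempting to load (\S+)")
HASH_HDR_RE = re.compile(r"generate_hash\(\) (sha1|sha256) authenticode hash:")
HASH_ROW_RE = re.compile(r"generate_hash\(\) [0-9a-f]{8} ((?:[0-9a-fXx]{2} ?)+)\|")
CHECK_RE = re.compile(r"check_allowlist\(\) check_db_(hash|cert)\((\w+), (\w+)\) != DATA_FOUND")
OPENSSL_RE = re.compile(r"Verify error:(.+)$")

# The order in which shim's check_allowlist() consults its stores, as seen in the log.
STORE_ORDER = ("db", "vendor_db", "MokListRT")


@dataclass
class ImageAttempt:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)          # algo -> hex digest
    misses: List[Tuple[str, str, str]] = field(default_factory=list)  # (store, hash|cert, algo)
    openssl_error: Optional[str] = None
    outcome: Optional[str] = None                                 # None means the image loaded


def parse_shim_log(text: str) -> List[ImageAttempt]:
    """Split a verbose shim log into one ImageAttempt per load_image() call."""
    attempts: List[ImageAttempt] = []
    current: Optional[ImageAttempt] = None
    pending_algo: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")  # serial captures often carry a trailing CR (shown as ^M)
        m = LOAD_RE.search(line)
        if m:
            current = ImageAttempt(path=m.group(1))
            attempts.append(current)
            pending_algo = None
            continue
        if current is None:
            continue
        m = HASH_HDR_RE.search(line)
        if m:
            pending_algo = m.group(1)
            current.hashes.setdefault(pending_algo, "")
            continue
        m = HASH_ROW_RE.search(line)
        if m and pending_algo:
            current.hashes[pending_algo] += m.group(1).replace(" ", "")
            continue
        m = CHECK_RE.search(line)
        if m:
            kind, store, algo = m.groups()
            current.misses.append((store, kind, algo.replace("hash", "")))
            continue
        m = OPENSSL_RE.search(line)
        if m:
            current.openssl_error = m.group(1).strip()
            continue
        if line.startswith("Verification failed:"):
            current.outcome = line.split(":", 1)[1].strip()
        elif line.startswith("Failed to open ") and " - " in line:
            current.outcome = line.rsplit(" - ", 1)[1].strip()
    return attempts


def stores_consulted(attempt: ImageAttempt) -> List[str]:
    """Allowlist stores that reported a miss, in shim's lookup order."""
    seen = {store for store, _, _ in attempt.misses}
    return [s for s in STORE_ORDER if s in seen]


def summarize(attempts: List[ImageAttempt]) -> List[str]:
    """One human-readable triage line per image attempt."""
    out = []
    for a in attempts:
        if a.outcome is None:
            out.append(f"{a.path}: loaded")
            continue
        detail = f"{a.path}: {a.outcome}"
        if a.misses:
            detail += " (no hash or cert match in " + ", ".join(stores_consulted(a)) + ")"
        if a.openssl_error:
            detail += f"; OpenSSL: {a.openssl_error}"
        if "sha256" in a.hashes:
            detail += f"; sha256={a.hashes['sha256']}"
        out.append(detail)
    return out


if __name__ == "__main__":
    for line in summarize(parse_shim_log(SAMPLE_LOG)):
        print(line)
```

The summary line for fbx64.efi makes the failure mode explicit: every store (db, vendor_db, MokListRT) missed on both the hash and the certificate lookup, so the Security Policy Violation is shim's normal rejection of a binary it cannot chain to any trusted store, not a parsing or SBAT problem (SBAT verification succeeded earlier in the log). The reported sha256 Authenticode hash is the value to compare against the enrolled db and MokList contents on the affected system (for example with `mokutil --db` and `mokutil --list-enrolled`) when deciding whether the binary or the trust stores are at fault.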

      Version-Release number of selected component (if applicable):

      shim-x64-15.6-3.el7_9.x86_64

      How reproducible:

      Always

      Steps to Reproduce:
      1. Boot a UEFI RHEL7 system in Secure Boot
      2. Clear the EFI entries:
         efibootmgr -O
      3. Reboot

      Actual results:

      Security Violation

      Expected results:

      No violation and "Red Hat Enterprise Linux" entry recreated

            bootloader-eng-team
            rhn-support-rmetrich Renaud Métrich
            Release Test Team
