- Bug
- Resolution: Done-Errata
- Critical
- rhel-7.9.z
- shim-15.8-1.el7
- rhel-sst-desktop-firmware-bootloaders
- x86_64
Description of problem:
Booting BOOTX64.EFI fails after it prints "Verification failed: Security Policy Violation".
Verbose mode shows this happens due to some "self signed certificate in certificate chain":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
shim.c:866:load_image() attempting to load \EFI\BOOT\fbx64.efi
shim.c:737:verify_buffer_sbat() sbat section base:0x7CCED418 size:0x200
pe.c:868:verify_sbat_section() SBAT section data
pe.c:876:verify_sbat_section() sbat, 1, SBAT Version, sbat, 1, https://github.com/rhboot/shim/blob/main/SBAT.md
pe.c:876:verify_sbat_section() shim, 2, UEFI shim, shim, 1, https://github.com/rhboot/shim
sbat.c:126:verify_single_entry() component sbat has a matching SBAT variable entry, verifying
sbat.c:191:verify_sbat_helper() finished verifying SBAT data: Success
pe.c:571:generate_hash() sha1 authenticode hash:
pe.c:572:generate_hash() 00000000 XX XX XX XX XX XX XX XX XX XX XX XX 56 b0 81 0d XXXXXXXXXXXX|V...|
pe.c:572:generate_hash() 00000004 3a 19 2f 84 29 f8 97 69 91 11 23 84 ed d6 8e a3 |:./.)..i..#.....|
pe.c:573:generate_hash() sha256 authenticode hash:
pe.c:574:generate_hash() 00000000 7a b6 3b 1a f6 ae a2 5c 99 6a 38 8e fa d8 aa fb |z.;....\.j8.....|
pe.c:574:generate_hash() 00000010 3f 09 72 e8 90 17 97 7d 8e 72 7d 6b 94 ff 05 c6 |?.r....}.r}k....|
shim.c:611:verify_buffer_authenticode() check_allowlist: Not Found
shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (vendor_db)
shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)
shim.c:687:verify_buffer_authenticode() Binary is not authorized
shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND
shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND
shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND
shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND
shim.c:610 verify_buffer_authenticode() check_allowlist(): Not Found
shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND
shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:370 check_allowlist() check_db_cert(db, sha256hash) != DATA_FOUND
shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:395 check_allowlist() check_db_cert(vendor_db, sha256hash) != DATA_FOUND
shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND
shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0
shim.c:414 check_allowlist() check_db_cert(MokListRT, sha256hash) != DATA_FOUND
SSL Error: shim.c:691 verify_buffer_authenticode(): Security Policy Violation
2092850320:error:21075075:lib(33):func(117):reason(117):NA:0:Verify error:self signed certificate in certificate chain
Verification failed: Security Policy Violation
Failed to load image: Security Policy Violation
shim.c:1169 start_image() Failed to load image: Security Policy Violation
shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi
Failed to open \EFI\BOOT\mmx64.efi - Not Found
Failed to load image ??: Not Found
shim.c:888 load_image() Failed to open \EFI\BOOT\mmx64.efi - Not Found
shim.c:1116 read_image() Failed to load image ??: Not Found
start_image() returned Not Found
BdsDxe: No bootable option or device was found.
BdsDxe: Press any key to enter the Boot Manager Menu.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
This prevents executing the recovery code, causing the system to be unbootable if the firmware was cleared somehow (e.g. "efibootmgr -O" executed).
Additionally, this prevents some VMware systems from booting without user interaction (one needs to press "OK" multiple times until "Red Hat Enterprise Linux" gets selected);
the issue is still under investigation by VMware and seems to affect "VMware ESXi, 7.0.3, 21313628".
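The verbose log above shows the decision shim makes before it gives up on fbx64.efi: pe.c:generate_hash() prints the sha1 and sha256 Authenticode hashes of the image, check_allowlist() looks those up in db, vendor_db and MokListRT, and only then does it fall back to verifying the embedded signature against the certificates in those databases. When triaging such a failure it is useful to be able to reproduce the printed sha256 value from the file on disk, and a plain sha256sum will never match it, because Authenticode hashes the PE image with the CheckSum field, the certificate-table directory entry and the certificate table itself left out. The following is an added example, not shim's own code: a small Authenticode hasher for PE32/PE32+ images, plus a constructed minimal PE32+ image used as sample input. It assumes the certificate table, when present, sits at the end of the file (the layout the usual signing tools produce) and refuses other layouts rather than silently producing a wrong digest.

```python
"""Authenticode digest of a PE image: the value shim logs as
"sha256 authenticode hash" before check_allowlist() looks it up.
Added example, not shim's code. Assumes the certificate table is last in the file."""
import hashlib
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def pe_layout(data: bytes) -> dict:
    """Find the header fields Authenticode hashing must skip or walk."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        dir_off = opt_off + 96          # data directories start here in PE32
    elif magic == PE32PLUS_MAGIC:
        dir_off = opt_off + 112         # and here in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]  # NumberOfRvaAndSizes
    cert_entry_off = cert_off = cert_size = None
    if num_dirs > CERT_TABLE_INDEX:
        cert_entry_off = dir_off + 8 * CERT_TABLE_INDEX
        cert_off, cert_size = struct.unpack_from("<II", data, cert_entry_off)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):  # SizeOfRawData and PointerToRawData of each section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum_off": opt_off + 64,
            "size_of_headers": struct.unpack_from("<I", data, opt_off + 60)[0],
            "cert_entry_off": cert_entry_off, "cert_off": cert_off or 0,
            "cert_size": cert_size or 0, "sections": sections}


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash headers minus CheckSum and the certificate directory entry, then the
    sections in file order, then trailing data, never the certificate table."""
    lay = pe_layout(data)
    if lay["cert_size"] and lay["cert_off"] + lay["cert_size"] != len(data):
        raise ValueError("certificate table is not at end of file; unsupported layout")
    h = hashlib.new(algo)
    h.update(data[:lay["checksum_off"]])
    pos = lay["checksum_off"] + 4
    if lay["cert_entry_off"] is not None:
        h.update(data[pos:lay["cert_entry_off"]])
        pos = lay["cert_entry_off"] + 8
    h.update(data[pos:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in sorted(lay["sections"]):
        if raw_size:
            h.update(data[raw_ptr:raw_ptr + raw_size])
            hashed += raw_size
    trailer_end = len(data) - lay["cert_size"]  # data after the last section, before the cert table
    if trailer_end > hashed:
        h.update(data[hashed:trailer_end])
    return h.hexdigest()


def whole_file_digest(data: bytes, algo: str = "sha256") -> str:
    """What sha256sum prints; differs from the Authenticode digest."""
    return hashlib.new(algo, data).hexdigest()


def build_sample_pe(cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image (one .text section) used as sample input.
    With cert_blob, a WIN_CERTIFICATE table is appended and the directory entry
    and CheckSum are filled in the way a signing tool would."""
    opt_size, size_of_headers, text_off, text_size = 240, 0x200, 0x200, 0x200
    img = bytearray(size_of_headers + text_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                     # e_lfanew
    pe_off = 0x80
    img[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x8664, 1, 0, 0, 0, opt_size, 0x22)
    opt = pe_off + 24
    struct.pack_into("<H", img, opt, PE32PLUS_MAGIC)
    struct.pack_into("<I", img, opt + 60, size_of_headers)
    struct.pack_into("<I", img, opt + 108, 16)                  # NumberOfRvaAndSizes
    sect = opt + opt_size
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, text_size, 0x1000, text_size, text_off)
    img[text_off:text_off + text_size] = (b"\xc3" * 16).ljust(text_size, b"\0")  # inert filler
    if cert_blob:
        table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        table = table.ljust((len(table) + 7) & ~7, b"\0")       # 8-byte aligned
        struct.pack_into("<II", img, opt + 144, len(img), len(table))
        struct.pack_into("<I", img, opt + 64, 0xDEADBEEF)        # CheckSum, excluded from digest
        img += table
    return bytes(img)


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(b"constructed placeholder, not a real PKCS#7 signature")
    for name, img in (("unsigned", unsigned), ("with cert table", signed)):
        print(name, "authenticode:", authenticode_digest(img), "sha256sum:", whole_file_digest(img))
```

Run against the real \EFI\BOOT\fbx64.efi, `authenticode_digest()` should reproduce the 32-byte value printed at pe.c:574 (7a b6 3b 1a ... 05 c6 above), which is also the form mokutil expects when a hash rather than a certificate is enrolled. The sample shows the defining property of the digest: appending a certificate table and filling in the CheckSum leaves it unchanged, while the whole-file sha256 changes.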
Version-Release number of selected component (if applicable):
shim-x64-15.6-3.el7_9.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Boot a UEFI RHEL7 system in Secure Boot
2. Clear the EFI entries: efibootmgr -O
3. Reboot
Actual results:
Security Violation
Expected results:
No violation and "Red Hat Enterprise Linux" entry recreated