shim-15 for CentOS 7.6.1810 - version 2 #45

Closed
arrfab opened this Issue Dec 7, 2018 · 15 comments

@arrfab

commented Dec 7, 2018

Make sure you have provided the following information:

  • link to your code branch cloned from rhboot/shim-review in the form user/repo@tag
  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate embedded in shim (the file passed to VENDOR_CERT_FILE)
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
What organization or people are asking to have this signed:

Red Hat, Inc.

What product or service is this for:

CentOS Linux 7.6.1810

What is the origin and full version number of your shim?

shim 15

What's the justification that this really does need to be signed for the whole world to be able to boot it:

CentOS Linux is deployed on a high number of nodes that already run it with SecureBoot mode enabled

How do you manage and protect the keys used in your SHIM?

Can't discuss this publicly, but hardware HSM is used

Do you use EV certificates as embedded certificates in the SHIM?

no

What is the origin and full version number of your bootloader (GRUB or other)?

grub2 rebuilt from upstream RHEL 7.6 tree, so https://git.centos.org/commit/rpms!grub2.git/28f7f8f0658e20412cba7a6af37539b1e1f567b2

If your SHIM launches any other components, please provide further details on what is launched

nothing other than grub2 and then the kernel

How do the launched components prevent execution of unauthenticated code?

Our CI test shows that trying to boot an unsigned kernel doesn't work, while a correctly pesigned one does

Does your SHIM load any loaders that support loading unsigned kernels (e.g. GRUB)?

NO

What kernel are you using? Which patches does it include to enforce Secure Boot?

official RHEL 7.6 rebuild kernel.src.rpm

What changes were made since your SHIM was last signed?

new release, so bumped from shim v12 to shim v15

@arrfab

Author

commented Dec 7, 2018

Link to git repo holding artifacts / build instructions : https://github.com/CentOS/shim-review/tree/7.6.1810-2

The reason we need another rebuild is that on UEFI (non-SecureBoot) machines there is a critical error preventing the nodes from booting.
See bug report https://bugs.centos.org/view.php?id=15522
This build embeds the patch from rhboot/shim#157

This build (as seen in the report above) was validated by multiple people, confirming that their nodes could then boot again (uefi, non secureboot).

An internal CI job tested it too: https://ci.centos.org/job/CentOS_7_SecureBoot_validation_SelfSigned/20/console

@arrfab

Author

commented Dec 16, 2018

@vathpela not willing to harass you, but any ETA on when this can be reviewed and submitted? More people are asking for that, either through the reported bug tracker or IRC.
Thanks :-)

@justinclift

commented Dec 20, 2018

@vathpela Ping. 😄

@arrfab

through the reported bug tracker or irc

Me too now. Picked up an x3650 M3 for doing dev/test work on locally, and it's affected by this. The manual workaround mentioned in the CentOS bug report does the job, but getting things "properly" fixed would be better.

I'm ok to test stuff if that's useful too. 😄

@cyphermox

Collaborator

commented Jan 10, 2019

Ok; reviewing this today. Sorry I couldn't get to it sooner.

@cyphermox cyphermox self-assigned this Jan 10, 2019

@cyphermox

Collaborator

commented Jan 11, 2019

I think your shim-review tree has some issues. It's missing the 0002-MokListRT-Fatal.patch; but is it possible the shimx64.efi file there is also not the right one? I can't successfully rebuild the binary and get a close enough result to approve for signing.

@cyphermox cyphermox added the question label Jan 11, 2019

@arrfab

Author

commented Jan 11, 2019

Ouch, sorry :-(
It was applied in our build system (as can also be seen in the root.log and build.log) and then copied into that git branch, but while I modified (and tested) that it worked, I forgot to "git add" the patch itself ... Now done. Sorry

@arrfab

Author

commented Jan 11, 2019

https://github.com/CentOS/shim-review/blob/7.6.1810-2/0002-MokListRT-Fatal.patch is now there.
I also confirm that the shimx64.efi (sha256sum 47391a4b25918b7f414420d8f651e302b287a96e0747019d76f705fbf361974e) is the correct one that was built with that patch, and also the one tested by other people (see the CentOS bug report)

@justinclift

commented Jan 11, 2019

@arrfab If there's an updated <whatever> that needs testing, let me know. 😄

@cyphermox

Collaborator

commented Jan 11, 2019

I tried rebuilds with a slightly modified version of the Dockerfile, so as to be able to directly compare the shimx64.efi binary you provide with the one that gets built:

FROM docker.io/centos@sha256:b67d21dfe609ddacf404589e04631d90a342921e81c40aeaf3391f6717fa5322
  
COPY shimx64.efi /
COPY centos-7.6.1810-shim-build-deps.repo /etc/yum.repos.d/
RUN yum update -y
RUN yum install -y gcc gnu-efi gnu-efi-devel make redhat-rpm-config-9.1.0-80.el7 rpm-build yum-utils wget
RUN mkdir -p /build/builddir/{SPECS,SOURCES}
COPY shim.spec /build/builddir/SPECS/
RUN yum-builddep -y /build/builddir/SPECS/shim.spec
COPY rpmmacros /root/.rpmmacros
COPY centos.esl /build/builddir/SOURCES/
COPY 0001-Add-vendor-esl.patch /build/builddir/SOURCES/
COPY 0002-MokListRT-Fatal.patch /build/builddir/SOURCES/
COPY shim-find-debuginfo.sh /build/builddir/SOURCES/shim-find-debuginfo.sh
WORKDIR /build
RUN wget https://github.com/rhboot/shim/releases/download/15/shim-15.tar.bz2 -O /build/builddir/SOURCES/shim-15.tar.bz2
RUN rpmbuild -ba --define 'dist .el7.centos' /build/builddir/SPECS/shim.spec --noclean
RUN sha256sum /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi
RUN hexdump -Cv /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi > /built.hex
RUN hexdump -Cv /shimx64.efi > /orig.hex
RUN diff -u /orig.hex /built.hex || true
RUN objdump -x /shimx64.efi | head -n 60
RUN objdump -x /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi | head -n 60

I can't get the binaries to match; there's a large number of changes possibly due to how the relocation table is being built, and some parts appear to be OpenSSL code. Do you get similar results when using the Dockerfile? https://paste.ubuntu.com/p/vmF7h8gxZ4/

@arrfab

Author

commented Jan 12, 2019

I first just rebuilt it with a modified Dockerfile, but without having updated the container (still on disk), so I haven't touched the intermediate layers:

Step 17/22 : COPY shimx64.efi /
---> 33ce8d65468d
Removing intermediate container cd1598f95770
Step 18/22 : RUN hexdump -Cv /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi > /built.hex
---> Running in 1a189bfa2d8a

---> 48518a879cdf
Removing intermediate container 1a189bfa2d8a
Step 19/22 : RUN hexdump -Cv /shimx64.efi > /orig.hex
---> Running in 05877d4c1b85

---> 1dca44e97354
Removing intermediate container 05877d4c1b85
Step 20/22 : RUN diff -u /orig.hex /built.hex || true
---> Running in 71735c8fbbf6

--- /orig.hex 2019-01-12 16:16:24.000000000 +0000
+++ /built.hex 2019-01-12 16:16:22.000000000 +0000
@@ -11,7 +11,7 @@
000000a0 00 d2 06 00 00 00 00 00 00 e0 01 00 00 e0 01 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-000000d0 00 f0 10 00 00 04 00 00 33 11 13 00 0a 00 00 00 |........3.......|
+000000d0 00 f0 10 00 00 04 00 00 36 8d 12 00 0a 00 00 00 |........6.......|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 |................|
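Review bot: the only bytes that change in this hunk are the four at offset 0xd8 (`33 11 13 00` vs `36 8d 12 00`), which is the CheckSum field of the PE optional header; read little-endian they are 0x00131133 and 0x00128d36, exactly the two CheckSum values the objdump outputs below report for /shimx64.efi and for the rebuilt binary. Since that field is a checksum over the whole image, it is a consequence of whatever else differs rather than an independent change, and it can be set aside once the remaining hunks are accounted for.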
@@ -45091,9 +45091,9 @@
000b0220 61 63 68 69 6e 65 3a 20 4c 69 6e 75 78 20 78 38 |achine: Linux x8|
000b0230 36 5f 36 34 20 78 38 36 5f 36 34 20 78 38 36 5f |6_64 x86_64 x86_|
000b0240 36 34 20 47 4e 55 2f 4c 69 6e 75 78 20 24 0a 24 |64 GNU/Linux $.$|
-000b0250 43 6f 6d 6d 69 74 3a 20 32 38 39 38 62 31 64 36 |Commit: 2898b1d6|
-000b0260 65 30 65 32 34 36 31 31 66 33 62 31 63 38 62 63 |e0e24611f3b1c8bc|
-000b0270 61 35 31 37 33 37 66 35 66 61 38 62 39 35 39 31 |a51737f5fa8b9591|
+000b0250 43 6f 6d 6d 69 74 3a 20 64 61 62 30 62 65 35 62 |Commit: dab0be5b|
+000b0260 37 61 38 66 62 34 34 66 31 63 39 31 62 30 61 33 |7a8fb44f1c91b0a3|
+000b0270 64 36 63 37 36 63 66 37 63 64 39 65 36 36 65 66 |d6c76cf7cd9e66ef|
000b0280 20 24 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 | $..............|
000b0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000b02a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
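Review bot: the three replaced lines at 0xb0250-0xb0270 are the 40-hex-digit hash inside shim's `$Commit: ... $` version string (`2898b1d6e0e24611f3b1c8bca51737f5fa8b9591` vs `dab0be5b7a8fb44f1c91b0a3d6c76cf7cd9e66ef`), a build-tree identifier rather than code, and this diff output contains no hunk other than this one and the CheckSum hunk above. Treating the commit string and the CheckSum as expected build-to-build noise leaves no unexplained bytes, so the remaining review step is to confirm that the sha256sum of the submitted file matches the one quoted earlier in the thread.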
---> 4229e39eefab
Removing intermediate container 71735c8fbbf6
Step 21/22 : RUN objdump -x /shimx64.efi | head -n 60
---> Running in 14f0ac0d79da

/shimx64.efi: file format pei-x86-64
/shimx64.efi
architecture: i386:x86-64, flags 0x00000133:
HAS_RELOC, EXEC_P, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x000000000001e000

Characteristics 0x206
executable
line numbers stripped
debugging information removed

Time/Date Sat Jan 10 21:01:04 1970
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 27
SizeOfCode 00096e00
SizeOfInitializedData 0006d200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000001e000
BaseOfCode 000000000001e000
ImageBase 0000000000000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0010f000
SizeOfHeaders 00000400
CheckSum 00131133
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 00000000000b5000 0000000a Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
---> 8314c5fe1b73
Removing intermediate container 14f0ac0d79da
Step 22/22 : RUN objdump -x /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi | head -n 60
---> Running in 3b2801a95032

/build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi: file format pei-x86-64
/build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi
architecture: i386:x86-64, flags 0x00000133:
HAS_RELOC, EXEC_P, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x000000000001e000

Characteristics 0x206
executable
line numbers stripped
debugging information removed

Time/Date Sat Jan 10 21:01:04 1970
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 27
SizeOfCode 00096e00
SizeOfInitializedData 0006d200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000001e000
BaseOfCode 000000000001e000
ImageBase 0000000000000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0010f000
SizeOfHeaders 00000400
CheckSum 00128d36
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 00000000000b5000 0000000a Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
---> 69a7433152ac
Removing intermediate container 3b2801a95032
Successfully built 69a7433152ac

@arrfab

Author

commented Jan 12, 2019

I then verified the openssl version used for our initial build: https://github.com/CentOS/shim-review/blob/7.6.1810-2/root.log#L656 and then compared with a new build with the modified Dockerfile (so touching the base container again, and then plenty of updates), but nothing changed, it seems:

--> 1:openssl-devel-1.0.2k-16.el7.x86_64
--> 1:openssl-1.0.2k-16.el7.x86_64

Wrote: /build/builddir/RPMS/noarch/shim-unsigned-ia32-debuginfo-15-2.el7.centos.noarch.rpm
---> cfdd955aa4bb
Removing intermediate container fba80721ba4e
Step 17/22 : RUN sha256sum /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/-15-2.el7.centos/shim.efi
---> Running in 7bcacd648e36

2e62b1582567c38bc53c075b3ecb547ecdf218b431db9e20efa551d00db7e2d7 /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/ia32-15-2.el7.centos/shimia32.efi
f81ef6ea5451424378e779b584dd24da4580f266b90f8f1744d24a917df849c4 /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi
---> 393e6da8b305
Removing intermediate container 7bcacd648e36
Step 18/22 : RUN hexdump -Cv /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi > /built.hex
---> Running in 08b8acc8f147

---> e65e83a7f6a5
Removing intermediate container 08b8acc8f147
Step 19/22 : RUN hexdump -Cv /shimx64.efi > /orig.hex
---> Running in ac4be747e66f

---> cb2f2b92a99d
Removing intermediate container ac4be747e66f
Step 20/22 : RUN diff -u /orig.hex /built.hex || true
---> Running in c7fae3866288

--- /orig.hex 2019-01-12 16:26:37.000000000 +0000
+++ /built.hex 2019-01-12 16:26:36.000000000 +0000
@@ -11,7 +11,7 @@
000000a0 00 d2 06 00 00 00 00 00 00 e0 01 00 00 e0 01 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-000000d0 00 f0 10 00 00 04 00 00 33 11 13 00 0a 00 00 00 |........3.......|
+000000d0 00 f0 10 00 00 04 00 00 a1 db 12 00 0a 00 00 00 |................|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 |................|
@@ -45091,9 +45091,9 @@
000b0220 61 63 68 69 6e 65 3a 20 4c 69 6e 75 78 20 78 38 |achine: Linux x8|
000b0230 36 5f 36 34 20 78 38 36 5f 36 34 20 78 38 36 5f |6_64 x86_64 x86_|
000b0240 36 34 20 47 4e 55 2f 4c 69 6e 75 78 20 24 0a 24 |64 GNU/Linux $.$|
-000b0250 43 6f 6d 6d 69 74 3a 20 32 38 39 38 62 31 64 36 |Commit: 2898b1d6|
-000b0260 65 30 65 32 34 36 31 31 66 33 62 31 63 38 62 63 |e0e24611f3b1c8bc|
-000b0270 61 35 31 37 33 37 66 35 66 61 38 62 39 35 39 31 |a51737f5fa8b9591|
+000b0250 43 6f 6d 6d 69 74 3a 20 65 38 66 35 61 65 37 33 |Commit: e8f5ae73|
+000b0260 62 61 31 66 37 31 64 66 37 36 66 63 31 37 62 33 |ba1f71df76fc17b3|
+000b0270 37 66 62 65 36 39 36 37 33 30 30 30 35 32 37 38 |7fbe696730005278|
000b0280 20 24 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 | $..............|
000b0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000b02a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
---> c90d3487d653
Removing intermediate container c7fae3866288
Step 21/22 : RUN objdump -x /shimx64.efi | head -n 60
---> Running in be2b2845d2b3

/shimx64.efi: file format pei-x86-64
/shimx64.efi
architecture: i386:x86-64, flags 0x00000133:
HAS_RELOC, EXEC_P, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x000000000001e000

Characteristics 0x206
executable
line numbers stripped
debugging information removed

Time/Date Sat Jan 10 21:01:04 1970
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 27
SizeOfCode 00096e00
SizeOfInitializedData 0006d200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000001e000
BaseOfCode 000000000001e000
ImageBase 0000000000000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0010f000
SizeOfHeaders 00000400
CheckSum 00131133
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 00000000000b5000 0000000a Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
---> 1af957f3f3f0
Removing intermediate container be2b2845d2b3
Step 22/22 : RUN objdump -x /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi | head -n 60
---> Running in d4091fc6fd36

/build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi: file format pei-x86-64
/build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi
architecture: i386:x86-64, flags 0x00000133:
HAS_RELOC, EXEC_P, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x000000000001e000

Characteristics 0x206
executable
line numbers stripped
debugging information removed

Time/Date Sat Jan 10 21:01:04 1970
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 27
SizeOfCode 00096e00
SizeOfInitializedData 0006d200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000001e000
BaseOfCode 000000000001e000
ImageBase 0000000000000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0010f000
SizeOfHeaders 00000400
CheckSum 0012dba1
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 00000000000b5000 0000000a Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
---> baaa8eba286b
Removing intermediate container d4091fc6fd36
Successfully built baaa8eba286b

real 7m33.259s

@gerdesas

commented Jan 14, 2019

In our QA channel it was suggested that we try the build process and post our results:

As per request, here is the output from step 17 through the end of the process.

Step 17/22 : COPY shimx64.efi /
---> 5db5c7c803a8
Removing intermediate container fae523a877fe
Step 18/22 : RUN hexdump -Cv /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi > /built.hex
---> Running in 868ea3efe463

---> 98be3e23a625
Removing intermediate container 868ea3efe463
Step 19/22 : RUN hexdump -Cv /shimx64.efi > /orig.hex
---> Running in ae26b2ce863a

---> 7a4f12f0b15a
Removing intermediate container ae26b2ce863a
Step 20/22 : RUN diff -u /orig.hex /built.hex || true
---> Running in 62ea22f9dea7

--- /orig.hex 2019-01-13 13:21:23.000000000 +0000
+++ /built.hex 2019-01-13 13:21:22.000000000 +0000
@@ -11,7 +11,7 @@
000000a0 00 d2 06 00 00 00 00 00 00 e0 01 00 00 e0 01 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-000000d0 00 f0 10 00 00 04 00 00 33 11 13 00 0a 00 00 00 |........3.......|
+000000d0 00 f0 10 00 00 04 00 00 0d 27 13 00 0a 00 00 00 |.........'......|
000000e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000100 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 |................|
@@ -45091,9 +45091,9 @@
000b0220 61 63 68 69 6e 65 3a 20 4c 69 6e 75 78 20 78 38 |achine: Linux x8|
000b0230 36 5f 36 34 20 78 38 36 5f 36 34 20 78 38 36 5f |6_64 x86_64 x86_|
000b0240 36 34 20 47 4e 55 2f 4c 69 6e 75 78 20 24 0a 24 |64 GNU/Linux $.$|
-000b0250 43 6f 6d 6d 69 74 3a 20 32 38 39 38 62 31 64 36 |Commit: 2898b1d6|
-000b0260 65 30 65 32 34 36 31 31 66 33 62 31 63 38 62 63 |e0e24611f3b1c8bc|
-000b0270 61 35 31 37 33 37 66 35 66 61 38 62 39 35 39 31 |a51737f5fa8b9591|
+000b0250 43 6f 6d 6d 69 74 3a 20 33 38 61 32 33 31 33 65 |Commit: 38a2313e|
+000b0260 31 64 33 31 34 65 61 63 37 31 33 31 39 62 38 33 |1d314eac71319b83|
+000b0270 38 38 66 62 39 64 31 36 62 33 33 66 31 34 65 62 |88fb9d16b33f14eb|
000b0280 20 24 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 | $..............|
000b0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000b02a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
---> 755cd309368c
Removing intermediate container 62ea22f9dea7
Step 21/22 : RUN objdump -x /shimx64.efi | head -n 60
---> Running in 23e768fe52d3

/shimx64.efi: file format pei-x86-64
/shimx64.efi
architecture: i386:x86-64, flags 0x00000133:
HAS_RELOC, EXEC_P, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x000000000001e000

Characteristics 0x206
executable
line numbers stripped
debugging information removed

Time/Date Sat Jan 10 21:01:04 1970
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 27
SizeOfCode 00096e00
SizeOfInitializedData 0006d200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000001e000
BaseOfCode 000000000001e000
ImageBase 0000000000000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0010f000
SizeOfHeaders 00000400
CheckSum 00131133
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 00000000000b5000 0000000a Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
---> af5859db0722
Removing intermediate container 23e768fe52d3
Step 22/22 : RUN objdump -x /build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi | head -n 60
---> Running in 77b26c024bce

/build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi: file format pei-x86-64
/build/builddir/BUILDROOT/shim-15-2.el7.centos.x86_64/usr/share/shim/x64-15-2.el7.centos/shimx64.efi
architecture: i386:x86-64, flags 0x00000133:
HAS_RELOC, EXEC_P, HAS_SYMS, HAS_LOCALS, D_PAGED
start address 0x000000000001e000

Characteristics 0x206
executable
line numbers stripped
debugging information removed

Time/Date Sat Jan 10 21:01:04 1970
Magic 020b (PE32+)
MajorLinkerVersion 2
MinorLinkerVersion 27
SizeOfCode 00096e00
SizeOfInitializedData 0006d200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000001e000
BaseOfCode 000000000001e000
ImageBase 0000000000000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 0
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 0
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 0010f000
SizeOfHeaders 00000400
CheckSum 0013270d
Subsystem 0000000a (EFI application)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000000000
SizeOfStackCommit 0000000000000000
SizeOfHeapReserve 0000000000000000
SizeOfHeapCommit 0000000000000000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 00000000000b5000 0000000a Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved
---> 3ba2ca418e60
Removing intermediate container 77b26c024bce
Successfully built 3ba2ca418e60

real 6m4.971s
user 0m0.173s
sys 0m0.136s

@cyphermox

Collaborator

commented Feb 6, 2019

Ok, after clearing all containers and images and pulling from the repo again, I finally got a binary that was good:

Step 21/23 : RUN diff -u /orig.hex /built.hex || true
 ---> Running in b11c529ff178
--- /orig.hex	2019-02-06 20:59:42.000000000 +0000
+++ /built.hex	2019-02-06 20:59:38.000000000 +0000
@@ -11,7 +11,7 @@
 000000a0  00 d2 06 00 00 00 00 00  00 e0 01 00 00 e0 01 00  |................|
 000000b0  00 00 00 00 00 00 00 00  00 10 00 00 00 02 00 00  |................|
 000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-000000d0  00 f0 10 00 00 04 00 00  33 11 13 00 0a 00 00 00  |........3.......|
+000000d0  00 f0 10 00 00 04 00 00  f9 14 13 00 0a 00 00 00  |................|
 000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000100  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -45091,9 +45091,9 @@
 000b0220  61 63 68 69 6e 65 3a 20  4c 69 6e 75 78 20 78 38  |achine: Linux x8|
 000b0230  36 5f 36 34 20 78 38 36  5f 36 34 20 78 38 36 5f  |6_64 x86_64 x86_|
 000b0240  36 34 20 47 4e 55 2f 4c  69 6e 75 78 20 24 0a 24  |64 GNU/Linux $.$|
-000b0250  43 6f 6d 6d 69 74 3a 20  32 38 39 38 62 31 64 36  |Commit: 2898b1d6|
-000b0260  65 30 65 32 34 36 31 31  66 33 62 31 63 38 62 63  |e0e24611f3b1c8bc|
-000b0270  61 35 31 37 33 37 66 35  66 61 38 62 39 35 39 31  |a51737f5fa8b9591|
+000b0250  43 6f 6d 6d 69 74 3a 20  66 66 34 63 62 38 39 37  |Commit: ff4cb897|
+000b0260  36 66 36 38 34 39 61 33  32 65 31 32 37 66 61 37  |6f6849a32e127fa7|
+000b0270  62 33 63 37 64 35 38 62  66 66 61 66 30 30 64 31  |b3c7d58bffaf00d1|
 000b0280  20 24 0a 00 00 00 00 00  00 00 00 00 00 00 00 00  | $..............|
 000b0290  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000b02a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
Removing intermediate container b11c529ff178

I find this shim acceptable for signing:

$ sha256sum shimx64.efi 
47391a4b25918b7f414420d8f651e302b287a96e0747019d76f705fbf361974e  shimx64.efi
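Every `diff -u` posted in this thread differs in the same two places: the four bytes at 0xd8, which the objdump outputs show to be the PE optional-header CheckSum, and the 40-hex-digit hash in shim's `$Commit: ... $` string. The following Python script, an added example rather than shim-review's own tooling, makes that reviewer's check explicit: it recomputes the PE CheckSum of each image, masks those two expected fields, and reports any residual byte differences. Its inputs are constructed PE32+ stubs laid out like shim (e_lfanew 0x80, CheckSum at 0xd8) carrying the two commit ids from the first diff, not the real shimx64.efi.

```python
"""Compare a submitted shim image with a rebuild.  Two otherwise identical
builds differ in the PE optional-header CheckSum and in shim's embedded
"$Commit: <sha1> $" string; every other byte is expected to match."""
import re
import struct

COMMIT_RE = re.compile(rb"\$Commit: ([0-9a-f]{40}) \$")  # shim's version string

def checksum_offset(data: bytes) -> int:
    """Offset of the optional-header CheckSum: e_lfanew + 4 (signature) + 20 (COFF) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    if struct.unpack_from("<H", data, pe + 24)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic")
    return pe + 24 + 64

def pe_checksum(data: bytes, off: int) -> int:
    """CheckSumMappedFile algorithm: sum the image as 32-bit words, skipping the
    CheckSum field itself, fold the carries down to 16 bits, add the length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i != off:
            total += struct.unpack_from("<I", padded, i)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def checksum_is_valid(data: bytes) -> bool:
    off = checksum_offset(data)
    return struct.unpack_from("<I", data, off)[0] == pe_checksum(data, off)

def embedded_commit(data: bytes):
    m = COMMIT_RE.search(data)
    return m.group(1).decode() if m else None

def normalize(data: bytes) -> bytes:
    """Zero the CheckSum and blank the commit id so only real changes remain."""
    off = checksum_offset(data)
    out = bytearray(data)
    out[off:off + 4] = b"\0\0\0\0"
    return COMMIT_RE.sub(b"$Commit: " + b"0" * 40 + b" $", bytes(out))

def diff_regions(a: bytes, b: bytes) -> list:
    """Runs of differing offsets as (start, end) pairs, end exclusive."""
    regions, start, n = [], None, max(len(a), len(b))
    for i in range(n):
        differs = i >= len(a) or i >= len(b) or a[i] != b[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, n))
    return regions

def compare_builds(orig: bytes, built: bytes) -> dict:
    """Raw differences, residual differences after normalisation, checksum sanity."""
    residual = diff_regions(normalize(orig), normalize(built))
    return {
        "orig_checksum_valid": checksum_is_valid(orig),
        "built_checksum_valid": checksum_is_valid(built),
        "orig_commit": embedded_commit(orig),
        "built_commit": embedded_commit(built),
        "raw_diff_regions": diff_regions(orig, built),
        "residual_diff_regions": residual,
        "equivalent": not residual,
    }

def make_image(commit: str, payload: bytes) -> bytes:
    """Constructed PE32+ stub laid out like shim (e_lfanew 0x80, so the CheckSum
    sits at 0xd8) with a correct CheckSum.  Not a bootable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)  # 128-byte DOS stub
    pe = bytearray(4 + 20 + 240)               # signature, COFF header, PE32+ optional header
    pe[:4] = b"PE\0\0"
    struct.pack_into("<HH", pe, 4, 0x8664, 1)  # Machine x86-64, one section
    struct.pack_into("<H", pe, 24, 0x20B)      # PE32+ magic
    struct.pack_into("<H", pe, 24 + 68, 0x0A)  # Subsystem: EFI application
    body = b"Machine: Linux x86_64 $\n$Commit: " + commit.encode() + b" $\n" + payload
    img = bytearray(dos + pe + body)
    img += b"\0" * (-len(img) % 0x200)         # pad to FileAlignment 0x200
    off = checksum_offset(bytes(img))
    struct.pack_into("<I", img, off, pe_checksum(bytes(img), off))
    return bytes(img)

# Constructed inputs; the commit ids are the two visible in the thread's first diff.
PAYLOAD = bytes(range(256)) * 2
ORIG = make_image("2898b1d6e0e24611f3b1c8bca51737f5fa8b9591", PAYLOAD)
BUILT = make_image("dab0be5b7a8fb44f1c91b0a3d6c76cf7cd9e66ef", PAYLOAD)
TAMPERED = make_image("dab0be5b7a8fb44f1c91b0a3d6c76cf7cd9e66ef", PAYLOAD[:100] + b"\xcc" + PAYLOAD[101:])

if __name__ == "__main__":
    for name, other in (("rebuild", BUILT), ("tampered", TAMPERED)):
        print(name, compare_builds(ORIG, other))
```

On a real pair of images the raw regions should come out as just the CheckSum field and the commit string, and `residual_diff_regions` should be empty; any residual region is a real code or data change that has to be explained before signing.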

@cyphermox cyphermox added accepted and removed question labels Feb 6, 2019

@arrfab

Author

commented Feb 12, 2019

Hi guys, can we get a status update on this one please? (As I see it was tagged as "accepted" 5 days ago.)
Thanks !

@arrfab

Author

commented Feb 26, 2019

Just to comment in this ticket (in case people were following here and not tracking our original bug, https://bugs.centos.org/view.php?id=15522) that the correct packages have now been built/signed/pushed to the updates repo:

  • mokutil.x86_64 15-2.el7.centos updates
  • shim-ia32.x86_64 15-2.el7.centos updates
  • shim-unsigned-ia32.x86_64 15-2.el7.centos updates
  • shim-unsigned-x64.x86_64 15-2.el7.centos updates
  • shim-x64.x86_64 15-2.el7.centos updates

Thanks

@arrfab arrfab closed this Feb 26, 2019
