This is filed LP: #1986692
I'm signing an EFI application with snakeoil keys provided by the OVMF package and attempting to run that application in secureboot mode.
This works with files from focal (0~20191122.bd85bf54-2ubuntu3.3) but does not work with files from jammy (2022.02-3).
The OVMF UEFI environment refuses to boot the signed EFI, complaining:
Command Error Status: Access Denied
To demonstrate, the following tarballs were created with the 'collect-ovmf' script (use them as-is, run it yourself, or get the files yourself):
ovmf-focal.tar.gz
ovmf-jammy.tar.gz
The contents are files just copied from the packages, with some symlinks for ease/consistency of use.
The application I'm trying to sign is HelloWorld.efi provided by jammy's efitools package (version 1.9.2-1ubuntu3).
Extract the ovmf files that were created with collect-ovmf:
$ tar -xvf ovmf-focal.tar.gz
$ tar -xvf ovmf-jammy.tar.gz
Or if you want, run 'collect-ovmf' yourself on a focal and jammy system and then put the results here.
Sign the efi application using sbtools with the 'signing-nopassphrase.key' file. That file is just the PkKek-1-snakeoil.key file with the passphrase removed.
$ for rel in focal jammy; do
    d=esp-$rel
    mkdir -p $d &&
    sbsign --key=ovmf-$rel/signing-nopassphrase.key \
           --cert=ovmf-$rel/signing.pem \
           --output=$d/hello-signed.efi HelloWorld.efi &&
    sbverify --list $d/hello-signed.efi ||
    break; done
gen-esp is just a wrapper around the mtools command mcopy. I find mcopy and mtools terribly difficult to use.
$ for rel in focal jammy; do
    rm -f esp-$rel.img &&
    ./gen-esp create esp-$rel.img \
        esp-$rel/hello-signed.efi:hello-signed.efi || break; done
The 'boot-vm' script just does the following:
- copies the ovmf files to a temp dir
- invokes qemu with arguments to get a working secureboot uefi.
Boot with focal ovmf files using:
$ ./boot-vm ovmf-focal esp-focal.img
Boot with jammy ovmf files using:
$ ./boot-vm ovmf-jammy esp-jammy.img
You'll be presented with a UEFI shell; there, type:
fs0:
cd efi/boot
You can see that you're running SecureBoot by typing:
setvar SecureBoot
8BE4DF61-93CA-11D2-AA0D-00E098032B8C - SecureBoot - 0001 Bytes
Try to execute the hello-signed.efi application:
hello-signed.efi
With focal ovmf files you'll see a menu application. With jammy ovmf files, you'll see an error:
Command Error Status: Access Denied
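When the firmware rejects an image with Access Denied, the first thing to check is whether the certificate that signed the image is actually enrolled in the Secure Boot db of the OVMF_VARS image being booted (being in PK or KEK is not enough for image verification). The following is an added example, not part of this bug report, that parses the EFI_SIGNATURE_LIST format the db/dbx variables use (layout per the UEFI spec), lists what is enrolled, and answers whether a given DER certificate is present. Feed it a db dump, e.g. one produced with efitools' `efi-readvar -v db -o db.esl`, plus the DER form of signing.pem. The sample db, the owner GUID and the two "certificates" inside the block are constructed placeholders, not real certificates.

```python
"""Parse EFI_SIGNATURE_LIST blobs (Secure Boot db/dbx format) and check
whether a given DER certificate is enrolled.

Layout (UEFI spec):
  EFI_SIGNATURE_LIST:
    SignatureType        GUID   (16 bytes)
    SignatureListSize    UINT32 (whole list, header included)
    SignatureHeaderSize  UINT32
    SignatureSize        UINT32 (size of each EFI_SIGNATURE_DATA)
    SignatureHeader      [SignatureHeaderSize bytes]
    Signatures           [EFI_SIGNATURE_DATA ...]
  EFI_SIGNATURE_DATA:
    SignatureOwner       GUID   (16 bytes)
    SignatureData        [SignatureSize - 16 bytes]
"""
import hashlib
import struct
import sys
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # GUID + three UINT32


def parse_esl(blob: bytes):
    """Yield (sig_type, owner, data) for every entry in a concatenation of
    EFI_SIGNATURE_LISTs; raise ValueError on a malformed or truncated list."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body = blob[off + HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield sig_type, owner, body[i + 16:i + sig_size]
        off += list_size


def describe(blob: bytes):
    """One human-readable line per enrolled entry."""
    lines = []
    for sig_type, owner, data in parse_esl(blob):
        if sig_type == EFI_CERT_X509_GUID:
            fp = hashlib.sha256(data).hexdigest()
            lines.append("x509 %d bytes sha256=%s owner=%s" % (len(data), fp, owner))
        elif sig_type == EFI_CERT_SHA256_GUID:
            lines.append("sha256 %s owner=%s" % (data.hex(), owner))
        else:
            lines.append("other %s %d bytes owner=%s" % (sig_type, len(data), owner))
    return lines


def cert_enrolled(blob: bytes, cert_der: bytes) -> bool:
    """True if cert_der appears verbatim as an X.509 entry in the blob."""
    return any(t == EFI_CERT_X509_GUID and d == cert_der for t, _, d in parse_esl(blob))


def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, entries) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (used here only to build sample input)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("all entries of one list must have the same size")
    sig_size = 16 + sizes.pop()
    out = sig_type.bytes_le + struct.pack("<III", HEADER_LEN + sig_size * len(entries), 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


# Constructed sample data: these are NOT real certificates or real owner GUIDs.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
FAKE_CERT_A = b"CONSTRUCTED-DER-CERT-A" * 4
FAKE_CERT_B = b"CONSTRUCTED-DER-CERT-B" * 4
SAMPLE_DB = (
    build_esl(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_A])
    + build_esl(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(b"constructed image").digest()])
)

if __name__ == "__main__":
    # usage: esl_check.py db.esl signing.der   (falls back to the sample db)
    if len(sys.argv) == 3:
        db, cert = open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read()
    else:
        db, cert = SAMPLE_DB, FAKE_CERT_A
    print("\n".join(describe(db)))
    print("signing cert enrolled in db:", cert_enrolled(db, cert))
```

If the signing certificate is not listed, the Access Denied is expected regardless of how the image was signed; if it is listed, the next things to compare are the dbx contents and the exact certificate bytes embedded in the signed image (sbverify --list prints the signer), since a cert that differs by even one byte from the enrolled one will not match.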