Issue

Description of problem: Booting BOOTX64.EFI fails after it prints "Verification failed: Security Policy Violation". Verbose mode shows this happens due to some "self signed certificate in certificate chain": -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- shim.c:866:load_image() attempting to load \EFI\BOOT\fbx64.efi^M shim.c:737:verify_buffer_sbat() sbat section base:0x7CCED418 size:0x200^M pe.c:868:verify_sbat_section() SBAT section data^M pe.c:876:verify_sbat_section() sbat, 1, SBAT Version, sbat, 1, https://github.com/rhboot/shim/blob/main/SBAT.md^M pe.c:876:verify_sbat_section() shim, 2, UEFI shim, shim, 1, https://github.com/rhboot/shim^M sbat.c:126:verify_single_entry() component sbat has a matching SBAT variable entry, verifying^M sbat.c:191:verify_sbat_helper() finished verifying SBAT data: Success^M pe.c:571:generate_hash() sha1 authenticode hash:^M pe.c:572:generate_hash() 00000000 XX XX XX XX XX XX XX XX XX XX XX XX 56 b0 81 0d XXXXXXXXXXXX|V...|^M pe.c:572:generate_hash() 00000004 3a 19 2f 84 29 f8 97 69 91 11 23 84 ed d6 8e a3 |:./.)..i..#.....|^M pe.c:573:generate_hash() sha256 authenticode hash:^M pe.c:574:generate_hash() 00000000 7a b6 3b 1a f6 ae a2 5c 99 6a 38 8e fa d8 aa fb |z.;....\.j8.....|^M pe.c:574:generate_hash() 00000010 3f 09 72 e8 90 17 97 7d 8e 72 7d 6b 94 ff 05 c6 |?.r....}.r}k....|^M shim.c:611:verify_buffer_authenticode() check_allowlist: Not Found^M shim.c:665:verify_buffer_authenticode() Attempting to verify signature 0:^M shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (db)^M shim.c:154:check_db_cert_in_ram() trying to verify cert 1 (db)^M shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (vendor_db)^M shim.c:154:check_db_cert_in_ram() trying to verify cert 0 (MokListRT)^M shim.c:687:verify_buffer_authenticode() Binary is not authorized^M shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND^M^M shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND^M^M shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND^M^M shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND^M^M shim.c:610 verify_buffer_authenticode() check_allowlist(): Not Found^M^M shim.c:354 check_allowlist() check_db_hash(db, sha256hash) != DATA_FOUND^M^M shim.c:362 check_allowlist() check_db_hash(db, sha1hash) != DATA_FOUND^M^M shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0^M^M shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0^M^M shim.c:370 check_allowlist() check_db_cert(db, sha256hash) != DATA_FOUND^M^M shim.c:385 check_allowlist() check_db_hash(vendor_db, sha256hash) != DATA_FOUND^M^M shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0^M^M shim.c:395 check_allowlist() check_db_cert(vendor_db, sha256hash) != DATA_FOUND^M^M shim.c:406 check_allowlist() check_db_hash(MokListRT, sha256hash) != DATA_FOUND^M^M shim.c:169 check_db_cert_in_ram() AuthenticodeVerify(): 0^M^M shim.c:414 check_allowlist() check_db_cert(MokListRT, sha256hash) != DATA_FOUND^M^M SSL Error: shim.c:691 verify_buffer_authenticode(): Security Policy Violation^M 2092850320:error:21075075:lib(33):func(117):reason(117):NA:0:Verify error:self signed certificate in certificate chain^M Verification failed: Security Policy Violation^M Failed to load image: Security Policy Violation^M shim.c:1169 start_image() Failed to load image: Security Policy Violation^M^M shim.c:866:load_image() attempting to load \EFI\BOOT\mmx64.efi^M Failed to open \EFI\BOOT\mmx64.efi - Not Found^M Failed to load image ??: Not Found^M shim.c:888 load_image() Failed to open \EFI\BOOT\mmx64.efi - Not Found^M^M shim.c:1116 read_image() Failed to load image ??: Not Found^M^M start_image() returned Not Found^M BdsDxe: No bootable option or device was found.^M BdsDxe: Press any key to enter the Boot Manager Menu.^M -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< -------- This prevents executing Recovery Code, causing system to be unbootable if firmware was cleared somehow (e.g. "efibootmgr -O" executed). Additionally this prevents some VMWare systems to boot without user interaction (need to "OK" multiple times until "Red Hat Enterprise Linux gets selected): issue still under investigation by VMWare, seems to affect "VMware ESXi, 7.0.3, 21313628". Version-Release number of selected component (if applicable): shim-x64-15.6-3.el7_9.x86_64 How reproducible: Always Steps to Reproduce: 1. Boot a UEFI RHEL7 system in Secure Boot 2. Clear the EFI entries efibootmgr -O 3. Reboot Actual results: Security Violation Expected results: No violation and "Red Hat Enterprise Linux" entry recreated

Release Notes

No. of Comments

Resolution

Done-Errata