Source: grub2 Version: 2.02+dfsg1-16 Severity: serious Tags: security In discussion with upstream EFI and arm64 folks, it's become clear that in SB mode we should also be disabling the devicetree command in Secure Boot mode. I'm testing a patch right now, coming shortly.
-- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled