[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Hi Steve, Can I confirm that the new grub2-signed (i.e. grub-efi-amd64-signed deb) is able to enforce Secure Boot signature verification? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Hi Steve and Mathieu, Can I confirm that the new grub2-signed (i.e. grub-efi-amd64-signed deb) is able to enforce Secure Boot signature verification? and does it mean the xenial kernel is signed now? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Released in grub2-signed (1.66.26). ** Changed in: grub2-signed (Ubuntu Xenial) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.26 --- grub2 (2.02~beta2-36ubuntu3.26) xenial; urgency=medium [ Chris Coulson ] * SECURITY UPDATE: Heap buffer overflow when encountering commands that cannot be tokenized to less than 8192 characters. - 0082-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch: Make fatal lexer errors actually be fatal - CVE-2020-10713 * SECURITY UPDATE: Multiple integer overflow bugs that could result in heap buffer allocations that were too small and subsequent heap buffer overflows when handling certain filesystems, font files or PNG images. - 0083-safemath-Add-some-arithmetic-primitives-that-check-f.patch: Add arithmetic primitives that allow for overflows to be detected - 0084-calloc-Make-sure-we-always-have-an-overflow-checking.patch: Make sure that there is always an overflow checking implementation of calloc() available - 0085-calloc-Use-calloc-at-most-places.patch: Use calloc where appropriate - 0086-malloc-Use-overflow-checking-primitives-where-we-do-.patch: Use overflow-safe arithmetic primitives when performing allocations based on the results of operations that might overflow - 0094-hfsplus-fix-two-more-overflows.patch: Fix integer overflows in hfsplus - 0095-lvm-fix-two-more-potential-data-dependent-alloc-over.patch: Fix more potential integer overflows in lvm - CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 * SECURITY UPDATE: Use-after-free when executing a command that causes a currently executing function to be redefined. - 0092-script-Remove-unused-fields-from-grub_script_functio.patch: Remove unused fields from grub_script_function - 0093-script-Avoid-a-use-after-free-when-redefining-a-func.patch: Avoid a use-after-free when redefining a function during execution - CVE-2020-15706 * SECURITY UPDATE: Integer overflows that could result in heap buffer allocations that were too small and subsequent heap buffer overflows during initrd loading. - 0105-linux-Fix-integer-overflows-in-initrd-size-handling.patch: Fix integer overflows in initrd size handling - 0106-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch: Fix integer overflows in linuxefi grub_cmd_initrd - CVE-2020-15707 * Various fixes as a result of code review and static analysis: - 0087-iso9660-Don-t-leak-memory-on-realloc-failures.patch: Fix a memory leak on realloc failures when processing symbolic links - 0088-font-Do-not-load-more-than-one-NAME-section.patch: Fix a memory leak when processing font files with more than one NAME section - 0089-gfxmenu-Fix-double-free-in-load_image.patch: Zero self->bitmap after it is freed in order to avoid a potential double free later on - 0090-lzma-Make-sure-we-don-t-dereference-past-array.patch: Fix an out-of-bounds read in LzmaEncode - 0091-tftp-Do-not-use-priority-queue.patch: Refactor tftp to not use priority queues and fix a double free - 0096-efi-fix-some-malformed-device-path-arithmetic-errors.patch: Fix various arithmetic errors with malformed device paths - 0098-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch: Fix a NULL deref in the chainloader command introduced by a previous patch - 0100-chainloader-Avoid-a-double-free-when-validation-fail.patch: Avoid a double free in the chainloader command when validation fails - 0101-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch: Protect grub_relocator_alloc_chunk_addr input arguments against integer overflow / underflow - 0102-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch: Protect grub_relocator_alloc_chunk_align max_addr argument against integer underflow - 0103-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch: Fix grub_relocator_alloc_chunk_align top memory allocation - 0104-linux-loader-avoid-overflow-on-initrd-size-calculati.patch: Avoid overflow on initrd size calculation * debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled and kernel signature verification fails, do not boot the kernel. Patch from Linn Crosetto. (LP: #1401532) * ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch: - Make the linux command in EFI grub always try EFI handover [ Dimitri John Ledkov ] * SECURITY UPDATE: Grub does not enforce kernel signature validation when the shim protocol isn't present. - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch: Fail kernel validation if the shim protocol isn't available - CVE-2020-15705 -- Chris Coulson Mon, 20 Jul 2020 21:28:33 +0100 ** Changed in: grub2 (Ubuntu Xenial) Status: In Progress => Fix Released ** CVE added: https:
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
The last comment from Mathieu is still the current status. We have not toggled signature enforcement for xenial yet because we have a Canonical-supported kernel, linux-fips, which is published for xenial and there is not yet a version of this kernel which is both FIPS- certified and EFI signed. The process of certifying a new kernel takes some time and depends on external entities. We are currently still in a holding pattern waiting for that external certification to be completed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
For Xenial we're currently blocked on some kernel work that needs to happen before we enable enforcement for that release in grub2. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2-signed - 1.34.20 --- grub2-signed (1.34.20) trusty; urgency=medium * Run grub-check-signatures before running grub-install, to block upgrade if no signed kernels are installed. (LP: #1789918) grub2-signed (1.34.19) trusty; urgency=medium * Rebuild against grub-efi-amd64 2.02~beta2-9ubuntu1.17 (LP: #1401532) (LP: #1789918) -- Mathieu Trudel-Lapierre Mon, 01 Apr 2019 12:03:07 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2 - 2.02~beta2-9ubuntu1.17 --- grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium * debian/grub-check-signatures: check kernel signatures against keys known in firmware, in case a kernel is signed but not using a key that will pass validation, such as when using kernels coming from a PPA. (LP: #1789918) * debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled and kernel signature verification fails, do not boot the kernel. Patch from Linn Crosetto. (LP: #1401532) -- Mathieu Trudel-Lapierre Fri, 22 Mar 2019 11:36:54 -0400 ** Changed in: grub2 (Ubuntu Trusty) Status: Fix Committed => Fix Released ** Changed in: grub2-signed (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Verification-done on trusty: ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64-signed grub-efi-amd64-signed: Installed: 1.34.20+2.02~beta2-9ubuntu1.17 Candidate: 1.34.20+2.02~beta2-9ubuntu1.17 Package pin: 1.34.20+2.02~beta2-9ubuntu1.17 Version table: *** 1.34.20+2.02~beta2-9ubuntu1.17 500 -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages 100 /var/lib/dpkg/status 1.34.18+2.02~beta2-9ubuntu1.16 500 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 1.34.7+2.02~beta2-9ubuntu1.6 500 500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages 1.34+2.02~beta2-9 500 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages ubuntu@dashing-moccasin:~$ apt-cache policy grub-efi-amd64 grub-efi-amd64: Installed: 2.02~beta2-9ubuntu1.17 Candidate: 2.02~beta2-9ubuntu1.17 Package pin: 2.02~beta2-9ubuntu1.17 Version table: *** 2.02~beta2-9ubuntu1.17 500 -1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages 100 /var/lib/dpkg/status 2.02~beta2-9ubuntu1.16 500 500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages 2.02~beta2-9ubuntu1.6 500 500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages 2.02~beta2-9 500 500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages Verified that now the kernel signature is correctly enforced by grub, and if no kernel is signed / signed by a trusted key, the upgrade will correctly be failed to avoid leaving the system unbootable. ** Tags removed: verification-needed verification-needed-trusty ** Tags added: verification-done-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Hello Wouter, or anyone else affected, Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.20 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Tags removed: verification-failed-trusty ** Tags added: verification-needed-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Verification-failed on trusty: ii grub-common 2.02~beta2-9ubuntu1.17 amd64GRand Unified Bootloader (common files) ii grub-efi-amd64 2.02~beta2-9ubuntu1.17 amd64GRand Unified Bootloader, version 2 (EFI-AMD64 version) ii grub-efi-amd64-bin 2.02~beta2-9ubuntu1.17 amd64GRand Unified Bootloader, version 2 (EFI-AMD64 binaries) ii grub-efi-amd64-signed 1.34.19+2.02~beta2-9ubuntu1.17 amd64GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed) ii grub-legacy-ec2 0.7.5-0ubuntu1.23 all Handles update-grub for ec2 instances ii grub-pc-bin 2.02~beta2-9ubuntu1.17 amd64GRand Unified Bootloader, version 2 (PC/BIOS binaries) ii grub2-common2.02~beta2-9ubuntu1.17 amd64GRand Unified Bootloader (common files for version 2) Kernel signatures are correctly enforced, but a postinst check is missing in grub2-signed to check signatures before applying the next update (missing in grub2-signed 1.34.19) ** Tags removed: verification-needed-trusty ** Tags added: verification-done-trusty ** Tags removed: verification-done-trusty ** Tags added: verification-failed-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Hello Wouter, or anyone else affected, Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.19 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: grub2-signed (Ubuntu Trusty) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Hello Wouter, or anyone else affected, Accepted grub2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.17 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: grub2 (Ubuntu Trusty) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
** Changed in: grub2 (Ubuntu Trusty) Status: Triaged => In Progress ** Changed in: grub2-signed (Ubuntu Trusty) Status: Triaged => In Progress ** Changed in: grub2 (Ubuntu Trusty) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Changed in: grub2-signed (Ubuntu Trusty) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Changed in: grub2-signed (Ubuntu Xenial) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Changed in: grub2 (Ubuntu Xenial) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Changed in: grub2 (Ubuntu Xenial) Status: Triaged => In Progress ** Changed in: grub2-signed (Ubuntu Xenial) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2 - 2.02-2ubuntu8.12 --- grub2 (2.02-2ubuntu8.12) bionic; urgency=medium * debian/grub-check-signatures: make sure grub-check-signatures conserves its execute bit. grub2 (2.02-2ubuntu8.11) bionic; urgency=medium [ Mathieu Trudel-Lapierre ] * debian/grub-check-signatures: properly account for DB showing as empty on some broken firmwares: Guard against mokutil --export --db failing, and do a better job at finding the DER certs for conversion to PEM format. (LP: #1814575) * debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled and kernel signature verification fails, do not boot the kernel. Patch from Linn Crosetto. (LP: #1401532) [ Steve Langasek ] * debian/patches/quick-boot-lvm.patch: checking the return value of 'lsefi' when the command doesn't exist does not do what's expected, so instead check the value of $grub_platform which is simpler anyway. LP: #1814403. -- Mathieu Trudel-Lapierre Thu, 07 Feb 2019 18:20:04 -0500 ** Changed in: grub2 (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2-signed - 1.93.13 --- grub2-signed (1.93.13) bionic; urgency=medium * Rebuild against grub2 2.02-2ubuntu8.12. grub2-signed (1.93.12) bionic; urgency=medium * Rebuild against grub2 2.02-2ubuntu8.11. (LP: #1401532) (LP: #1814403) (LP: #1814575) -- Mathieu Trudel-Lapierre Thu, 07 Feb 2019 19:28:09 -0500 ** Changed in: grub2-signed (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Verification-done for bionic using grub2/2.02-2ubuntu8.12, grub2-signed/1.93.13: I have checked loading both signed and unsigned kernels. As expected, an official, correctly signed kernel from the bionic archive is loaded correctly, and a copy of the same kernel with the key removed ('sbattach --remove ') fails to load with "invalid signature" message. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic ** Tags removed: verification-needed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Hello Wouter, or anyone else affected, Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.93.12 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: grub2-signed (Ubuntu Bionic) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Hello Wouter, or anyone else affected, Accepted grub2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.11 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: grub2 (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
I believe that bug #1565950 is related (but not a duplicate). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This probably should not have been closed as Fix Released quite yet. A gsbx64.efi binary was being built, which allowed enforcement. Now, the proper fix to never allow unsigned / invalidly signed kernels has landed in Cosmic; so proceeding with the SRUs. ** No longer affects: grub2 (Ubuntu Zesty) ** No longer affects: grub2 (Ubuntu Yakkety) ** No longer affects: grub2-signed (Ubuntu Yakkety) ** No longer affects: grub2-signed (Ubuntu Zesty) ** Also affects: grub2 (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: grub2-signed (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: grub2 (Ubuntu Bionic) Status: New => In Progress ** Changed in: grub2-signed (Ubuntu Bionic) Status: New => In Progress ** Changed in: grub2-signed (Ubuntu Bionic) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Changed in: grub2 (Ubuntu Bionic) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Changed in: grub2 (Ubuntu Xenial) Status: Confirmed => Triaged ** Changed in: grub2 (Ubuntu Trusty) Status: Confirmed => Triaged ** Changed in: grub2-signed (Ubuntu Trusty) Status: Confirmed => Triaged ** Changed in: grub2-signed (Ubuntu) Status: Triaged => Fix Released ** Changed in: grub2-signed (Ubuntu Xenial) Status: Confirmed => Triaged ** Changed in: grub2-signed (Ubuntu Bionic) Importance: Undecided => High ** Changed in: grub2-signed (Ubuntu Xenial) Importance: Undecided => High ** Changed in: grub2-signed (Ubuntu Trusty) Importance: Undecided => High ** Changed in: grub2 (Ubuntu Bionic) Importance: Undecided => High ** Changed in: grub2 (Ubuntu Xenial) Importance: Undecided => High ** Changed in: grub2 (Ubuntu Trusty) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
HI, Is this issue fixed? Which ubuntu version includes this package? Currently I am using ubuntu 18 but still I am facing the same issue. It loads unisgned kernel. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2 - 2.02-2ubuntu1 --- grub2 (2.02-2ubuntu1) bionic; urgency=medium * Merge with Debian; remaining changes: - debian/patches/support_initrd-less_boot.patch: Added knobs to allow non-initrd boot config. (LP: #1640878) - Disable os-prober for ppc64el on the PowerNV platform, to reduce the number of entries/clutter from other OSes in Petitboot (LP: #1447500) - debian/build-efi-images: provide a new grub EFI image which enforces that loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is the same as grub$arch.efi minus the 'linux' module. Without fallback to 'linux' for unsigned loading, this makes it effectively enforce having a signed kernel. (LP: #1401532) - debian/patches/install_signed.patch, grub-install-extra-removable.patch: - Make sure if we install shim; it should also be exported as the default bootloader to install later to a removable path, if we do. - Rework grub-install-extra-removable.patch to reverse its logic: in the default case, install the bootloader to /EFI/BOOT, unless we're trying to install on a removable device, or explicitly telling grub *not* to do it. - Move installing fb$arch.efi to --no-extra-removable; as we don't want fallback to be installed unless we're also installing to /EFI/BOOT. (LP: #1684341) - Make sure postinst and templates know about the replacement of --force-extra-removable with --no-extra-removable. * Sync Secure Boot support patches with the upstream patch set from rhboot/grub2:master-sb. Renamed some patches and updated descriptions for the whole thing to make more sense, too: - dropped debian/patches/linuxefi_require_shim.patch - renamed: debian/patches/no_insmod_on_sb.patch -> debian/patches/linuxefi_no_insmod_on_sb.patch - debian/patches/linuxefi.patch - debian/patches/linuxefi_debug.patch - debian/patches/linuxefi_non_sb_fallback.patch - debian/patches/linuxefi_add_sb_to_efi_chainload.patch - debian/patches/linuxefi_cleanup_errors_in_loader.patch - debian/patches/linuxefi_fix_efi_validation_race.patch - debian/patches/linuxefi_handle_multiarch_boot.patch - debian/patches/linuxefi_honor_sb_mode.patch - debian/patches/linuxefi_move_fdt_helper.patch - debian/patches/linuxefi_load_arm_with_sb.patch - debian/patches/linuxefi_minor_cleanups.patch - debian/patches/linuxefi_re-enable_linux_cmd.patch - debian/patches/linuxefi_rework_linux16_cmd.patch - debian/patches/linuxefi_rework_linux_cmd.patch - debian/patches/linuxefi_rework_non-sb_efi_chainload.patch - debian/patches/linuxefi_rework_pe_loading.patch - debian/patches/linuxefi_use_dev_chainloader_target.patch * debian/patches/dont-fail-efi-warnings.patch: handle linuxefi patches and the casting they do on some architectures: we don't want to fail build because of some of the warnings that can show up since we otherwise build with -Werror. grub2 (2.02-3) UNRELEASED; urgency=medium * Use current location for upstream signing key (debian/upstream/signing-key.asc). * Update upstream signing key to a non-expired version. [ Debconf translations ] * [sq] Albanian (Silva Arapi; closes: #874497). grub2 (2.02-2) unstable; urgency=medium * Comment out debian/watch lines for betas and pre-releases for now. * Cherry-pick upstream patch to allow mounting ext2/3/4 file systems that have the 'encrypt' feature enabled (closes: #840204). grub2 (2.02-1) unstable; urgency=medium * New upstream release. - xen: Fix wrong register in relocator (closes: #799480). * Resolve symlinks for supported init paths as well as for /sbin/init (thanks, Felipe Sateler; closes: #842315). [ Debconf translations ] * [sr] Serbian (Karolina Kalic; closes: #691288). * [sr@latin] Serbian Latin (Karolina Kalic; closes: #691289). * [pt] Portuguese (Rui Branco - DebianPT; closes: #864171). grub2 (2.02~beta3-5) unstable; urgency=medium [ Steve McIntyre ] * Make grub-install check for errors from efibootmgr (closes: #853234). There are probably still underlying issues in other similar reported bugs, but they're more effectively tracked elsewhere (e.g. efibootmgr) at this point (closes: #756253, #852513). [ Debconf translations ] * [ug] Uyghur (Abduqadir Abliz). * [es] Spanish (Manuel "Venturi" Porras Peralta; closes: #852977). -- Mathieu Trudel-Lapierre Mon, 06 Nov 2017 15:37:12 -0500 ** Changed in: grub2 (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2 (Ubuntu Yakkety) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2-signed (Ubuntu Yakkety) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2-signed (Ubuntu Xenial) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2 (Ubuntu Trusty) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2-signed (Ubuntu Trusty) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: grub2 (Ubuntu Xenial) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
It's not shipped in any package right now, that wasn't the point for the time being (and this is why I'm setting things back to Triaged). The gsbx64.efi.signed file here: http://archive.ubuntu.com/ubuntu/dists/zesty/main/uefi/grub2-amd64/current/ ... is the file you want; but for now there is no process that consumes that file to install it, even if it was provided in grub2-signed. This is *not* a final product and *does* need additional changes to be used as such: any grub configuration will need to replace any 'linux' and 'initrd' calls with 'linuxefi' and 'initrdefi'. This is just a temporary workaround to provide a way to enforce Secure Boot in the cases where this is needed. ** Changed in: grub2 (Ubuntu Zesty) Status: Fix Released => Triaged ** Changed in: grub2-signed (Ubuntu Zesty) Status: Fix Released => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
I'm not seeing gsbx64.efi in grub2-signed. Should I? If not, in what package is it distributed? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2 - 2.02~beta3-4ubuntu2 --- grub2 (2.02~beta3-4ubuntu2) zesty; urgency=medium * debian/build-efi-images: provide a new grub EFI image which enforces that loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is the same as grub$arch.efi minus the 'linux' module. Without fallback to 'linux' for unsigned loading, this makes it effectively enforce having a signed kernel. (LP: #1401532) -- Mathieu Trudel-Lapierre Thu, 30 Mar 2017 17:45:23 -0400 ** Changed in: grub2 (Ubuntu Zesty) Status: Triaged => Fix Released ** Changed in: grub2-signed (Ubuntu Zesty) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
This bug was fixed in the package grub2-signed - 1.80 --- grub2-signed (1.80) zesty; urgency=medium * Rebuild against grub2 2.02~beta3-4ubuntu2. (LP: #1401532) -- Mathieu Trudel-Lapierre Tue, 04 Apr 2017 10:28:34 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
I'm updating the description for this bug and opening a grub2-signed task (and the relevant release tasks). We're at the point where the grub2 fallback code needs to be addressed. ** Description changed: + [Rationale] + GRUB should help us enforce that in UEFI mode, only signed kernels are loaded. It should not silently fall back to loading unsigned kernels. + + [Impact] + All our users booting in UEFI; on all supported releases. + + [Test cases] + + = grub2 = + + Booting unsigned kernels: + 1) Try to boot a custom kernel + 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) + + Booting signed kernels: + 1) Try to boot an official signed kernel (from -release or -updates) + 2) Verify that the system boots normally and no warnings are shown about signature. + + + [Regression Potential] + Any failure to boot presenting as a failure to load the kernel from within grub, with an "invalid signature" type error message or not, should be investigated as a potential regression of this stable update. + + --- + Me and some other students have conducted some various experiments on Secure Boot enabled machines. The main focus of the tests was to circumvent Secure Boot and load unsigned kernels or kernels that have been signed with other keys. On your SecureBoot (https://wiki.ubuntu.com/SecurityTeam/SecureBoot) it is outlined that GRUB will boot unsigned kernels when the kernel is unsigned. During one of our experiments it seemed that this statement was true and that GRUB loads unsigned kernels as described on your page. We understand that for various reasons GRUB should still support the use-case when an unsigned kernel must be loaded, but with the current approach the user isn't aware if there is a whole chain of trust. For example, it could still be possible to load some malware before it boots the Operating System itself (bootkits). One of the many reasons that Secure Boot has been developed is to protect the user from these kind of attacks. With the current approach the purpose of Secure Boot is somewhat defeated, and the user doesn't know if the whole chain has been verified or not. It could easily be the case that an unsigned kernel has been loaded by Ubuntu without the user noticing. From our point of view, a better approach would be to inform the user that an unsigned kernel will be loaded and that the user can make a choice if he/she wants to proceed. The default action could be to accept the option, remember the user's option and sometimes remind the user of the fact that it is loading an unsigned kernel. This problem is of course related to GRUB itself and not to Ubuntu itself. The reason for filing this bug and informing the SecurityTeam of Ubuntu is to ask for their opinions and what your point of view is on the current approach and to see if other users classify this as a "bug". GRUB2 versions: grub-2.02~beta2, 1.34.1+2.02~beta2-9ubuntu1 Ubuntu version: Trusty (will also affect newer and older versions, GRUB specific problem) ** Also affects: grub2-signed (Ubuntu) Importance: Undecided Status: New ** Changed in: grub2-signed (Ubuntu) Status: New => Triaged ** Changed in: grub2-signed (Ubuntu) Importance: Undecided => High ** Changed in: grub2-signed (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Also affects: grub2 (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: grub2-signed (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: grub2 (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: grub2-signed (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: grub2 (Ubuntu Zesty) Importance: High Assignee: Mathieu Trudel-Lapierre (cyphermox) Status: Triaged ** Also affects: grub2-signed (Ubuntu Zesty) Importance: High Assignee: Mathieu Trudel-Lapierre (cyphermox) Status: Triaged ** Also affects: grub2 (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: grub2-signed (Ubuntu Yakkety) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
@Thorsten, Secure Boot enforcement being disabled is indeed one. Being in Setup Mode is another. Updates may have been missing on the system too (since things only happen provided that you have installed the relevant update that ships the change). Also, as per this bug, one could also be explicitly asking grub to load via linuxefi an unsigned kernel binary. The point is that until you are sure what this particular issue is, it is better to open a new bug. This is done to avoid muddying the waters with unrelated issues, and help us avoid "forgetting" to fix something because it was one slightly different issue on an unrelated bug. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
> there can be various reasons for unsigned binaries to be loaded > despite Secure Boot being marked as enabled in the firmware. @cyphermox: I'd be curious to know what these "various reasons" are. Obviously one is: Secure Boot enforcement was disabled via MokManager in Shim. But what other reasons are there? If you have a minute could you please mentione them? tia! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
QkiZ, this is not the bug for that. Please file your own bug, and include the details as to how you did the installation, and including what /proc/sys/kernel/secure_boot and /proc/sys/kernel/moksbstate_disabled report. There can be various reasons for unsigned binaries to be loaded despite Secure Boot being marked as enabled in the firmware. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
After reboot and load signed kernel I can load unsigned modules. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Ubuntu 16.10. Secure boot is working but I'm able to load unsigned kernel. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Resetting to Triaged; we're fixing this, but I can't realistically say that I'm actively working on it at the moment. It involves moving to a new signing key before we can stop grub from falling back to 'linux' when 'linuxefi' validation fails. This has nothing to do with nvidia-prime or loading whatever drivers -- drivers still load normally, this changes nothing at all but the fact that on a failure to validate the kernel image, grub will still load the badly-signed kernel rather than reporting an error and kicking the user back to the GRUB menu. ** Changed in: grub2 (Ubuntu) Status: In Progress => Triaged ** Changed in: grub2 (Ubuntu) Importance: Wishlist => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
** Tags added: xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Same problem. Nvidia-prime doesn't works -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Will you manage to fix it before xenial release? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
** Description changed: Me and some other students have conducted some various experiments on Secure Boot enabled machines. The main focus of the tests was to circumvent Secure Boot and load unsigned kernels or kernels that have been signed with other keys. On your SecureBoot (https://wiki.ubuntu.com/SecurityTeam/SecureBoot) it is outlined that GRUB will boot unsigned kernels when the kernel is unsigned. During one of our experiments it seemed that this statement was true and that GRUB loads unsigned kernels as described on your page. We understand that for various reasons GRUB should still support the use-case when an unsigned kernel must be loaded, but with the current approach the user isn't aware if there is a whole chain of trust. For example, it could still be possible to load some malware before it boots the Operating System itself (bootkits). One of the many reasons that Secure Boot has been developed is to protect the user from these kind of attacks. With the current approach the purpose of Secure Boot is somewhat defeated, and the user doesn't know if the whole chain has been verified or not. It could easily be the case that an unsigned kernel has been loaded by Ubuntu without the user noticing. From our point of view, a better approach would be to inform the user that an unsigned kernel will be loaded and that the user can make a choice if he/she wants to proceed. The default action could be to accept the option, remember the - user's option and sometimes remember the user of the fact that it is + user's option and sometimes remind the user of the fact that it is loading an unsigned kernel. This problem is of course related to GRUB itself and not to Ubuntu itself. The reason for filing this bug and informing the SecurityTeam of Ubuntu is to ask for their opinions and what your point of view is on the current approach and to see if other users classify this as a "bug". GRUB2 versions: grub-2.02~beta2, 1.34.1+2.02~beta2-9ubuntu1 Ubuntu version: Trusty (will also affect newer and older versions, GRUB specific problem) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Indeed, at this moment GRUB is explicitly trying to verify kernels, but will also silently fallback to ignoring failed verification so that users can still boot their systems. Note that this is the case for a few reasons, among which that ensuring a full trust chain is hard when one also has to load modules that are locally built (we can't ship our signing key on all systems, it would defeat the purpose). Fixing this is the target of spec foundations-x-installing-unsigned- secureboot. Some basic considerations: - fixing grub to not silently ignore validation results - provide some way for users to disable validation in shim (MokSB) when they need to use custom drivers or kernels - ship mokutil by default so a tool is there to toggle validation And as later steps: - replace disabling validation (MokSB) with allowing users to enroll their own keys from the installer, where we can helpfully walk them through the key generation and enrollment. We're probably only looking at toggling validation for 16.04. The net effect of properly relying on shim's validation of the signatures from grub will be to automatically show a "Booting in insecure mode" message when validation is disabled, but SecureBoot is enabled. If SecureBoot is disabled, validation would succeed anyway in both the signed kernels and unsigned kernels. For more information, I'd refer you to the blueprint or to the source code for shim (https://github.com/rhinstaller/shim), or contact me (cyphermox) on IRC in #ubuntu-installer. ** Changed in: grub2-signed (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Re-assigning to grub; this "simply" needs modifying one of the linuxefi patches to not fallback to linux when linuxefi fails; but depends on having the installer, mokutil and some minimal infrastructure (new shim keys) in place to handle making this easy for users to "disable" first if they use DKMS modules. ** Package changed: grub2-signed (Ubuntu) => grub2 (Ubuntu) ** Changed in: grub2 (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (mathieu-tl) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
The presentation is about a bug in the UEFI implementation itself, which is not related to Secure Boot directly. It can affect Secure Boot and maybe turn it off, but that is not the direction I was looking for in this "bug" report. Of course, we are looking into several other aspects to circumvent Secure Boot, and this presentation is indeed relevant. However, GRUB not verifying the kernel is something what should be done later on or display the user with a warning (as discussed previously). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
The purpose of SecureBoot is to prevent untrusted modification of firmware, thus as per SecureBoot specs no unsigned code should be called before ExitBootServices() has been called. Thus one should be targetting as to how to bypass that when booted in secure boot mode. For example the King's & Queen's Gambits vulnerabilities as presented in http://www.mitre.org/sites/default/files/publications/14-2221-extreme- escalation-presentation.pdf -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning
Thanks for reporting this. We aren't currently using SecureBoot for security reasons. Our SecureBoot support is only to allow installation on computers that have it enabled by default. If we ever in the future rely on SecureBoot as a security measure, I agree a warning would be appropriate. ** Information type changed from Private Security to Public Security ** Changed in: grub2-signed (Ubuntu) Status: New => Triaged ** Changed in: grub2-signed (Ubuntu) Importance: Undecided => Wishlist -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs