> I've been using https://github.com/donbowman/ubuntu-secure-boot on my
18.04 system for secure boot for just over two years.

Hi,

If you are still using above, your systems are still susceptible to the
Boot Hole attack.

You must rotate all of your signing keys, and only sign grub & kernels
with Boot Hole mitigation present going forward.

Grub alone is insufficient to guarantee that under secureboot your systems are
not susceptible to attacks.
*Even with the integration that the above repository claims to provide*

In the spirit of what the software from the above repository does, specifically
distrusting any public signatures and using a private key infrastructure, please do the
following:
* Install shim-signed
* optionally strip signatures from shim
* UEFI secureboot sign shim / mokmanager / fallback using your own private key
* Enroll the Canonical Master Certificate Authority into MOKX to distrust it,
i.e. using `mokutil --mokx --import`
* update boot entries to boot shim -> grub 

Note that by default, over the years Ubuntu shim/grub/kernel have
significantly improved and provide far stronger out of the box
security & lockdown guarantees in more recent releases than what the
above repository alludes to. I strongly recommend that you stop using that
github repo. Using the above git repository opens up a much larger
bootloader attack surface than otherwise available with stock Ubuntu
20.04 LTS.

The last unique feature that above github repository provides is
automated initrd signing, which currently is not integrated out of the
box on Ubuntu classic systems, but is being worked on and already
available on Ubuntu Core for the embedded use case.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1890672

Title:
  secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1890672/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
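The steps listed in the reply above (sign shim/MokManager/fallback with your own key, optionally strip the vendor signature first, blacklist the Canonical CA via MOKX, point a boot entry at shim) as one added example script. It is not code from the ubuntu-secure-boot repository or from Ubuntu. The key and certificate paths, the shim source directory, the Canonical CA DER path and the disk/partition are placeholders to be replaced; the tool invocations (sbsigntools' sbattach/sbsign/sbverify, mokutil, efibootmgr) are real. With DRY_RUN=1 it only prints the commands it would run, so the sequence can be reviewed before anything on the ESP is touched.

```shell
#!/bin/sh
# Added example: re-sign the shim set with a private key and distrust the
# Canonical CA in MOKX. Paths below are assumptions/placeholders, not Ubuntu's
# documented locations; check them on your system before setting SB_APPLY=1.
set -eu

SB_KEY="${SB_KEY:-/etc/sb-keys/db.key}"        # assumed: your private signing key (PEM)
SB_CERT="${SB_CERT:-/etc/sb-keys/db.crt}"      # assumed: the matching certificate (PEM)
SHIM_SRC_DIR="${SHIM_SRC_DIR:-/usr/lib/shim}"  # assumed: where shim-signed installs its binaries
ESP_DIR="${ESP_DIR:-/boot/efi/EFI/ubuntu}"     # Ubuntu's default ESP directory
WORK_DIR="${WORK_DIR:-/tmp/sb-resign}"         # scratch space for stripped copies
CANONICAL_CA_DER="${CANONICAL_CA_DER:-/PLACEHOLDER/canonical-uefi-ca.der}"  # placeholder
BOOT_DISK="${BOOT_DISK:-/dev/PLACEHOLDER}"     # placeholder: disk holding the ESP
BOOT_PART="${BOOT_PART:-1}"                    # placeholder: ESP partition number
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Remove the vendor Authenticode signature so only your signature remains
# (the "optionally strip signatures from shim" step).
strip_signature() {  # $1 = PE binary (modified in place)
    run sbattach --remove "$1"
}

# Sign a PE binary with your own key; sbsign writes the result to --output.
sign_efi_binary() {  # $1 = input, $2 = output
    run sbsign --key "$SB_KEY" --cert "$SB_CERT" --output "$2" "$1"
}

# Check that the signed binary verifies against your certificate, i.e. that the
# signature firmware will see is yours and not the stripped vendor one.
verify_efi_binary() {  # $1 = signed PE binary
    run sbverify --cert "$SB_CERT" "$1"
}

# Re-sign shim, MokManager and fallback into the ESP. File names are the amd64
# ones; shim-signed may ship shim with a .signed suffix, so adjust if needed.
resign_shim_set() {
    for bin in shimx64.efi mmx64.efi fbx64.efi; do
        work="$WORK_DIR/$bin"
        run cp "$SHIM_SRC_DIR/$bin" "$work"
        strip_signature "$work"
        sign_efi_binary "$work" "$ESP_DIR/$bin"
        verify_efi_binary "$ESP_DIR/$bin"
    done
}

# Put the Canonical CA on the MOK blacklist (MOKX). Shim then refuses
# Canonical-signed grub/kernels, which is the point of running your own PKI.
distrust_canonical_ca() {
    run mokutil --mokx --import "$CANONICAL_CA_DER"
}

# Create a firmware boot entry that loads shim; shim then loads grubx64.efi
# from the same directory (the "boot shim -> grub" step).
add_shim_boot_entry() {  # $1 = disk, $2 = partition number
    run efibootmgr --create --disk "$1" --part "$2" --label shim \
        --loader '\EFI\ubuntu\shimx64.efi'
}

main() {
    run mkdir -p "$WORK_DIR"
    resign_shim_set
    distrust_canonical_ca     # mokutil asks for a one-time password; confirm in MokManager at next boot
    add_shim_boot_entry "$BOOT_DISK" "$BOOT_PART"
}

# Only act when explicitly asked, so sourcing the file for review is harmless.
if [ "${SB_APPLY:-0}" = "1" ]; then main; fi
```

Run it first as `DRY_RUN=1 SB_APPLY=1 sh resign-shim.sh` to see the exact commands, then with `SB_APPLY=1` as root. The MOKX import takes effect only after MokManager confirms it at the following reboot, and a shim that refuses Canonical signatures will also refuse any Ubuntu-signed grub or kernel you have not re-signed yourself, so re-sign those before rebooting.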
