Private bug reported:

Secure Boot and Secured Update are foundational platform security features
designed to ensure system integrity from boot through runtime updates.

Secure Boot establishes a hardware root of trust and verifies the authenticity
and integrity of firmware, bootloaders, and the operating system before
execution. It prevents unauthorized or malicious code from being loaded during
the boot process by enforcing cryptographic signature validation.

Secured Update extends this trust model to firmware and software updates,
ensuring that only authenticated, signed, and verified updates are applied to
system components such as BIOS/UEFI, BMC firmware, and device firmware. This
protects against supply chain attacks, rollback attacks, and unauthorized
modifications.

In the Linux kernel, Secure Boot is supported through UEFI Secure Boot
mechanisms, kernel signature verification, and trusted key management. Secured
Update workflows involve coordination between firmware, OS tools, and
management frameworks (e.g., capsule updates, fwupd). However, enhancements are
needed for better integration, visibility, and policy enforcement across
platform components.

Feature Request:
Requested details to be enabled on OS:
  Ensure full support for UEFI Secure Boot (key enrollment, signature
    verification, revocation lists).
  Enable kernel and module signature enforcement under Secure Boot.
  Support secure firmware update mechanisms (UEFI capsule updates, signed
    payloads).
  Integrate secured update workflows with OS tools (e.g., fwupd, LVFS where
    applicable).
  Provide mechanisms for rollback protection and version control of firmware
    updates.
  Expose Secure Boot status and configuration via sysfs and user-space tools.
  Enable logging and auditing of Secure Boot and update events.
  Support secure update of device firmware (PCIe/CXL devices, NICs, storage).
  Integrate with platform management frameworks (BMC, Redfish) for remote
    updates.
  Provide policy controls for update authorization and enforcement.
  Ensure compatibility with virtualization environments and confidential
    computing setups.
  Document Secure Boot configuration, key management, and secured update
    workflows.

Business Justification:
  Protects system from unauthorized code execution during boot. 
  Ensures integrity and authenticity of firmware and software updates. 
  Mitigates supply chain and firmware-level attacks. 
  Enhances compliance with security standards and regulations. 
  Improves trustworthiness of platform in enterprise and cloud environments. 
  Aligns with modern zero-trust and secure infrastructure strategies.

References:
  UEFI Secure Boot Specification 
  Linux Kernel Secure Boot and Module Signing Documentation 
  fwupd and LVFS Documentation 
  NIST and Industry Security Guidelines for Firmware Protection

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Public to Private

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146711

Title:
  Request for Security Support – Secure Boot and Secured Update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2146711/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs