grub does not validate kernel signature during secure boot
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
grub2 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
I've been playing around with secure boot recently and I think I've found an issue with the signed grub efi image that ships with Ubuntu (15.04).
When booting in secure mode, it is not possible to load modules from grub, meaning they must all be statically linked into the efi image before it is signed (the current list of included modules is in debian/
Further, even if this module was included, there are no public keys included in the grub image (these are usually included using the --pubkey flag of grub-mkimage).
Both of these issues mean that despite booting a signed kernel image from grub (like vmlinuz-
I've managed to get a version of the grub.efi loader to boot in secure mode with the verify module included and my personal gpg public key included. It now refuses to boot the ubuntu signed kernel because of the signature mismatch. I haven't been able to test the successful case, though, because I can't seem to find the gpg public key that is used to sign the ubuntu kernels...
information type: | Private Security → Public Security |
Ubuntu's support for secure boot is solely intended as a compatibility measure so that media can boot on secure boot enabled computers.
There are no current plans to enable secure boot as a security measure.