grub does not validate kernel signature during secure boot

Bug #1475954 reported by Craig G on 2015-07-19
This bug affects 5 people
Affects Status Importance Assigned to Milestone
grub2 (Ubuntu)

Bug Description

I've been playing around with secure boot recently and I think I've found an issue with the signed grub efi image that ships with Ubuntu (15.04).

When booting in secure mode, it is not possible to load modules from grub, meaning they must all be statically linked into the efi image before it is signed (the current list of included modules is in debian/build-efi-images). The grub module responsible for verifying file signatures is 'verify' and it is not included as part of the signed grub image in the grub-efi-amd64-signed package.

Further, even if this module was included, there are no public keys included in the grub image (these are usually included using the --pubkey flag of grub-mkimage).

Both of these issues mean that despite booting a signed kernel image from grub (like vmlinuz-3.19.0-22-generic.efi.signed), the signature of the kernel is never actually validated before it is launched.

I've managed to get a version of the grub.efi loader to boot in secure mode with the verify module included and my personal gpg public key included. It now refuses to boot the ubuntu signed kernel because of the signature mismatch. I haven't been able to test the successful case, though, because I can't seem to find the gpg public key that is used to sign the ubuntu kernels...

Craig G (cgallek) on 2015-07-23
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

Ubuntu's support for secure boot is solely intended as a compatibility measure so that media can boot on secure boot enabled computers.

There are no current plans to enable secure boot as a security measure.

Changed in grub2 (Ubuntu):
status: New → Confirmed
Craig G (cgallek) wrote :

Thanks for the update. Do you know if it's even possible to use grub to verify the signatures of the currently distributed signed Ubuntu kernels? As far as I can tell, grub only supports gpg detached signatures. The Ubuntu kernels seem to be signed using sbsigntool with an X509 certificate and private key.

If not, I believe the only way to actually use secure boot with an Ubuntu kernel is to directly load the kernel from the EFI without using grub...

Tyler Hicks (tyhicks) wrote :

What Marc said in comment #1 was previously true. However, there is now ongoing work to enable secure boot as a security measure for Ubuntu 16.04 LTS. That will include kernel signature verification.

I'm going to mark this bug report as a dupe of a similar bug report (bug #1401532) which is being used to track the work. Thanks!

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers