Grub allows loading an unsigned kernel even when the BIOS has enabled Secure Boot

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2 (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
The grub 2.02 in bionic still has the insecure commands "linux" and "initrd", which allow loading an unsigned kernel and initrd.
Even when the BIOS has forced Secure Boot, the grub boot menu is shown and stays for a few seconds, and it allows entering the grub command line by pressing 'c'. In the grub command line, it is easy to load an unsigned kernel with the 'linux' and 'initrd' commands.
Suggestion: remove 'linux' and 'initrd' from the grub command list.
---
Steps to reproduce:
1. Install an unsigned kernel
2. Enable Secure Boot in the BIOS
3. Reboot the system and boot normally to make sure the unsigned kernel fails to boot (grub.cfg loads the kernel with "linuxefi" and "initrdefi"):
error: /boot/vmlinuz-
error: you need to load the kernel first.
Press any key to continue...
4. After a few seconds, the system returns to the grub menu. Now press 'c' to enter grub command-line mode
5. Enter the following grub commands to load the unsigned kernel and initrd and boot into the unsigned kernel
grub> linux (hd0,gpt3)
grub> initrd (hd0,gpt3)
grub> boot
Expected result:
Booting the unsigned kernel is blocked
Actual result:
The unsigned kernel boots successfully
---
ProblemType: Bug
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
DistroRelease: Ubuntu 18.04
EFITables:
Oct 18 06:31:42 dell-edge-iot kernel: efi: EFI v2.70 by American Megatrends
Oct 18 06:31:42 dell-edge-iot kernel: efi: ACPI 2.0=0x8b7e9000 ACPI=0x8b7e9000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x8bc4d118 MEMATTR=0x87951018
Oct 18 06:31:42 dell-edge-iot kernel: secureboot: Secure boot disabled
Oct 18 06:31:42 dell-edge-iot kernel: esrt: Reserving ESRT space from 0x000000008bc4d118 to 0x000000008bc4d150.
Package: shim-signed 1.37~18.
Tags: bionic uec-images
Uname: Linux 4.15.0-
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lxd plugdev sudo
_MarkForUpload: True
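As an added defender-side check (not part of this bug report, and not grub's own code), the following shell helpers audit the two conditions the report turns on: whether Secure Boot is actually enabled according to the SecureBoot EFI variable, and whether a grub.cfg still loads the kernel with the plain linux/initrd commands or leaves the 'c' command line without a superuser password. The efivar contents and both grub.cfg files are constructed inline for the demonstration, and the password hash is a placeholder.

```shell
# Audit helpers added next to this report (not the reporter's or grub's code).

# Print "enabled"/"disabled" from a copy of the SecureBoot EFI variable
# (e.g. /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c):
# the efivarfs file is 4 attribute bytes followed by the 1-byte value.
secureboot_state() {
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    [ "$val" = "1" ] && echo enabled || echo disabled
}

# Check a grub.cfg for the two weaknesses the report describes:
#  1. kernel loaded with plain linux/initrd (or the 16-bit variants), which
#     skip the shim signature check that linuxefi/initrdefi perform;
#  2. no "set superusers=" line, so pressing 'c' gives an unauthenticated shell.
# Prints one WARN per finding; returns 0 only when both checks pass.
audit_grub_cfg() {
    cfg="$1"; rc=0
    if grep -Eq '^[[:space:]]*(linux|initrd)(16)?[[:space:]]' "$cfg"; then
        echo "WARN: $cfg loads the kernel with linux/initrd (no signature check)"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "WARN: $cfg sets no superusers; the grub command line needs no password"
        rc=1
    fi
    return $rc
}

# Constructed samples (not captured from the reporter's machine).
TMP=$(mktemp -d)
printf '\006\000\000\000\001' > "$TMP/SecureBoot-on"    # attrs 0x06, value 1
printf '\006\000\000\000\000' > "$TMP/SecureBoot-off"   # attrs 0x06, value 0
cat > "$TMP/grub-weak.cfg" <<'EOF'
menuentry 'Ubuntu' {
        linux   /boot/vmlinuz root=/dev/sda3
        initrd  /boot/initrd.img
}
EOF
cat > "$TMP/grub-hardened.cfg" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER_HASH
menuentry 'Ubuntu' --unrestricted {
        linuxefi  /boot/vmlinuz root=/dev/sda3
        initrdefi /boot/initrd.img
}
EOF
echo "Secure Boot: $(secureboot_state "$TMP/SecureBoot-on")"
audit_grub_cfg "$TMP/grub-weak.cfg" || true
audit_grub_cfg "$TMP/grub-hardened.cfg" && echo "hardened config passes"
```

On a live system, point secureboot_state at the real efivars file and audit_grub_cfg at /boot/grub/grub.cfg; the superuser password itself is generated with grub-mkpasswd-pbkdf2 and placed in /etc/grub.d/40_custom before running update-grub.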
Hello Darren,
Execute the following command in the terminal:
$ apport-collect -p grub2 1798384
Best regards,
--
Cristian Aravena Romero (caravena)