Grub allows loading an unsigned kernel even when the BIOS has secure boot enabled

Bug #1798384 reported by Darren Wu
Affects: grub2 (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

The grub 2.02 in bionic still has the insecure commands "linux" and "initrd", which allow loading an unsigned kernel and initrd.

Even when the BIOS has forced secure boot, the grub boot menu shows and stays for a few seconds, and it allows entering the grub command line by pressing 'c'. In the grub command line, it is easy to load an unsigned kernel with the 'linux' and 'initrd' commands.

Suggest removing 'linux' and 'initrd' from the grub command list.

---
Reproduce steps:
1. Install an unsigned kernel
2. Enable secure boot from BIOS
3. Reboot the system and boot normally to make sure the unsigned kernel boot fails (grub.cfg loads the kernel with "linuxefi" and "initrdefi")
error: /boot/vmlinuz-4.15.0-1014 has invalid signature
error: you need to load the kernel first.

Press any key to continue...
4. After a few seconds, the system will go back to the grub menu. Now press 'c' to enter grub command line mode
5. Enter the following grub commands to load the unsigned kernel and initrd and boot into the unsigned kernel
grub> linux (hd0,gpt3)/boot/vmlinuz-4.15.0-1014
grub> initrd (hd0,gpt3)/boot/initrd.img-4.15.0-1014
grub> boot

Expected result:
The unsigned kernel is blocked from booting

Actual result:
The unsigned kernel boots successfully

---
ProblemType: Bug
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] No such file or directory: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.9-0ubuntu7.4
Architecture: amd64
DistroRelease: Ubuntu 18.04
EFITables:
 Oct 18 06:31:42 dell-edge-iot kernel: efi: EFI v2.70 by American Megatrends
 Oct 18 06:31:42 dell-edge-iot kernel: efi: ACPI 2.0=0x8b7e9000 ACPI=0x8b7e9000 SMBIOS=0xf0000 SMBIOS 3.0=0xf0020 ESRT=0x8bc4d118 MEMATTR=0x87951018
 Oct 18 06:31:42 dell-edge-iot kernel: secureboot: Secure boot disabled
 Oct 18 06:31:42 dell-edge-iot kernel: esrt: Reserving ESRT space from 0x000000008bc4d118 to 0x000000008bc4d150.
Package: shim-signed 1.37~18.04.2+15+1533136590.3beb971-0ubuntu1
PackageArchitecture: amd64
ProcVersionSignature: Ubuntu 4.15.0-1014.18-caracalla 4.15.18
Tags: bionic uec-images
Uname: Linux 4.15.0-1014-caracalla x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm cdrom dip lxd plugdev sudo
_MarkForUpload: True

Revision history for this message
Cristian Aravena Romero (caravena) wrote :

Hello Darren,

Execute the following command in the terminal:

$ apport-collect -p grub2 1798384

Best regards,
--
Cristian Aravena Romero (caravena)

Changed in grub2 (Ubuntu):
status: New → Incomplete
Darren Wu (musicguitar) wrote : Dependencies.txt

apport information

tags: added: apport-collected bionic uec-images
description: updated
Darren Wu (musicguitar) wrote : EFIBootMgr.txt

apport information

Darren Wu (musicguitar) wrote : ProcCpuinfoMinimal.txt

apport information

Darren Wu (musicguitar) wrote : ProcEnviron.txt

apport information

description: updated
Tony Espy (awe) wrote :

Note it's possible to use grub2 configuration directives to lock down privileged operations (such as access to the shell). The 'superusers' and 'password*' directives can be used to require user auth before certain operations. It even looks like it's possible to completely disable these privileged operations by setting 'superusers' to an empty string. For more information see:

https://www.gnu.org/software/grub/manual/grub/grub.html#Security

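The lockdown Tony Espy points to, written out as an added example (this is not code from the bug report, the reporter, or the GRUB project). The script does two things: it audits an existing grub.cfg for the two conditions the report relies on (no `superusers` set, so the 'c' shell and menu editor are unrestricted; and menu entries using bare `linux`/`initrd`, which per the report bypass the signature check that `linuxefi`/`initrdefi` perform), and it emits a `/etc/grub.d/40_custom`-style fragment that sets `superusers` and a `password_pbkdf2` entry. The user name `admin` and the hash are placeholders; the real hash comes from `grub-mkpasswd-pbkdf2`, and the fragment takes effect only after `update-grub` regenerates grub.cfg.

```shell
#!/bin/sh
# Added example: audit and lock down GRUB 2 menu/shell access.
# Names and sample values below are placeholders, not taken from the bug report.

# grub_cfg_audit FILE
# Prints one finding per line; returns 0 if the file shows neither problem.
grub_cfg_audit() {
    cfg="$1"
    rc=0
    # Without 'set superusers=...' GRUB lets anyone press 'c' for a shell or 'e' to edit entries.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg"; then
        echo "no superusers set: command line and menu editor are unrestricted"
        rc=1
    fi
    # Bare 'linux'/'initrd' entries (as opposed to linuxefi/initrdefi) are the path the report abuses.
    # The regex requires whitespace right after the command, so 'linuxefi' does not match.
    if grep -Eq '^[[:space:]]*(linux|initrd)[[:space:]]' "$cfg"; then
        echo "menu entries use 'linux'/'initrd' instead of linuxefi/initrdefi"
        rc=1
    fi
    return $rc
}

# grub_lockdown_fragment USER PBKDF2_HASH
# Emits the two lines to append to /etc/grub.d/40_custom. The hash is the
# 'grub.pbkdf2.sha512....' string printed by grub-mkpasswd-pbkdf2.
grub_lockdown_fragment() {
    printf 'set superusers="%s"\n' "$1"
    printf 'password_pbkdf2 %s %s\n' "$1" "$2"
}

# Usage:
#   sh grub_lockdown.sh audit /boot/grub/grub.cfg
#   sh grub_lockdown.sh fragment admin 'grub.pbkdf2.sha512.10000.AAAA.BBBB' >> /etc/grub.d/40_custom && update-grub
case "${1:-}" in
    audit)    grub_cfg_audit "$2" ;;
    fragment) grub_lockdown_fragment "$2" "$3" ;;
esac
```

Two caveats a practitioner should expect. Once `superusers` is set, every menu entry also requires the password at boot unless it is declared with `menuentry --unrestricted`; on Ubuntu that means adjusting the generated entries rather than only adding the fragment. And per the GRUB manual linked above, setting `superusers` to an empty string disables the command line and menu editing outright, which is the stronger option when no interactive recovery is needed on the machine.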
Launchpad Janitor (janitor) wrote :

[Expired for grub2 (Ubuntu) because there has been no activity for 60 days.]

Changed in grub2 (Ubuntu):
status: Incomplete → Expired