secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
grub2 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
I've been using https:/
I was fairly sure my kernel was signed, and signed properly, so I was somewhat confused. In the past, when I had messed this up, I was able to use `set check_signature
I upgraded to 20.04 in the hopes that that would fix my problem. I had no success there either.
Searching around, I found this patch, which exists in a grub2 version published recently in both 18.04 and 20.04:
+ [ Dimitri John Ledkov ]
+ * SECURITY UPDATE: Grub does not enforce kernel signature validation
+ when the shim protocol isn't present.
+ - 0097-linuxefi-
+ Fail kernel validation if the shim protocol isn't available
+ - CVE-2020-15705
...
diff -Nru grub2-2.
--- grub2-2.
+++ grub2-2.
@@ -0,0 +1,90 @@
+From 67508ab68e6a5be
+From: Dimitri John Ledkov <email address hidden>
+Date: Wed, 22 Jul 2020 11:31:43 +0100
+Subject: linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre <email address hidden>
+Signed-off-by: Dimitri John Ledkov <email address hidden>
+---
<Main contents omitted>
See the following for the full diff http://
The same can be seen in 18.04: http://
I downgraded my grub to the version prior to this change (2.04-1ubuntu26) and I can now boot using secure boot.
Given that the patch I pasted above logs the same error I was seeing, and given that the change in 2.04-1ubuntu26.2 (the most recent) only touches the post install, I'm fairly confident in saying that the patch I pasted introduced my problem.
Now, perhaps there is a problem with how the secure boot package I am using working. I'd love to know what we should be doing differently if so. However, given the check_signatures=no isn't working any more, and it is in the official grub documentation (https:/
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: grub2 (not installed)
ProcVersionSign
Uname: Linux 5.4.0-42-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.6
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Thu Aug 6 15:55:17 2020
InstallationDate: Installed on 2018-05-10 (818 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: grub2
UpgradeStatus: Upgraded to focal on 2020-08-06 (0 days ago)
Changed in grub2 (Ubuntu): | |
status: | Invalid → New |
That set check_signatures=no does not work seems correct, you don't want to be able to circumvent secure boot just by editing
grub.cfg
Given that you vastly modified your boot configuration, I don't think this is actionable. I'd suggest you remove that package and maybe reinstall in case it does not fully get rid of it. Not only does it break your boot, it also makes it less secure by replacing trusted binaries with binaries you can sign just by gaining root access, completely circumventing the idea of secure boot preventing rootkits etc.