Ubuntu
grub2 package

  1. Bug #1954683
  2. Comment #0

Comment 0 for bug 1954683

Revision history for this message
Julian Andres Klode (juliank) wrote : grub is missing secure boot support for compressed kernels

[Impact]
Compressed kernels as we have on arm64 cause grub to fail in two ways:

1. In all versions, grub-check-signatures will fail to verify the binaries using sbverify, complain about that in debconf, and then abort the installation/upgrade of grub-efi-arm64-signed

2. In 2.06, the verifiers framework runs before any decompression, causing the kernels to fail verification, as it tries to verify the compressed data. In grub 2.04, we manually verified the file after we had opened it (hence after all filters).

[Attack plan]
1. Modify grub-check-signatures to optionally decompress kernels before passing them to sbverify
2. Modify grub to either
   a) verify after decompress
   b) disable shim_lock verifier on arm64, and only use the rhboot

We do not know if this is a long-term solution, we really should migrate back to kernels that are proper EFI executables themselves such that we can use standard EFI functions to run them as well.

[Test plan]
TBD

[Where problems could occur]
TBD