exposing the EFI shell in Secure Boot mode can lead to security bypass
Bug #2040139 reported by Mate Kukri
This bug report is a duplicate of:
Bug #2040137: exposing the EFI shell in Secure Boot mode can lead to security bypass.
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxd (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The EFI shell is available as a built-in Boot Option in LXD's OVMF builds, even when Secure Boot is enabled.
This application has known mechanisms for bypassing UEFI Secure Boot, and has already been barred from signing previously.
It should either: not be built into LXD's OVMF, or be disabled when Secure Boot is enabled in any capacity.
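An audit check for the condition this report describes, as an added example that is not part of the original report or of LXD's code: run inside a guest, it parses the `Boot####` variables from efivarfs and reports EFI shell boot options when Secure Boot is enabled. The shell file GUID and the "EFI Internal Shell" description are assumptions based on edk2, and the sample variables are constructed.

```python
import re
import struct
import uuid
from pathlib import Path

GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE namespace
# Assumption: file GUID edk2 gives its built-in UEFI Shell (not stated on this page).
SHELL_GUID = uuid.UUID("7c04a583-9e3e-4f1c-ad65-e05268d0b4d1")

def parse_load_option(data):
    """Parse an EFI_LOAD_OPTION: (active, description, firmware-file GUIDs)."""
    attrs, path_len = struct.unpack_from("<IH", data, 0)
    end = 6
    while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2                                  # CHAR16 description, NUL-terminated
    desc = data[6:end].decode("utf-16-le", "replace")
    off, guids = end + 2, []
    stop = min(off + path_len, len(data))
    while off + 4 <= stop:
        typ, sub, length = struct.unpack_from("<BBH", data, off)
        if length < 4 or off + length > stop or (typ, sub) == (0x7F, 0xFF):
            break                                 # malformed node or end of device path
        if (typ, sub) == (0x04, 0x06) and length >= 20:  # media / firmware-volume file
            guids.append(uuid.UUID(bytes_le=data[off + 4:off + 20]))
        off += length
    return bool(attrs & 1), desc, guids

def shell_entries_under_secure_boot(efivars):
    """efivars maps efivarfs file name -> raw bytes (4 attribute bytes, then data)."""
    sb = efivars.get(f"SecureBoot-{GLOBAL}", b"")
    if len(sb) < 5 or sb[4] != 1:                 # Secure Boot not enabled
        return []
    hits = []
    for name, raw in sorted(efivars.items()):
        if re.fullmatch(rf"Boot[0-9A-F]{{4}}-{GLOBAL}", name) and len(raw) >= 10:
            active, desc, guids = parse_load_option(raw[4:])
            if SHELL_GUID in guids or "shell" in desc.lower():
                hits.append((name[:8], desc, active))
    return hits

def read_efivars(root="/sys/firmware/efi/efivars"):
    """Load the relevant variables from a running guest's efivarfs."""
    return {p.name: p.read_bytes() for p in Path(root).glob("*Boot*")}

def sample_efivars(secure_boot=1):
    """Constructed sample: one shell entry stored as a firmware-volume file path."""
    path = b"\x04\x06\x14\x00" + SHELL_GUID.bytes_le + b"\x7f\xff\x04\x00"
    opt = struct.pack("<IH", 1, len(path)) + "EFI Internal Shell\0".encode("utf-16-le") + path
    return {f"SecureBoot-{GLOBAL}": b"\x06\x00\x00\x00" + bytes([secure_boot]),
            f"Boot0003-{GLOBAL}": b"\x07\x00\x00\x00" + opt}
```

On a live guest, `shell_entries_under_secure_boot(read_efivars())` returns an empty list when Secure Boot is off or no shell boot option is present.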
affects: lxc (Ubuntu) → lxd (Ubuntu)
information type: Private Security → Public Security
If we build out the EFI shell, would this prevent users from setting custom UEFI variables?
This is something I believe the kernel team are doing. @xnox please can you advise?
Thanks