Bug#927888: Need to disable the devicetree command in Secure Boot mode
Steve McIntyre
steve at einval.com
Wed Apr 24 17:37:24 BST 2019
On Wed, Apr 24, 2019 at 05:26:00PM +0100, Steve McIntyre wrote:
>Source: grub2
>Version: 2.02+dfsg1-16
>Severity: serious
>Tags: security
>
>In discussion with upstream EFI and arm64 folks, it's become clear
>that in SB mode we should also be disabling the devicetree command in
>Secure Boot mode. I'm testing a patch right now, coming shortly.

We should also blacklist any of our old grub-efi-arm64-signed binaries
signed with our production key - this is a real hole that can totally
undermine SB. I'll work out how to do that for the next shim upload,
due in the next couple of days.
--
Steve McIntyre, Cambridge, UK. steve at einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
note stuck to the mini-bar saying "Paul: This fridge and
fittings are the correct way around and do not need altering"