Bug#927888: Need to disable the devicetree command in Secure Boot mode

Steve McIntyre steve at einval.com
Fri May 3 22:42:34 BST 2019


On Wed, Apr 24, 2019 at 05:37:24PM +0100, Steve McIntyre wrote:
>On Wed, Apr 24, 2019 at 05:26:00PM +0100, Steve McIntyre wrote:
>>Source: grub2
>>Version: 2.02+dfsg1-16
>>Severity: serious
>>Tags: security
>>
>>In discussion with upstream EFI and arm64 folks, it's become clear
>>that in SB mode we should also be disabling the devicetree command in
>>Secure Boot mode. I'm testing a patch right now, coming shortly.
>
>We should also blacklist any of our old grub-efi-arm64-signed binaries
>signed with our production key - this is a real hole that can totally
>undermine SB. I'll work out how to do that for the next shim upload,
>due in the next couple of days.

It's taken me a few days to get this tested, but this grub patch works
in a SB-enabled qemu/kvm test image.

I'm working out how to do the dbx entries for old binaries now.

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
"I can't ever sleep on planes ... call it irrational if you like, but I'm
 afraid I'll miss my stop" -- Vivek Das Mohapatra
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sb-disable-devicetree.patch
Type: text/x-diff
Size: 1920 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20190503/872c4f36/attachment-0001.patch>