[Bug 1737048] Re: chainloader fails to validate loading images in Secure Boot mode
Seth Arnold
1737048 at bugs.launchpad.net
Fri Dec 8 23:13:16 UTC 2017
Excellent, thanks Mathieu
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1737048
Title:
chainloader fails to validate loading images in Secure Boot mode
Status in grub2 package in Ubuntu:
Invalid
Bug description:
grub2's chainloader code fails to validate images when loading them in
Secure Boot mode.
In Secure Boot, the image is intended to be validated against the
firmware's KEK and DB, and furthermore against the system's shim MOK
database. grub mimics what shim does in handle_image() to do
relocations / read header, etc., but appears to skip the step of
verifying the image:
The grub code that loads the image header, then checks alignment:
https://git.launchpad.net/~ubuntu-core-dev/grub/+git/ubuntu/tree/grub-core/loader/efi/chainloader.c?h=ubuntu#n517
The same header reading and alignment work in shim:
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim/tree/shim.c#n1279
I think there's a shim_lock->verify() missing in grub there.