[Bug 1851897] Update Released
Ćukasz Zemczak
1851897 at bugs.launchpad.net
Thu Dec 5 12:44:26 UTC 2019
The verification of the Stable Release Update for grub2 has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report. In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1851897
Title:
devicetree command should be disabled in Secure Boot mode
Status in grub2 package in Ubuntu:
Fix Released
Status in grub2-signed package in Ubuntu:
Fix Released
Status in grub2 source package in Bionic:
Fix Released
Status in grub2-signed source package in Bionic:
Fix Committed
Status in grub2 source package in Disco:
Fix Released
Status in grub2-signed source package in Disco:
Fix Released
Status in grub2 source package in Eoan:
Fix Released
Status in grub2-signed source package in Eoan:
Fix Released
Status in grub2 source package in Focal:
Fix Released
Status in grub2-signed source package in Focal:
Fix Released
Status in grub2 package in Debian:
Fix Released
Bug description:
[Impact]
A devicetree command could be used to load an unsigned device tree file, which will override the hardware configuration exposed to the kernel. This could potentially be used to subvert Secure Boot.
[Test Case]
grub> devicetree foo
error: Secure Boot forbids loading devicetree from foo.
[Regression Risk]
The idea of Secure Boot and externally provided devicetree are inherently incompatible - there's no known system that requires this config, but it is of course possible someone somewhere is doing it.
The code involved is restricted to devicetree code, so impact would be
restricted to ARM systems.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1851897/+subscriptions
More information about the foundations-bugs
mailing list