[Bug 1851897] Update Released

Ɓukasz Zemczak 1851897 at bugs.launchpad.net
Thu Dec 5 12:44:26 UTC 2019


The verification of the Stable Release Update for grub2 has completed
successfully and the package is now being released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1851897

Title:
  devicetree command should be disabled in Secure Boot mode

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Bionic:
  Fix Released
Status in grub2-signed source package in Bionic:
  Fix Committed
Status in grub2 source package in Disco:
  Fix Released
Status in grub2-signed source package in Disco:
  Fix Released
Status in grub2 source package in Eoan:
  Fix Released
Status in grub2-signed source package in Eoan:
  Fix Released
Status in grub2 source package in Focal:
  Fix Released
Status in grub2-signed source package in Focal:
  Fix Released
Status in grub2 package in Debian:
  Fix Released

Bug description:
  [Impact]
  A devicetree command could be used to load an unsigned device tree file, which will override the hardware configuration exposed to the kernel. This could potentially be used to subvert Secure Boot.

  [Test Case]
  grub> devicetree foo
  error: Secure Boot forbids loading devicetree from foo.

  [Regression Risk]
  The idea of Secure Boot and externally provided devicetree are inherently incompatible - there's no known system that requires this config, but it is of course possible someone somewhere is doing it.

  The code involved is restricted to devicetree code, so impact would be
  restricted to ARM systems.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1851897/+subscriptions



More information about the foundations-bugs mailing list