[Bug 1851897] Re: devicetree command should be disabled in Secure Boot mode

Timo Aaltonen tjaalton at ubuntu.com
Fri Nov 22 11:09:38 UTC 2019 

Hello dann, or anyone else affected,

Accepted grub2 into disco-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/grub2/2.02+dfsg1-12ubuntu2.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-disco to verification-done-disco. If it does not fix
the bug for you, please add a comment stating that, and change the tag
to verification-failed-disco. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Tags added: verification-needed verification-needed-disco

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1851897

Title:
  devicetree command should be disabled in Secure Boot mode

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Bionic:
  Fix Committed
Status in grub2-signed source package in Bionic:
  Fix Committed
Status in grub2 source package in Disco:
  Fix Committed
Status in grub2-signed source package in Disco:
  Fix Committed
Status in grub2 source package in Eoan:
  Fix Released
Status in grub2-signed source package in Eoan:
  Fix Released
Status in grub2 source package in Focal:
  Fix Released
Status in grub2-signed source package in Focal:
  Fix Released
Status in grub2 package in Debian:
  Fix Released

Bug description:
  [Impact]
  A devicetree command could be used to load an unsigned device tree file, which will override the hardware configuration exposed to the kernel. This could potentially be used to subvert Secure Boot.

  [Test Case]
  grub> devicetree foo
  error: Secure Boot forbids loading devicetree from foo.

  [Regression Risk]
  The idea of Secure Boot and externally provided devicetree are inherently incompatible - there's no known system that requires this config, but it is of course possible someone somewhere is doing it.

  The code involved is restricted to devicetree code, so impact would be
  restricted to ARM systems.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1851897/+subscriptions

More information about the foundations-bugs mailing list