[Bug 1847458] [NEW] EFI chainloader no longer uses shim lock API
Chris Coulson
chris.coulson at canonical.com
Wed Oct 9 09:55:56 UTC 2019
Public bug reported:
GRUB versions pre-eoan contain modifications to the EFI chainloader
command (grub-core/loader/efi/chainloader.c) which allow a chainloaded
bootloader to be verified using the shim lock EFI protocol (which
validates an image against signatures enrolled in the UEFI db, MOK db
and shim's built-in vendor certificate). The verified bootloader is
subsequently executed directly without the use of the LoadImage() and
StartImage() EFI boot services.
This modification was dropped in the GRUB update in eoan (2.04) - the
EFI chainloader command now always uses the LoadImage() and StartImage()
EFI boot services, which requires a bootloader to be verified using a
signature enrolled in the UEFI db. It's no longer possible to chainload
another bootloader that has to be verified by a signature in the MOK db
or shim's built-in vendor certificate.
I'm not sure if this is a deliberate change or an oversight.
** Affects: grub2 (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
GRUB versions pre-eoan contain modifications to the EFI chainloader
command (grub-core/loader/efi/chainloader.c) which allow a chainloaded
bootloader to be verified using the shim lock EFI protocol (which
validates an image against signatures enrolled in the UEFI db, MOK db
and shim's built-in vendor certificate). The verified bootloader is
subsequently executed directly without the use of the LoadImage() and
StartImage() EFI boot services.
This modification was dropped in the GRUB update in eoan (2.04) - the
EFI chainloader command now always uses the LoadImage() and StartImage()
EFI boot services, which requires a bootloader to be verified using a
- signature enrolled in db. It's no longer possible to chainload another
- bootloader that has to be verified by a signature in the MOK db or
- shim's built-in vendor certificate.
+ signature enrolled in the UEFI db. It's no longer possible to chainload
+ another bootloader that has to be verified by a signature in the MOK db
+ or shim's built-in vendor certificate.
I'm not sure if this is a deliberate change or an oversight.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1847458
Title:
EFI chainloader no longer uses shim lock API
Status in grub2 package in Ubuntu:
New
Bug description:
GRUB versions pre-eoan contain modifications to the EFI chainloader
command (grub-core/loader/efi/chainloader.c) which allow a chainloaded
bootloader to be verified using the shim lock EFI protocol (which
validates an image against signatures enrolled in the UEFI db, MOK db
and shim's built-in vendor certificate). The verified bootloader is
subsequently executed directly without the use of the LoadImage() and
StartImage() EFI boot services.
This modification was dropped in the GRUB update in eoan (2.04) - the
EFI chainloader command now always uses the LoadImage() and
StartImage() EFI boot services, which requires a bootloader to be
verified using a signature enrolled in the UEFI db. It's no longer
possible to chainload another bootloader that has to be verified by a
signature in the MOK db or shim's built-in vendor certificate.
I'm not sure if this is a deliberate change or an oversight.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1847458/+subscriptions
More information about the foundations-bugs
mailing list