[Bug 1890672] [NEW] secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2
Kyle Larose
1890672 at bugs.launchpad.net
Thu Aug 6 20:16:07 UTC 2020
Public bug reported:
I've been using https://github.com/donbowman/ubuntu-secure-boot on my
18.04 system for secure boot for just over two years. It worked quite
well. This morning I did a dist-upgrade. Upon reboot, the system
complained that my kernel wasn't signed (something along the lines of
"$KERNEL has invalid signature.").
I was fairly sure my kernel was signed, and signed properly, so I was
somewhat confused. In the past, when I had messed this up, I was able to
use `set check_signatures=no` to get the system to boot into the OS.
This no longer worked; it is as though that flag is now being ignored. I
had to disable secure boot in the bios to proceed and debug the problem.
I upgraded to 20.04 in the hopes that that would fix my problem. I had
no success there either.
Searching around, I found this patch, which exists in a grub2 version
published recently in both 18.04 and 20.04:
+ [ Dimitri John Ledkov ]
+ * SECURITY UPDATE: Grub does not enforce kernel signature validation
+ when the shim protocol isn't present.
+ - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
+ Fail kernel validation if the shim protocol isn't available
+ - CVE-2020-15705
...
diff -Nru grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch
--- grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch 2020-07-20 18:19:08.000000000 +0000
@@ -0,0 +1,90 @@
+From 67508ab68e6a5be869e049a0e6474f4b717d3ab9 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox at ubuntu.com>
+Date: Wed, 22 Jul 2020 11:31:43 +0100
+Subject: linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre <cyphermox at ubuntu.com>
+Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
+---
<Main contents omitted>
See the following for the full diff http://launchpadlibrarian.net/490699204/grub2_2.04-1ubuntu26_2.04-1ubuntu26.1.diff.gz
The same can be seen in 18.04:
http://launchpadlibrarian.net/490699210/grub2_2.02-2ubuntu8.15_2.02-2ubuntu8.16.diff.gz
I downgraded my grub to the version prior to this change (2.04-1ubuntu26) and I can now boot using secure boot.
Given that the patch I pasted above logs the same error I was seeing,
and given that the change in 2.04-1ubuntu26.2 (the most recent) only
touches the post install, I'm fairly confident in saying that the patch
I pasted introduced my problem.
Now, perhaps there is a problem with how the secure boot package I am
using working. I'd love to know what we should be doing differently if
so. However, given the check_signatures=no isn't working any more, and
it is in the official grub documentation
(https://www.gnu.org/software/grub/manual/grub/html_node/check_005fsignatures.html)
I think there's at least one bug here.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: grub2 (not installed)
ProcVersionSignature: Ubuntu 5.4.0-42.46-generic 5.4.44
Uname: Linux 5.4.0-42-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.6
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Thu Aug 6 15:55:17 2020
InstallationDate: Installed on 2018-05-10 (818 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: grub2
UpgradeStatus: Upgraded to focal on 2020-08-06 (0 days ago)
** Affects: grub2 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1890672
Title:
secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2
Status in grub2 package in Ubuntu:
New
Bug description:
I've been using https://github.com/donbowman/ubuntu-secure-boot on my
18.04 system for secure boot for just over two years. It worked quite
well. This morning I did a dist-upgrade. Upon reboot, the system
complained that my kernel wasn't signed (something along the lines of
"$KERNEL has invalid signature.").
I was fairly sure my kernel was signed, and signed properly, so I was
somewhat confused. In the past, when I had messed this up, I was able
to use `set check_signatures=no` to get the system to boot into the
OS. This no longer worked; it is as though that flag is now being
ignored. I had to disable secure boot in the bios to proceed and debug
the problem.
I upgraded to 20.04 in the hopes that that would fix my problem. I had
no success there either.
Searching around, I found this patch, which exists in a grub2 version
published recently in both 18.04 and 20.04:
+ [ Dimitri John Ledkov ]
+ * SECURITY UPDATE: Grub does not enforce kernel signature validation
+ when the shim protocol isn't present.
+ - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
+ Fail kernel validation if the shim protocol isn't available
+ - CVE-2020-15705
...
diff -Nru grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch
--- grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch 2020-07-20 18:19:08.000000000 +0000
@@ -0,0 +1,90 @@
+From 67508ab68e6a5be869e049a0e6474f4b717d3ab9 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox at ubuntu.com>
+Date: Wed, 22 Jul 2020 11:31:43 +0100
+Subject: linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre <cyphermox at ubuntu.com>
+Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
+---
<Main contents omitted>
See the following for the full diff http://launchpadlibrarian.net/490699204/grub2_2.04-1ubuntu26_2.04-1ubuntu26.1.diff.gz
The same can be seen in 18.04:
http://launchpadlibrarian.net/490699210/grub2_2.02-2ubuntu8.15_2.02-2ubuntu8.16.diff.gz
I downgraded my grub to the version prior to this change (2.04-1ubuntu26) and I can now boot using secure boot.
Given that the patch I pasted above logs the same error I was seeing,
and given that the change in 2.04-1ubuntu26.2 (the most recent) only
touches the post install, I'm fairly confident in saying that the
patch I pasted introduced my problem.
Now, perhaps there is a problem with how the secure boot package I am
using working. I'd love to know what we should be doing differently if
so. However, given the check_signatures=no isn't working any more, and
it is in the official grub documentation
(https://www.gnu.org/software/grub/manual/grub/html_node/check_005fsignatures.html)
I think there's at least one bug here.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: grub2 (not installed)
ProcVersionSignature: Ubuntu 5.4.0-42.46-generic 5.4.44
Uname: Linux 5.4.0-42-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.6
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Thu Aug 6 15:55:17 2020
InstallationDate: Installed on 2018-05-10 (818 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: grub2
UpgradeStatus: Upgraded to focal on 2020-08-06 (0 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1890672/+subscriptions
More information about the foundations-bugs
mailing list