[Bug 1890672] Re: secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2

Dimitri John Ledkov 1890672 at bugs.launchpad.net
Fri Aug 7 15:28:34 UTC 2020 

Shim provides a lot more than just a chain of trust. It is also the
protocol to perform TPM2 measurements, for local and remote attestation.

For ultimate security, whilst using custom chain of trust, one must use
shim and ensure that vendor certificate is excluded from trust either
via dbx or mokx. When desired to skip signature validation, there is
ability to request shim to disable-validation, but that requires reboot
and access to mokmanager, such that tpm measurements are affected. This
prevents installing rootkits or accessing TPM sealed secrets
unauthorized (prefix attacks).

Not using shim, results in insecure systems susceptible to Boot Hole and
TPM measurements prefix attacks.

It seems that you are asking us to lower our security standards for our
bootloader. If stock Ubuntu bootloader is too secure for your insecure
usecases, please build your own grub images. By policy we will no longer
sign grub bootloaders that allow bypass of validation without affecting
TPM measurements.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1890672

Title:
  secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2

Status in grub2 package in Ubuntu:
  Confirmed

Bug description:
  I've been using https://github.com/donbowman/ubuntu-secure-boot on my
  18.04 system for secure boot for just over two years. It worked quite
  well. This morning I did a dist-upgrade. Upon reboot, the system
  complained that my kernel wasn't signed (something along the lines of
  "$KERNEL has invalid signature.").

  I was fairly sure my kernel was signed, and signed properly, so I was
  somewhat confused. In the past, when I had messed this up, I was able
  to use `set check_signatures=no` to get the system to boot into the
  OS. This no longer worked; it is as though that flag is now being
  ignored. I had to disable secure boot in the bios to proceed and debug
  the problem.

  I upgraded to 20.04 in the hopes that that would fix my problem. I had
  no success there either.

  Searching around, I found this patch, which exists in a grub2 version
  published recently in both 18.04 and 20.04:

  +  [ Dimitri John Ledkov ]
  +  * SECURITY UPDATE: Grub does not enforce kernel signature validation
  +    when the shim protocol isn't present.
  +    - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
  +      Fail kernel validation if the shim protocol isn't available
  +    - CVE-2020-15705

  ...

  diff -Nru grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch
  --- grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch	1970-01-01 00:00:00.000000000 +0000
  +++ grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch	2020-07-20 18:19:08.000000000 +0000
  @@ -0,0 +1,90 @@
  +From 67508ab68e6a5be869e049a0e6474f4b717d3ab9 Mon Sep 17 00:00:00 2001
  +From: Dimitri John Ledkov <xnox at ubuntu.com>
  +Date: Wed, 22 Jul 2020 11:31:43 +0100
  +Subject: linuxefi: fail kernel validation without shim protocol.
  +
  +If certificates that signed grub are installed into db, grub can be
  +booted directly. It will then boot any kernel without signature
  +validation. The booted kernel will think it was booted in secureboot
  +mode and will implement lockdown, yet it could have been tampered.
  +
  +CVE-2020-15705
  +
  +Reported-by: Mathieu Trudel-Lapierre <cyphermox at ubuntu.com>
  +Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
  +---

  <Main contents omitted>

  
  See the following for the full diff http://launchpadlibrarian.net/490699204/grub2_2.04-1ubuntu26_2.04-1ubuntu26.1.diff.gz

  The same can be seen in 18.04:
  http://launchpadlibrarian.net/490699210/grub2_2.02-2ubuntu8.15_2.02-2ubuntu8.16.diff.gz

  
  I downgraded my grub to the version prior to this change (2.04-1ubuntu26) and I can now boot using secure boot.

  Given that the patch I pasted above logs the same error I was seeing,
  and given that the change in 2.04-1ubuntu26.2 (the most recent) only
  touches the post install, I'm fairly confident in saying that the
  patch I pasted introduced my problem.

  Now, perhaps there is a problem with how the secure boot package I am
  using working. I'd love to know what we should be doing differently if
  so. However, given the check_signatures=no isn't working any more, and
  it is in the official grub documentation
  (https://www.gnu.org/software/grub/manual/grub/html_node/check_005fsignatures.html)
  I think there's at least one bug here.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: grub2 (not installed)
  ProcVersionSignature: Ubuntu 5.4.0-42.46-generic 5.4.44
  Uname: Linux 5.4.0-42-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.6
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: ubuntu:GNOME
  Date: Thu Aug  6 15:55:17 2020
  InstallationDate: Installed on 2018-05-10 (818 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  SourcePackage: grub2
  UpgradeStatus: Upgraded to focal on 2020-08-06 (0 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1890672/+subscriptions

More information about the foundations-bugs mailing list