[Bug 1954683] [NEW] grub is missing secure boot support for compressed kernels

Julian Andres Klode 1954683 at bugs.launchpad.net
Mon Dec 13 17:09:51 UTC 2021 

Public bug reported:

[Impact]
Compressed kernels as we have on arm64 cause grub to fail in two ways:

1. In all versions, grub-check-signatures will fail to verify the
binaries using sbverify, complain about that in debconf, and then abort
the installation/upgrade of grub-efi-arm64-signed

2. In 2.06, the verifiers framework runs before any decompression,
causing the kernels to fail verification, as it tries to verify the
compressed data. In grub 2.04, we manually verified the file after we
had opened it (hence after all filters).

[Attack plan]
1. Modify grub-check-signatures to optionally decompress kernels before passing them to sbverify
2. Modify grub to either
   a) verify after decompress
   b) disable shim_lock verifier on arm64, and only use the rhboot

We do not know if this is a long-term solution, we really should migrate
back to kernels that are proper EFI executables themselves such that we
can use standard EFI functions to run them as well.

[Test plan]
TBD

[Where problems could occur]
TBD

** Affects: grub2-unsigned (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: regression-proposed

** Also affects: grub2 (Ubuntu)
   Importance: Undecided
       Status: New

** No longer affects: grub2 (Ubuntu)

** Tags added: regression-proposed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-unsigned in Ubuntu.
https://bugs.launchpad.net/bugs/1954683

Title:
  grub is missing secure boot support for compressed kernels

Status in grub2-unsigned package in Ubuntu:
  New

Bug description:
  [Impact]
  Compressed kernels as we have on arm64 cause grub to fail in two ways:

  1. In all versions, grub-check-signatures will fail to verify the
  binaries using sbverify, complain about that in debconf, and then
  abort the installation/upgrade of grub-efi-arm64-signed

  2. In 2.06, the verifiers framework runs before any decompression,
  causing the kernels to fail verification, as it tries to verify the
  compressed data. In grub 2.04, we manually verified the file after we
  had opened it (hence after all filters).

  [Attack plan]
  1. Modify grub-check-signatures to optionally decompress kernels before passing them to sbverify
  2. Modify grub to either
     a) verify after decompress
     b) disable shim_lock verifier on arm64, and only use the rhboot

  We do not know if this is a long-term solution, we really should
  migrate back to kernels that are proper EFI executables themselves
  such that we can use standard EFI functions to run them as well.

  [Test plan]
  TBD

  [Where problems could occur]
  TBD

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/1954683/+subscriptions

More information about the foundations-bugs mailing list