Bug#820129: marked as done (grub2: Disallow booting unsigned kernels when Secure Boot is enabled)

Tue, 31 Jul 2018 01:13:18 -0700 

Your message dated Tue, 31 Jul 2018 09:10:29 +0100
with message-id <[email protected]>
and subject line Re: Bug#820129: grub2: Disallow booting unsigned kernels when 
Secure Boot is enabled
has caused the Debian Bug report #820129,
regarding grub2: Disallow booting unsigned kernels when Secure Boot is enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
820129: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820129
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: grub2
Version: 2.02~beta2-36
Severity: wishlist
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The current code in 2.02~beta2-36 will silently fall back to calling
ExitBootServices() and booting an unsigned kernel if signature verification
fails.

As a part of support for UEFI Secure Boot in Debian (820036) change the boot
to fail if signature verification fails.

I have attached a trivial patch for this change. Thanks!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXBAE0AAoJEF/3aG7d/FTWDh4P/ja6Qa0JRr2bIDj+I+sihFmJ
fIHVItLpMEU5hrKnpkRas7GflntzfpEObqUmzPLTRsrA1WobEyZDfNJUOonvEojR
atccbvjShxNJIZFCr+W8mGh23+Xv+4VFVJ9f2jd+2sOlmViGyM88rDLOZN69vwIe
9+GbTY6Ha3PifVDwLXvNH0cNiInt8uPbPnFOKwAcwSqFncyq5mfpCroLIqgfR5Dv
ImROn7to4iurho3MOidJ0gRJm17mcPjzQAyX/Wh2asSiUMx2cIVrkfcSqoeb6W3L
sXytfIwMf3YzY+eLEpsTZDYhmxrJGMa9uQ+Ryg1ZCQI0uI/n3We7cXnukofcM+Of
sAtETJvr8SYrF5J/v7XafbEKXr64jV7wEEk97kDA+YGdw7nR1Y0UeX3W3AJCuOeo
/KF75oIKJrYbRLymT701RwjArKD2wXYDTzmvnQKiTBc4sPofnr+nJIUOGvZ8Tn8O
D/vI8PZKStsZ4cuABkiHEmA3y6zlVtJEkS+OGktNWrugNBJXGWHs6AHGjIIGenTQ
8FPeNrC01DHf+170iV/0PXGLfJKn037y9JSDaZXuZkAsSrqmQENLKzOv9ee4QSsm
UmalPiqKkyeZRQna7ZDK+LwB8yf02applIzsQcFuF/RahZdgLhwl42doC7LgjpYI
wN0JD88AfHJAuUtwbpxc
=fkO9
-----END PGP SIGNATURE-----

>From 52de74c85ef6a9aca426d9de8f188fe92241aff6 Mon Sep 17 00:00:00 2001
From: Linn Crosetto <[email protected]>
Date: Tue, 5 Apr 2016 11:49:05 -0600
Subject: [PATCH] Disallow unsigned kernels if UEFI Secure Boot is enabled

If UEFI Secure Boot is enabled and kernel signature verification fails, do not
boot the kernel. Before this change, if kernel signature verification failed
then GRUB would fall back to calling ExitBootServices() and continuing the
boot.

Patch-Name: linuxefi_disable_sb_fallback.patch

Signed-off-by: Linn Crosetto <[email protected]>
---
 grub-core/loader/i386/linux.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 2380642..e2e26dd 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -696,10 +696,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   using_linuxefi = 0;
   if (grub_efi_secure_boot ())
     {
-      /* Try linuxefi first, which will require a successful signature check
-	 and then hand over to the kernel without calling ExitBootServices.
-	 If that fails, however, fall back to calling ExitBootServices
-	 ourselves and then booting an unsigned kernel.  */
+      /* linuxefi requires a successful signature check and then hand over
+	 to the kernel without calling ExitBootServices. */
       grub_dl_t mod;
       grub_command_t linuxefi_cmd;
 
@@ -721,7 +719,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 		  return GRUB_ERR_NONE;
 		}
 	      grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
-	      grub_errno = GRUB_ERR_NONE;
+	      goto fail;
 	    }
 	}
     }
-- 
2.8.0.rc3

--- End Message ---
--- Begin Message --- 
Source: grub2
Source-Version: 2.02+dfsg1-5

Fixed in 2.02+dfsg1-5:

grub2 (2.02+dfsg1-5) unstable; urgency=medium

  [ Colin Watson ]
  * Change Maintainer to [email protected], following
    Alioth lists migration.
  * Backport from upstream:
    - Use grub-file to figure out whether multiboot2 should be used for
      Xen.gz (closes: #898947).
    - x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32.
  * Fix some test failures:
    - Disable sercon in SeaBIOS.
    - Fix qemu options for UHCI test.

  [ Philipp Hahn ]
  * Disallow unsigned kernels if UEFI Secure Boot is enabled
    (patch by Linn Crosetto <[email protected]>)
  * Add patch to fix lockdown mode
    (patch by Luca Boccassi <[email protected]>)
  * Build monolithic EFI binaries for signing (closes: #851994)
  * Add template for signing monolithic EFI binaries
  * debian/build-efi-images: Use correct EFI vendor (closes: #769172)

  [ Luca Boccassi ]
  * template packages: install changelog and copyright
  * Override lintian error about template rules file
  * Add XB-Efi-Vendor metadata to efi-*-bin packages

 -- Colin Watson <[email protected]>  Mon, 30 Jul 2018 13:33:23 +0100

-- 
Colin Watson                                       [[email protected]]

--- End Message ---

Reply via email to