> Article: Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux
> Distros
> Link:
> https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
>
> May I know if Shim is an important component of GNU Grub?
> This is what the Shim does: https://github.com/rhboot/shim#shim-a-first-stage-uefi-bootloader

Disclaimer: I am no expert on Grub or Shim or security.

So my superficial reading of the message is: If you happen to netboot (PXEboot) using HTTP to transport your kernel+initrd, AND you have SecureBoot enabled, meaning that you rely on it for security, AND you're therefore using the Shim, to sign on the fly your kernel or whatever binaries you need to chainload off the LAN, ... THEN you are susceptible to the CVE, where the attacker (pulling off a MITM) can meticulously craft a binary payload, knowing the inner workings of the Shim, to execute his own arbitrary code, as part of the Shim.

Color me illiterate... isn't the assumed background scenario
1) rare
2) offering other, much simpler ways of attack, once you're in the MITM position, such as providing your own kernel and initrd, effectively booting your own OS in the first place?

If you have someone capable of a MITM inside your LAN, don't you have a much more serious problem in the first place?

I am no expert on this scenario, and I feel judgemental in my possibly unfounded opinion. Corrections are welcome.

If I understand this correctly:
- Linux distros booting from local disk, in legacy or UEFI mode, UEFI with or without SecureBoot, are not affected
- machines PXE-booting without SecureBoot (in legacy or UEFI mode) are not affected

Except that booting without SecureBoot, especially over the network, maybe offers other, more serious vectors of attack.

Overall, somehow I don't see anybody panic.

Side note: I am not exactly sure if this is specific to Grub. Grub indeed seems capable of PXE-booting with UEFI support, and uses the Shim in disk-based UEFI boot first and foremost. Not sure if iPXE is also affected. I don't know if the Shim including the CVE is present in iPXE, or can be combined with iPXE explicitly.

Frank
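
The two preconditions this message names (Secure Boot enabled, and the current boot arriving over HTTP) can be checked on a Linux host; the following is an added example, not part of the original message. The function names and the sample `efibootmgr -v` text are constructed for illustration, and the check looks only at the entry the machine booted from, not at the shim version.

```shell
#!/bin/sh
# Added example, not from the post. Function names are hypothetical.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Constructed sample of `efibootmgr -v` output, used when the tool is absent.
SAMPLE='BootCurrent: 0003
BootOrder: 0003,0001
Boot0001* debian HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\debian\shimx64.efi)
Boot0003* UEFI HTTPv4 (MAC:525400123456) PciRoot(0x0)/Pci(0x3,0x0)/MAC(525400123456,1)/IPv4(0.0.0.0)/Uri()'

# Print enabled/disabled/unknown for a SecureBoot efivars file:
# 4 attribute bytes followed by a 1-byte value (1 = enabled).
secureboot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    val=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$val" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Classify the entry named by BootCurrent (efibootmgr -v text on stdin):
# Uri() node = UEFI HTTP boot, MAC() without Uri() = PXE, else local.
current_boot_kind() {
    awk '
        /^BootCurrent:/ { cur = "Boot" $2 }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ { entry[substr($0, 1, 8)] = $0 }
        END {
            if (cur == "" || !(cur in entry)) { print "unknown"; exit }
            if (entry[cur] ~ /Uri\(/)      print "http"
            else if (entry[cur] ~ /MAC\(/) print "pxe"
            else                           print "local"
        }'
}

# The post's scenario: Secure Boot enabled AND current boot came over HTTP.
matches_post_scenario() { [ "$1" = enabled ] && [ "$2" = http ]; }

if command -v efibootmgr >/dev/null 2>&1 && [ -r "$SB_VAR" ]; then
    sb=$(secureboot_state "$SB_VAR"); kind=$(efibootmgr -v | current_boot_kind)
else
    sb=unknown; kind=$(printf '%s\n' "$SAMPLE" | current_boot_kind)
fi
echo "SecureBoot=$sb boot=$kind"
if matches_post_scenario "$sb" "$kind"; then echo "matches the scenario described"; fi
```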