Bug#906124: grub-efi-amd64: Also in grub-efi-amd64

2020-10-06 Thread Victorien Berlot
On Sat, 3 Oct 2020 21:09:23 +0300 Vladislav Yarmak wrote:
> On Sat, 26 Sep 2020 22:33:42 + Victorien Berlot wrote:
> > Hello,
> >
> > Has this bug been fixed?
>
> Nope, but this bug was ported to CentOS 8 and probably other distros.
> TBH, looks like widespread bootchain sabotage to me.
>
> BTW, the NSA released a technical report about secureboot recently:
> https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF
>
> Interesting fact, they skip initramdrive verification as well, and
> modern distros make its verification next to impossible.
>
> --
> Best Regards,
> Vladislav Yarmak
>
>

There's something I don't understand.
The root of this bug is identified, right?
It's disappointing it doesn't work anymore because it was a really good feature.
Do you know an alternative or a workaround?

Bug#906124: grub-efi-amd64: Also in grub-efi-amd64

2020-10-03 Thread Vladislav Yarmak
On Sat, 26 Sep 2020 22:33:42 + Victorien Berlot wrote:
> Hello,
> 
> Has this bug been fixed?

Nope, but this bug was ported to CentOS 8 and probably other distros.
TBH, looks like widespread bootchain sabotage to me.

BTW, the NSA released a technical report about secureboot recently:
https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF

Interesting fact, they skip initramdrive verification as well, and
modern distros make its verification next to impossible.

-- 
Best Regards,
Vladislav Yarmak



Bug#906124: grub-efi-amd64: Also in grub-efi-amd64

2020-09-26 Thread Victorien Berlot
Hello,

Has this bug been fixed?

Bug#906124: grub-efi-amd64: Also in grub-efi-amd64

2019-08-23 Thread Aaron Schaal
Package: grub-efi-amd64
Version: 2.02+dfsg1-20
Followup-For: Bug #906124


Yesterday, I wanted to enable secure boot with custom keys and PGP-signed
kernel, initrds and grub.
However, unfortunately the bug #906124 still exists (at least in the current
version of buster).
Has it already been solved in unstable or testing?

Also, I want to mention that I have grub-efi-amd64 installed (not i386). Hence,
the bug does not depend on the architecture, I guess.

Best regards,
Aaron