Public bug reported:

[Impact]
A devicetree command could be used to load an unsigned device tree file, which will override the hardware configuration exposed to the kernel. This could potentially be used to subvert Secure Boot.

[Test Case]
grub> devicetree foo
error: Secure Boot forbids loading devicetree from foo.

[Regression Risk]
The idea of Secure Boot and externally provided devicetree are inherently incompatible - there's no known system that requires this config, but it is of course possible someone somewhere is doing it.

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: grub2 (Ubuntu Bionic)
     Importance: Undecided
         Status: In Progress

** Affects: grub2 (Ubuntu Disco)
     Importance: Undecided
         Status: In Progress

** Affects: grub2 (Ubuntu Eoan)
     Importance: Undecided
         Status: Fix Released

** Affects: grub2 (Ubuntu Focal)
     Importance: Undecided
         Status: Fix Released

** Affects: grub2 (Debian)
     Importance: Unknown
         Status: Unknown

** Also affects: grub2 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Changed in: grub2 (Ubuntu Focal)
       Status: New => Fix Released

** Changed in: grub2 (Ubuntu Eoan)
       Status: New => Fix Released

** Changed in: grub2 (Ubuntu Disco)
       Status: New => In Progress

** Changed in: grub2 (Ubuntu Bionic)
       Status: New => In Progress

** Bug watch added: Debian Bug tracker #927888
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888

** Also affects: grub2 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/1851897

Title:
  devicetree command should be disabled in Secure Boot mode
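
A pre-upgrade check for the regression risk described in the report, added here as an example (it is not part of the bug report or of the grub2 packaging): it lists the menu entries of a GRUB configuration that run `devicetree`, which are the entries that would hit the error shown in the test case when Secure Boot is enabled. The function names, the sample configuration and the rule that a line starting with `}` closes the current menuentry are assumptions of this example.

```shell
# find_devicetree_entries [FILE]   (reads stdin when no file is given)
# Prints "<line>:<menuentry title>:<devicetree argument>" for every hit.
# Assumption: a line that starts with "}" closes the current menuentry.
find_devicetree_entries() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*menuentry[ \t]/ {                # start of a boot entry
            title = $0
            sub(/^[ \t]*menuentry[ \t]+/, "", title)
            q = substr(title, 1, 1)
            if (q == "\"" || q == "\047") {      # quoted title: cut at closing quote
                title = substr(title, 2)
                n = index(title, q)
                if (n > 0) title = substr(title, 1, n - 1)
            } else {
                sub(/[ \t{].*/, "", title)       # bare-word title
            }
            in_entry = 1
            next
        }
        /^[ \t]*[}]/ { in_entry = 0; next }      # closing brace ends the entry
        /^[ \t]*devicetree([ \t]|$)/ {           # the command the fix refuses
            arg = $0
            sub(/^[ \t]*devicetree[ \t]*/, "", arg)
            if (arg == "") arg = "(no argument)"
            printf "%d:%s:%s\n", FNR, (in_entry ? title : "(top level)"), arg
        }
    ' "$@"
}

# Constructed sample configuration, not taken from a real system.
sample_grub_cfg() {
    cat <<'EOF'
# constructed sample
set timeout=5
menuentry 'Ubuntu' --class ubuntu {
    linux /boot/vmlinuz root=/dev/sda2 ro
    initrd /boot/initrd.img
}
menuentry "Board with custom DTB" {
    linux /boot/vmlinuz root=/dev/sda2 ro
    devicetree /boot/dtbs/board.dtb
    initrd /boot/initrd.img
}
EOF
}

# Demo on the sample; on a real system pass the generated config instead,
# e.g. find_devicetree_entries /boot/grub/grub.cfg
sample_grub_cfg | find_devicetree_entries
```

An empty result means no entry in the scanned file depends on an externally provided device tree.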