Public bug reported:

[Impact]
A devicetree command could be used to load an unsigned device tree file, which 
will override the hardware configuration exposed to the kernel. This could 
potentially be used to subvert Secure Boot.

[Test Case]
grub> devicetree foo
error: Secure Boot forbids loading devicetree from foo.

[Regression Risk]
Secure Boot and an externally provided devicetree are inherently
incompatible - there's no known system that requires this config, but it is of
course possible someone somewhere is doing it.

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: grub2 (Ubuntu Bionic)
     Importance: Undecided
         Status: In Progress

** Affects: grub2 (Ubuntu Disco)
     Importance: Undecided
         Status: In Progress

** Affects: grub2 (Ubuntu Eoan)
     Importance: Undecided
         Status: Fix Released

** Affects: grub2 (Ubuntu Focal)
     Importance: Undecided
         Status: Fix Released

** Affects: grub2 (Debian)
     Importance: Unknown
         Status: Unknown

** Also affects: grub2 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Changed in: grub2 (Ubuntu Focal)
       Status: New => Fix Released

** Changed in: grub2 (Ubuntu Eoan)
       Status: New => Fix Released

** Changed in: grub2 (Ubuntu Disco)
       Status: New => In Progress

** Changed in: grub2 (Ubuntu Bionic)
       Status: New => In Progress

** Bug watch added: Debian Bug tracker #927888
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888

** Also affects: grub2 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1851897

Title:
  devicetree command should be disabled in Secure Boot mode

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1851897/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
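
The [Regression Risk] note above allows that some system may still rely on an externally provided devicetree. As an added example (not part of the bug report or of GRUB), this shell sketch scans a GRUB config for active `devicetree` commands and flags them when Secure Boot is on. The function names, the sample config and its paths are constructed for illustration, and the Secure Boot state is passed in by the caller.

```shell
#!/bin/sh
# Added example, not part of the bug report or of GRUB itself.

# Print "LINE:COMMAND" for every active `devicetree` command in a GRUB config.
# Comment lines are skipped. Assumes one command per line.
list_devicetree_cmds() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^#/ { next }
        line ~ /^devicetree([ \t]|$)/ { printf "%d:%s\n", NR, line }
    ' "$1"
}

# audit_grub_cfg CFG SB_STATE
# SB_STATE is "enabled" or "disabled" (e.g. taken from `mokutil --sb-state`).
# Returns 1 when Secure Boot is enabled and CFG still issues devicetree,
# i.e. the command would be refused with the error shown in the test case.
audit_grub_cfg() {
    hits=$(list_devicetree_cmds "$1")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS=: read -r n cmd; do
        printf '%s:%s: %s\n' "$1" "$n" "$cmd"
    done
    if [ "$2" = enabled ]; then
        return 1
    fi
    return 0
}

# Constructed sample config (illustrative paths, not from a real system).
write_sample_cfg() {
    cat > "$1" <<'EOF'
# devicetree /boot/old.dtb
menuentry 'Ubuntu' {
    linux /boot/vmlinuz root=/dev/sda1
    devicetree /boot/dtbs/board.dtb
    initrd /boot/initrd.img
}
EOF
}

# Demo: audit the constructed sample as if Secure Boot were enabled.
sample=$(mktemp)
write_sample_cfg "$sample"
audit_grub_cfg "$sample" enabled || echo "devicetree in use: refused under Secure Boot"
rm -f "$sample"
```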
