I'm updating the description for this bug and opening a grub2-signed task (and the relevant release tasks). We're at the point where the grub2 fallback code needs to be addressed.
** Description changed: + [Rationale] + GRUB should help us enforce that in UEFI mode, only signed kernels are loaded. It should not silently fall back to loading unsigned kernels. + + [Impact] + All our users booting in UEFI; on all supported releases. + + [Test cases] + + = grub2 = + + Booting unsigned kernels: + 1) Try to boot a custom kernel + 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) + + Booting signed kernels: + 1) Try to boot an official signed kernel (from -release or -updates) + 2) Verify that the system boots normally and no warnings are shown about signature. + + + [Regression Potential] + Any failure to boot presenting as a failure to load the kernel from within grub, with an "invalid signature" type error message or not, should be investigated as a potential regression of this stable update. + + --- + Me and some other students have conducted some various experiments on Secure Boot enabled machines. The main focus of the tests was to circumvent Secure Boot and load unsigned kernels or kernels that have been signed with other keys. On your SecureBoot (https://wiki.ubuntu.com/SecurityTeam/SecureBoot) it is outlined that GRUB will boot unsigned kernels when the kernel is unsigned. During one of our experiments it seemed that this statement was true and that GRUB loads unsigned kernels as described on your page. We understand that for various reasons GRUB should still support the use-case when an unsigned kernel must be loaded, but with the current approach the user isn't aware if there is a whole chain of trust. For example, it could still be possible to load some malware before it boots the Operating System itself (bootkits). One of the many reasons that Secure Boot has been developed is to protect the user from these kind of attacks. With the current approach the purpose of Secure Boot is somewhat defeated, and the user doesn't know if the whole chain has been verified or not. It could easily be the case that an unsigned kernel has been loaded by Ubuntu without the user noticing. From our point of view, a better approach would be to inform the user that an unsigned kernel will be loaded and that the user can make a choice if he/she wants to proceed. The default action could be to accept the option, remember the user's option and sometimes remind the user of the fact that it is loading an unsigned kernel. This problem is of course related to GRUB itself and not to Ubuntu itself. The reason for filing this bug and informing the SecurityTeam of Ubuntu is to ask for their opinions and what your point of view is on the current approach and to see if other users classify this as a "bug". GRUB2 versions: grub-2.02~beta2, 1.34.1+2.02~beta2-9ubuntu1 Ubuntu version: Trusty (will also affect newer and older versions, GRUB specific problem) ** Also affects: grub2-signed (Ubuntu) Importance: Undecided Status: New ** Changed in: grub2-signed (Ubuntu) Status: New => Triaged ** Changed in: grub2-signed (Ubuntu) Importance: Undecided => High ** Changed in: grub2-signed (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) ** Also affects: grub2 (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: grub2-signed (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: grub2 (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: grub2-signed (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: grub2 (Ubuntu Zesty) Importance: High Assignee: Mathieu Trudel-Lapierre (cyphermox) Status: Triaged ** Also affects: grub2-signed (Ubuntu Zesty) Importance: High Assignee: Mathieu Trudel-Lapierre (cyphermox) Status: Triaged ** Also affects: grub2 (Ubuntu Yakkety) Importance: Undecided Status: New ** Also affects: grub2-signed (Ubuntu Yakkety) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1401532 Title: GRUB's Secure Boot implementation loads unsigned kernel without warning To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
