[Bug 1475954] Re: grub does not validate kernel signature during secure boot
Craig G
cgallek at gmail.com
Thu Jul 23 15:22:42 UTC 2015
Thanks for the update. Do you know if it's even possible to use grub to
verify the signatures of the currently distributed signed Ubuntu
kernels? As far as I can tell, grub only supports gpg detached
signatures. The Ubuntu kernels seem to be signed using sbsigntool with
an X509 certificate and private key.
If not, I believe the only way to actually use secure boot with an
Ubuntu kernel is to directly load the kernel from the EFI without using
grub...
https://bugs.launchpad.net/bugs/1475954
Title:
grub does not validate kernel signature during secure boot
Status in grub2 package in Ubuntu:
Confirmed
Bug description:
I've been playing around with secure boot recently and I think I've
found an issue with the signed grub efi image that ships with Ubuntu
(15.04).
When booting in secure mode, it is not possible to load modules from
grub, meaning they must all be statically linked into the efi image
before it is signed (the current list of included modules is in
debian/build-efi-images). The grub module responsible for verifying file
signatures is 'verify' and it is not included as part of the signed
grub image in the grub-efi-amd64-signed package.
Further, even if this module was included, there are no public keys
included in the grub image (these are usually included using the
--pubkey flag of grub-mkimage).
Both of these issues mean that despite booting a signed kernel image
from grub (like vmlinuz-3.19.0-22-generic.efi.signed), the signature
of the kernel is never actually validated before it is launched.
I've managed to get a version of the grub.efi loader to boot in secure
mode with the verify module included and my personal gpg public key
included. It now refuses to boot the Ubuntu signed kernel because of
the signature mismatch. I haven't been able to test the successful
case, though, because I can't seem to find the gpg public key that is
used to sign the Ubuntu kernels...
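An added example, not code from the bug report, grub or Ubuntu: a small Python check that tells whether a kernel image carries the embedded PE Attribute Certificate Table that sbsign produces (Authenticode), and whether a companion file is an OpenPGP detached signature of the kind grub's 'verify' module can check against a key embedded with --pubkey. The PE image it inspects is constructed inline for the demonstration, and all function names are this example's own.

```python
import struct

def pe_security_directory(data):
    """(file offset, size) of the PE Attribute Certificate Table, or None if the image has no embedded Authenticode signature."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = pe_off + 24                      # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                     # PE32+, used by x86_64 EFI binaries
        nrva_off, dd_off = opt + 108, opt + 112
    elif magic == 0x10B:                   # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", data, nrva_off)[0] < 5:
        return None                        # header too short to hold a Security entry
    off, size = struct.unpack_from("<II", data, dd_off + 4 * 8)  # index 4 = Security
    return (off, size) if off and size else None  # this entry is a raw file offset, not an RVA

def is_openpgp_signature(sig):
    """True if sig starts with an OpenPGP signature packet (tag 2), i.e. a gpg detached .sig as grub verify expects."""
    if not sig or not sig[0] & 0x80:
        return False
    tag = sig[0] & 0x3F if sig[0] & 0x40 else (sig[0] >> 2) & 0x0F
    return tag == 2

def signature_schemes(image, detached_sig=b""):
    """Signature formats present for a kernel; only 'gpg-detached' is usable by grub's verify module."""
    has_pe_sig = pe_security_directory(image) is not None
    return [n for n, ok in (("authenticode", has_pe_sig), ("gpg-detached", is_openpgp_signature(detached_sig))) if ok]

def build_pe32plus(cert_blob=b""):
    """Constructed minimal PE32+ header (not a real kernel), optionally with an attached cert table."""
    hdr_end = 64 + 4 + 20 + 240            # DOS header, PE sig, COFF header, PE32+ optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    table = b""
    if cert_blob:                          # WIN_CERTIFICATE: dwLength, wRevision 0x0200, type 2 = PKCS#7
        table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
        struct.pack_into("<II", opt, 112 + 4 * 8, hdr_end, len(table))
    return dos + b"PE\0\0" + coff + bytes(opt) + table
```

Run against a real vmlinuz-*.efi.signed (and any .sig next to it) the same functions show which of the two signature paths grub could actually verify.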