[Bug 1851897] Re: devicetree command should be disabled in Secure Boot mode

Launchpad Bug Tracker 1851897 at bugs.launchpad.net
Thu Dec 5 12:50:09 UTC 2019 

This bug was fixed in the package grub2 - 2.02-2ubuntu8.14

---------------
grub2 (2.02-2ubuntu8.14) bionic; urgency=medium

  * Fix kexec on ACPI/UEFI ARM systems w/ crashkernel reserved memory
    beyond the 4GiB boundary. (LP: #1851190)
  * Apply patch from Peter Jones to forbid the "devicetree" command when
    Secure Boot is enabled. (LP: #1851897)

 -- dann frazier <dannf at ubuntu.com>  Sun, 10 Nov 2019 22:52:35 -0700

** Changed in: grub2 (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1851897

Title:
  devicetree command should be disabled in Secure Boot mode

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Bionic:
  Fix Released
Status in grub2-signed source package in Bionic:
  Fix Released
Status in grub2 source package in Disco:
  Fix Released
Status in grub2-signed source package in Disco:
  Fix Released
Status in grub2 source package in Eoan:
  Fix Released
Status in grub2-signed source package in Eoan:
  Fix Released
Status in grub2 source package in Focal:
  Fix Released
Status in grub2-signed source package in Focal:
  Fix Released
Status in grub2 package in Debian:
  Fix Released

Bug description:
  [Impact]
  A devicetree command could be used to load an unsigned device tree file, which will override the hardware configuration exposed to the kernel. This could potentially be used to subvert Secure Boot.

  [Test Case]
  grub> devicetree foo
  error: Secure Boot forbids loading devicetree from foo.

  [Regression Risk]
  The idea of Secure Boot and externally provided devicetree are inherently incompatible - there's no known system that requires this config, but it is of course possible someone somewhere is doing it.

  The code involved is restricted to devicetree code, so impact would be
  restricted to ARM systems.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1851897/+subscriptions

More information about the foundations-bugs mailing list