[Bug 1851897] Re: devicetree command should be disabled in Secure Boot mode
Bug Watch Updater
1851897 at bugs.launchpad.net
Sat Nov 9 02:52:45 UTC 2019
** Changed in: grub2 (Debian)
Status: Unknown => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1851897
Title:
devicetree command should be disabled in Secure Boot mode
Status in grub2 package in Ubuntu:
Fix Released
Status in grub2 source package in Bionic:
In Progress
Status in grub2 source package in Disco:
In Progress
Status in grub2 source package in Eoan:
Fix Released
Status in grub2 source package in Focal:
Fix Released
Status in grub2 package in Debian:
Fix Released
Bug description:
[Impact]
A devicetree command could be used to load an unsigned device tree file, which will override the hardware configuration exposed to the kernel. This could potentially be used to subvert Secure Boot.
[Test Case]
grub> devicetree foo
error: Secure Boot forbids loading devicetree from foo.
[Regression Risk]
The idea of Secure Boot and externally provided devicetree are inherently incompatible - there's no known system that requires this config, but it is of course possible someone somewhere is doing it.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1851897/+subscriptions
More information about the foundations-bugs
mailing list