[Bug 1890672] Re: secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2
Julian Andres Klode
1890672 at bugs.launchpad.net
Fri Aug 7 15:35:18 UTC 2020
Also, we use EFI signing, not gpg signing for kernels, and hence cannot
make any guarantees about non-EFI-signed binaries.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1890672
Title:
secure boot fails after upgrade to grub2-common 2.04-1ubuntu26.2
Status in grub2 package in Ubuntu:
Confirmed
Bug description:
I've been using https://github.com/donbowman/ubuntu-secure-boot on my
18.04 system for secure boot for just over two years. It worked quite
well. This morning I did a dist-upgrade. Upon reboot, the system
complained that my kernel wasn't signed (something along the lines of
"$KERNEL has invalid signature.").
I was fairly sure my kernel was signed, and signed properly, so I was
somewhat confused. In the past, when I had messed this up, I was able
to use `set check_signatures=no` to get the system to boot into the
OS. This no longer worked; it is as though that flag is now being
ignored. I had to disable secure boot in the bios to proceed and debug
the problem.
I upgraded to 20.04 in the hopes that that would fix my problem. I had
no success there either.
Searching around, I found this patch, which exists in a grub2 version
published recently in both 18.04 and 20.04:
+ [ Dimitri John Ledkov ]
+ * SECURITY UPDATE: Grub does not enforce kernel signature validation
+ when the shim protocol isn't present.
+ - 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
+ Fail kernel validation if the shim protocol isn't available
+ - CVE-2020-15705
...
diff -Nru grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch
--- grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.04/debian/patches/0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch 2020-07-20 18:19:08.000000000 +0000
@@ -0,0 +1,90 @@
+From 67508ab68e6a5be869e049a0e6474f4b717d3ab9 Mon Sep 17 00:00:00 2001
+From: Dimitri John Ledkov <xnox at ubuntu.com>
+Date: Wed, 22 Jul 2020 11:31:43 +0100
+Subject: linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre <cyphermox at ubuntu.com>
+Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
+---
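Review bot: the commit message explains the threat (grub signed by certificates enrolled in db, booted directly, loads kernels without validation) but not the new behaviour it imposes on exactly that configuration, so the message should state that a directly booted grub, running without the shim protocol, will now refuse to load any kernel, and how this check relates to the existing check_signatures setting; the report above observes that `set check_signatures=no` no longer bypasses the failure, which is the kind of operational consequence the message needs to spell out.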
<Main contents omitted>
See the following for the full diff http://launchpadlibrarian.net/490699204/grub2_2.04-1ubuntu26_2.04-1ubuntu26.1.diff.gz
The same can be seen in 18.04:
http://launchpadlibrarian.net/490699210/grub2_2.02-2ubuntu8.15_2.02-2ubuntu8.16.diff.gz
I downgraded my grub to the version prior to this change (2.04-1ubuntu26) and I can now boot using secure boot.
Given that the patch I pasted above logs the same error I was seeing,
and given that the change in 2.04-1ubuntu26.2 (the most recent) only
touches the post install, I'm fairly confident in saying that the
patch I pasted introduced my problem.
Now, perhaps there is a problem with how the secure boot package I am
using is working. I'd love to know what we should be doing differently if
so. However, given that check_signatures=no isn't working any more, and
it is in the official grub documentation
(https://www.gnu.org/software/grub/manual/grub/html_node/check_005fsignatures.html),
I think there's at least one bug here.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: grub2 (not installed)
ProcVersionSignature: Ubuntu 5.4.0-42.46-generic 5.4.44
Uname: Linux 5.4.0-42-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.6
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Thu Aug 6 15:55:17 2020
InstallationDate: Installed on 2018-05-10 (818 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SourcePackage: grub2
UpgradeStatus: Upgraded to focal on 2020-08-06 (0 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1890672/+subscriptions