Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
From: John Paul Adrian Glaubitz
Subject: Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
Date: Wed, 29 Jul 2020 23:33:27 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
Hi Dimitri!
On 7/29/20 11:20 PM, Dimitri John Ledkov wrote:
> Disclosures were done to a subset of binary distributions that have a
> trust path to shims signed with Microsoft UEFI CA 2011 db key. Arch
> Linux does not provide shim-signed with keys controlled by Arch Linux
> and it doesn't provide pre-signed secureboot kernels.
>
> Reading Arch Linux documentation it seems that Fedora's shim is used
> together with self-signed Mok Keys.
>
> Mitigation strategy for Arch Linux will then be quite different to
> everyone else:
>
> 1) Update to new shim from fedora when available, as previous ones are
> going to be revoked by the dbxupdate from uefi.org
> 2) Patch Archlinux grub
> 3) Patch Archlinux kernel for lockdown bypass
> 4) Generate new MOK key, enroll it into MOK
> 5) Sign patched grub/kernel with the new MOK key
> 6) Provide instructions for users to revoke their old key via MOKX,
> i.e. use mokutil --mokx --import existing cert; or for example delete
> the old key from MOK with --delete old-cert.der
>
> This is just a rough guideline, please analyze how signing keys are
> controlled and used on typical Arch Linux deployment and adjust things
> to taste.
>
> The key point is to rotate the signing key used for
> shim/grub/kernel/fwupd, only use the new key to sign fixed things, and
> ensure that old key is no longer trusted (removed from MOK, or added
> to MOKX).
Thanks for describing the detailed procedure, very informative.
Adrian
--
.''`. John Paul Adrian Glaubitz
: :' : Debian Developer - glaubitz@debian.org
`. `' Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
`- GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
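
Steps 4-6 of the procedure quoted in this message, sketched as a shell script. This is an added example, not part of the original mail or of any distribution's tooling. The key basename, the CN, the binary names, the DRY_RUN switch and the use of sbsign/sbverify (sbsigntools) as the signing tool are assumptions; the mokutil invocations are the ones named in the quoted text.

```shell
#!/bin/sh
# Added example: steps 4-6 of the quoted procedure (rotate the MOK signing key).
# Assumed names: key basename, CN, binaries; sbsign/sbverify come from sbsigntools.
# DRY_RUN=1 (default) prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 4: new key pair, DER copy of the cert, enrollment request.
# mokutil asks for a one-time password; MokManager completes it on next boot.
new_mok_key() {  # $1 = basename of the new key files
    run openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=local-mok-rotated/" -keyout "$1.key" -out "$1.crt" &&
    run openssl x509 -in "$1.crt" -outform DER -out "$1.der" &&
    run mokutil --import "$1.der"
}

# Step 5: sign only the patched binaries, only with the new key, then verify.
sign_with_new_key() {  # $1 = key basename, rest = patched grub/kernel images
    base=$1; shift
    for bin in "$@"; do
        run sbsign --key "$base.key" --cert "$base.crt" \
            --output "$bin.signed" "$bin" &&
        run sbverify --cert "$base.crt" "$bin.signed" || return 1
    done
}

# Step 6: stop trusting the old key: add it to MOKX or delete it from MOK.
revoke_old_key() {  # $1 = old cert (DER), $2 = mokx | delete
    case "$2" in
        mokx)   run mokutil --mokx --import "$1" ;;
        delete) run mokutil --delete "$1" ;;
        *)      echo "unknown mode: $2" >&2; return 2 ;;
    esac
}

# Full rotation. Revocation runs last and only if every signature verified,
# so a failed signing step leaves the old key in place instead of half-rotated.
rotate() {  # $1 = new basename, $2 = old cert DER, $3 = mode, rest = binaries
    new=$1; old=$2; mode=$3; shift 3
    [ "$old" != "$new.der" ] || { echo "old and new cert are the same" >&2; return 1; }
    [ "$#" -gt 0 ] || { echo "nothing to sign" >&2; return 1; }
    new_mok_key "$new" && sign_with_new_key "$new" "$@" && revoke_old_key "$old" "$mode"
}
# Usage (as root): DRY_RUN=0 rotate newmok old-cert.der mokx grubx64.efi vmlinuz
```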