← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1401532] Re: GRUB's Secure Boot implementation loads unsigned kernel without warning

 

I'm updating the description for this bug and opening a grub2-signed
task (and the relevant release tasks). We're at the point where the
grub2 fallback code needs to be addressed.

** Description changed:

+ [Rationale]
+ GRUB should help us enforce that in UEFI mode, only signed kernels are loaded. It should not silently fall back to loading unsigned kernels.
+ 
+ [Impact]
+ All our users booting in UEFI; on all supported releases.
+ 
+ [Test cases]
+ 
+ = grub2 =
+ 
+ Booting unsigned kernels:
+ 1) Try to boot a custom kernel
+ 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature)
+ 
+ Booting signed kernels:
+ 1) Try to boot an official signed kernel (from -release or -updates)
+ 2) Verify that the system boots normally and no warnings are shown about signature.
+ 
+ 
+ [Regression Potential]
+ Any failure to boot presenting as a failure to load the kernel from within grub, with an "invalid signature" type error message or not, should be investigated as a potential regression of this stable update.
+ 
+ ---
+ 
  Me and some other students have conducted some various experiments on
  Secure Boot enabled machines. The main focus of the tests was to
  circumvent Secure Boot and load unsigned kernels or kernels that have
  been signed with other keys.
  
  On your SecureBoot (https://wiki.ubuntu.com/SecurityTeam/SecureBoot) it
  is outlined that GRUB will boot unsigned kernels when the kernel is
  unsigned. During one of our experiments it seemed that this statement
  was true and that GRUB loads unsigned kernels as described on your page.
  We understand that for various reasons GRUB should still support the
  use-case when an unsigned kernel must be loaded, but with the current
  approach the user isn't aware if there is a whole chain of trust. For
  example, it could still be possible to load some malware before it boots
  the Operating System itself (bootkits). One of the many reasons that
  Secure Boot has been developed is to protect the user from these kind of
  attacks.
  
  With the current approach the purpose of Secure Boot is somewhat
  defeated, and the user doesn't know if the whole chain has been verified
  or not. It could easily be the case that an unsigned kernel has been
  loaded by Ubuntu without the user noticing. From our point of view, a
  better approach would be to inform the user that an unsigned kernel will
  be loaded and that the user can make a choice if he/she wants to
  proceed. The default action could be to accept the option, remember the
  user's option and sometimes remind the user of the fact that it is
  loading an unsigned kernel.
  
  This problem is of course related to GRUB itself and not to Ubuntu
  itself. The reason for filing this bug and informing the SecurityTeam of
  Ubuntu is to ask for their opinions and what your point of view is on
  the current approach and to see if other users classify this as a "bug".
  
  GRUB2 versions: grub-2.02~beta2, 1.34.1+2.02~beta2-9ubuntu1
  Ubuntu version: Trusty (will also affect newer and older versions, GRUB specific problem)

** Also affects: grub2-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: grub2-signed (Ubuntu)
       Status: New => Triaged

** Changed in: grub2-signed (Ubuntu)
   Importance: Undecided => High

** Changed in: grub2-signed (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Also affects: grub2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Zesty)
   Importance: High
     Assignee: Mathieu Trudel-Lapierre (cyphermox)
       Status: Triaged

** Also affects: grub2-signed (Ubuntu Zesty)
   Importance: High
     Assignee: Mathieu Trudel-Lapierre (cyphermox)
       Status: Triaged

** Also affects: grub2 (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1401532

Title:
  GRUB's Secure Boot implementation loads unsigned kernel without
  warning

Status in grub2 package in Ubuntu:
  Triaged
Status in grub2-signed package in Ubuntu:
  Triaged
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in grub2 source package in Yakkety:
  New
Status in grub2-signed source package in Yakkety:
  New
Status in grub2 source package in Zesty:
  Triaged
Status in grub2-signed source package in Zesty:
  Triaged

Bug description:
  [Rationale]
  GRUB should help us enforce that in UEFI mode, only signed kernels are loaded. It should not silently fall back to loading unsigned kernels.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]

  = grub2 =

  Booting unsigned kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature)

  Booting signed kernels:
  1) Try to boot an official signed kernel (from -release or -updates)
  2) Verify that the system boots normally and no warnings are shown about signature.

  
  [Regression Potential]
  Any failure to boot presenting as a failure to load the kernel from within grub, with an "invalid signature" type error message or not, should be investigated as a potential regression of this stable update.

  ---

  Me and some other students have conducted some various experiments on
  Secure Boot enabled machines. The main focus of the tests was to
  circumvent Secure Boot and load unsigned kernels or kernels that have
  been signed with other keys.

  On your SecureBoot (https://wiki.ubuntu.com/SecurityTeam/SecureBoot)
  it is outlined that GRUB will boot unsigned kernels when the kernel is
  unsigned. During one of our experiments it seemed that this statement
  was true and that GRUB loads unsigned kernels as described on your
  page. We understand that for various reasons GRUB should still support
  the use-case when an unsigned kernel must be loaded, but with the
  current approach the user isn't aware if there is a whole chain of
  trust. For example, it could still be possible to load some malware
  before it boots the Operating System itself (bootkits). One of the
  many reasons that Secure Boot has been developed is to protect the
  user from these kind of attacks.

  With the current approach the purpose of Secure Boot is somewhat
  defeated, and the user doesn't know if the whole chain has been
  verified or not. It could easily be the case that an unsigned kernel
  has been loaded by Ubuntu without the user noticing. From our point of
  view, a better approach would be to inform the user that an unsigned
  kernel will be loaded and that the user can make a choice if he/she
  wants to proceed. The default action could be to accept the option,
  remember the user's option and sometimes remind the user of the fact
  that it is loading an unsigned kernel.

  This problem is of course related to GRUB itself and not to Ubuntu
  itself. The reason for filing this bug and informing the SecurityTeam
  of Ubuntu is to ask for their opinions and what your point of view is
  on the current approach and to see if other users classify this as a
  "bug".

  GRUB2 versions: grub-2.02~beta2, 1.34.1+2.02~beta2-9ubuntu1
  Ubuntu version: Trusty (will also affect newer and older versions, GRUB specific problem)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532/+subscriptions