From: Dimitri John Ledkov <xnox@ubuntu.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Cc: Christian Hesse <list@eworm.de>, Daniel Kiper <daniel.kiper@oracle.com>
Subject: Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
Date: Wed, 29 Jul 2020 22:20:01 +0100 [thread overview]
Message-ID: <CANBHLUimFurvaVO7wkHJtME91UsfdC3=p-TmiAej2id3cJDEYQ@mail.gmail.com> (raw)
In-Reply-To: <fdf16dec-ee5e-3f1e-5993-bf765b304589@physik.fu-berlin.de>
On Wed, 29 Jul 2020 at 21:20, John Paul Adrian Glaubitz
<glaubitz@physik.fu-berlin.de> wrote:
>
> On 7/29/20 10:12 PM, Christian Hesse wrote:
> > This does not apply on top of grub 2.04. Will downstream maintainers have to
> > do their cherry-picking on its own or will a maintenance branch on top of
> > grub-2.04 (or what ever) be available?
> > I would like to push updates to the Arch Linux repositories.
>
> You may want to look at the Debian package which already has the patches
> applied in Debian unstable [1].
>
> I'm surprised that Arch did not receive a disclosure of the vulnerabilities
> under NDA since Debian and the various enterprise distributions have it
> already.
Disclosures were done to a subset of binary distributions that have a
trust path to shims signed with Microsoft UEFI CA 2011 db key. Arch
Linux does not provide shim-signed with keys controlled by Arch Linux
and it doesn't provide pre-signed secureboot kernels.
Reading Arch Linux documentation it seems that Fedora's shim is used
together with self-signed Mok Keys.
Mitigation strategy for Arch Linux will then be quite different to
everyone else:
1) Update to new shim from fedora when available, as previous ones are
going to be revoked by the dbxupdate from uefi.org
2) Patch Archlinux grub
3) Patch Archilinux kernel for lockdown bypass
4) Generate new MOK key, enroll it into MOK
5) Sign patched grub/kernel with the new MOK key
6) Provide instructions for users to revoke their old key via MOKX,
i.e. use mokutil --mokx --import existing cert; or for example delete
the old key from MOK with --delete old-cert.der
This is just a rough guideline, please analyze how signing keys are
controlled and used on typical Arch Linux deployment and adjust things
to taste.
The key point is to rotate the signing key used for
shim/grub/kernel/fwupd, only use the new key to sign fixed things, and
ensure that old key is no longer trusted (removed from MOK, or added
to MOKX).
--
Regards,
Dimitri.
next prev parent reply other threads:[~2020-07-29 21:20 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-29 17:00 [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 01/28] yylex: Make lexer fatal errors actually be fatal Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 02/28] safemath: Add some arithmetic primitives that check for overflow Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 03/28] calloc: Make sure we always have an overflow-checking calloc() available Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 04/28] calloc: Use calloc() at most places Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 05/28] malloc: Use overflow checking primitives where we do complex allocations Daniel Kiper
2021-09-10 16:10 ` Glenn Washburn
2020-07-29 17:00 ` [SECURITY PATCH 06/28] iso9660: Don't leak memory on realloc() failures Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 07/28] font: Do not load more than one NAME section Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 08/28] gfxmenu: Fix double free in load_image() Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 09/28] xnu: Fix double free in grub_xnu_devprop_add_property() Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 10/28] json: Avoid a double-free when parsing fails Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 11/28] lzma: Make sure we don't dereference past array Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 12/28] term: Fix overflow on user inputs Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 13/28] udf: Fix memory leak Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 14/28] multiboot2: Fix memory leak if grub_create_loader_cmdline() fails Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 15/28] tftp: Do not use priority queue Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 16/28] relocator: Protect grub_relocator_alloc_chunk_addr() input args against integer underflow/overflow Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 17/28] relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 18/28] script: Remove unused fields from grub_script_function struct Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 19/28] script: Avoid a use-after-free when redefining a function during execution Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 20/28] relocator: Fix grub_relocator_alloc_chunk_align() top memory allocation Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 21/28] hfsplus: Fix two more overflows Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 22/28] lvm: Fix two more potential data-dependent alloc overflows Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 23/28] emu: Make grub_free(NULL) safe Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 24/28] efi: Fix some malformed device path arithmetic errors Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 25/28] efi/chainloader: Propagate errors from copy_file_path() Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 26/28] efi: Fix use-after-free in halt/reboot path Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 27/28] loader/linux: Avoid overflow on initrd size calculation Daniel Kiper
2020-07-29 17:00 ` [SECURITY PATCH 28/28] linux: Fix integer overflows in initrd size handling Daniel Kiper
2020-07-29 20:12 ` [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole Christian Hesse
2020-07-29 20:20 ` John Paul Adrian Glaubitz
2020-07-29 21:20 ` Dimitri John Ledkov [this message]
2020-07-29 21:33 ` John Paul Adrian Glaubitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANBHLUimFurvaVO7wkHJtME91UsfdC3=p-TmiAej2id3cJDEYQ@mail.gmail.com' \
--to=xnox@ubuntu.com \
--cc=daniel.kiper@oracle.com \
--cc=grub-devel@gnu.org \
--cc=list@eworm.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.