[Bug 842144] New: Secure-boot is useless
https://bugzilla.novell.com/show_bug.cgi?id=842144 https://bugzilla.novell.com/show_bug.cgi?id=842144#c0 Summary: Secure-boot is useless Classification: openSUSE Product: openSUSE Factory Version: 13.1 Beta 1 Platform: x86-64 OS/Version: Other Status: NEW Severity: Enhancement Priority: P5 - None Component: Bootloader AssignedTo: jsrain@suse.com ReportedBy: nrickert@ameritech.net QAContact: jsrain@suse.com Found By: --- Blocker: --- User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 I made that comment about secure-boot in a forum post http://forums.opensuse.org/english/get-technical-help-here/install-boot-logi... (see comment #21) after describing how I was "cheating" to enable me to boot 13.1. Briefly, I changed grub.cfg as follows: s/linuxefi/linux/ s/initrdefi/initrd/ and that bypasses checking of the signature of the kernel. arvidjaar (Andrey) asked me to post a bug report to have a place for discussion. I'll flag this as an enhancement request for the moment. Reproducible: Always Steps to Reproduce: 1. 2. 3. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c1
--- Comment #1 from Neil Rickert
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c2
Andrey Borzenkov
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c
Jiri Srain
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c3
--- Comment #3 from Michael Chang
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c4
--- Comment #4 from Andrey Borzenkov
Recent grub2-secureboot-no-insmod-on-sb.patch has been refreshed and your trick will no longer work for new factory installation.
IIRC Neil was having this problem in 13.1B1 which should already include this patch? Neil, which exact version of grub2 do you have? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c5
Neil Rickert
Neil, which exact version of grub2 do you have?
That trick was with the grub2-efi from 12.3. I can't get the grub from 13.1 to do anything unless I disable secure-boot. In "insmod" really disabled -- perhaps that's part of the problem. In my opinion, it should be checking the validity of insmod loads (either a signature verification or file hash check from a compiled-in list of hashes). I note that the entry to start Windows uses some "insmod" lines. I am not sure to what extent UUID searches depend on "insmod", but if they do then that could also pose a problem with blocking "insmod". I cannot rely on lines such as "set root='hd0,gpt1'". That particular one probably works. But the BIOS hard disk numbering on my box depends on whether a USB disk is plugged in. And on the first boot after install from a USB, there is likely to be a USB flash drive plugged in.
I would not call it enhancement
I'll see if I can change that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c6
--- Comment #6 from Andrey Borzenkov
That trick was with the grub2-efi from 12.3.
You filed bug against 13.1 Unless you can reproduce it with grub from that version, the bug should be closed as invalid.
In "insmod" really disabled -- perhaps that's part of the problem. In my opinion, it should be checking the validity of insmod loads (either a signature verification or file hash check from a compiled-in list of hashes).
Current grub2 supports (mandatory) signature verification. Minor details are key management and what to do with volatile files (grub.cfg, grubenv and similar) :) But this better is discussed in feature request.
I am not sure to what extent UUID searches depend on "insmod",
Signed grub binary includes support for UUID search. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c7
--- Comment #7 from Michael Chang
Current grub2 supports (mandatory) signature verification. Minor details are key management and what to do with volatile files (grub.cfg, grubenv and similar) :) But this better is discussed in feature request.
IT be a rather big topic. :) I can imagine two of them here .. :) 1. shim might have to offer MOKx to blacklist MOK or hash of binary, therefore if we fix or improve any vulnerability in bootloader (like this case), then it's possible to have a new cert and blacklist the old one (there's seems to be progress or directing on this in upstream shim ..). 2. grub2 is possible to load signed module and signed grubenv file. Well, as long as grub2 only accept gpg signing keys and tools I don't know how can it be integrated to MOK keyrings and probably potential license issues on different crypto implementations etc (openssl/gpg/nss). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c8
--- Comment #8 from Neil Rickert
the bug should be closed as invalid. (c #6 )
I won't change it until I have tested a working 13.1 (secure-boot working). I hope I'll see that with RC1. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=842144
https://bugzilla.novell.com/show_bug.cgi?id=842144#c9
Neil Rickert
participants (1)
-
bugzilla_noreply@novell.com