On Thu, Aug 03, 2017 at 10:21:43AM -0600, Chris Murphy wrote:
security@ and security-team@ have no meaningful activity in at least
the last 6 months so I'm posting this here.
grub2 incorrectly initialises the boot_params from the kernel image
https://bugzilla.redhat.com/show_bug.cgi?id=1418360
The gist is that the bug means the kernel can't determine UEFI secure
boot state, considers it not enabled, resulting in the kernel not
enabling certain checks it otherwise does when it knows secure boot is
enabled. Ergo, users who have secure boot enabled are not getting the
full benefit of secure boot, and this fallback is pretty much silent
(you'd have to be looking at kernel messages to know you're not
protected).
Fedora 26 has grub2-2.02-0.40.fc26.x86_64 which contains the fix. It
was proposed as a blocker bug, bug was rejected because it doesn't
have a formal security evaluation.
However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
and Rawhide both still have this problem. And I think it needs
attention.
My understanding is that dhowells was going to revert part of the kernel
change that led to this in F25. I didn't realize we'd pushed the
problem back to F24 as well, so I guess we ought to solve it there
before it's too late.
For rawhide I've built the fixed grub2 package. I guess I can build one
for F24 and F25 as well, though I was hoping this would be solved by the
kernel not breaking our expectations.
--
Peter