Bug#927888: Need to disable the devicetree command in Secure Boot mode

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#927888: Need to disable the devicetree command in Secure Boot mode
From: Steve McIntyre <steve@einval.com>
Date: Wed, 24 Apr 2019 17:26:00 +0100
Message-id: <[🔎] 155612316022.19421.6644008913351404623.reportbug@tack.local>
Reply-to: Steve McIntyre <steve@einval.com>, 927888@bugs.debian.org

Source: grub2
Version: 2.02+dfsg1-16
Severity: serious
Tags: security

In discussion with upstream EFI and arm64 folks, it's become clear
that in SB mode we should also be disabling the devicetree command in
Secure Boot mode. I'm testing a patch right now, coming shortly.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Reply to:

Follow-Ups:
- Re: Need to disable the devicetree command in Secure Boot mode
  - From: Steve McIntyre <steve@einval.com>

Prev by Date: Bug#921760: marked as done (shim-signed: FTBFS (shimx64.efi.signed build/shimx64.efi.signed differ))
Next by Date: Re: Need to disable the devicetree command in Secure Boot mode
Previous by thread: Bug#921760: marked as done (shim-signed: FTBFS (shimx64.efi.signed build/shimx64.efi.signed differ))
Next by thread: Re: Need to disable the devicetree command in Secure Boot mode
Index(es):
- Date
- Thread