
Re: Need to disable the devicetree command in Secure Boot mode



On Wed, Apr 24, 2019 at 05:26:00PM +0100, Steve McIntyre wrote:
>Source: grub2
>Version: 2.02+dfsg1-16
>Severity: serious
>Tags: security
>
>In discussion with upstream EFI and arm64 folks, it's become clear
>that in SB mode we should also be disabling the devicetree command in
>Secure Boot mode. I'm testing a patch right now, coming shortly.

We should also blacklist any of our old grub-efi-arm64-signed binaries
signed with our production key - this is a real hole that can totally
undermine SB. I'll work out how to do that for the next shim upload,
due in the next couple of days.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"

