
Re: Need to disable the devicetree command in Secure Boot mode

On Wed, Apr 24, 2019 at 05:26:00PM +0100, Steve McIntyre wrote:
>Source: grub2
>Version: 2.02+dfsg1-16
>Severity: serious
>Tags: security
>In discussion with upstream EFI and arm64 folks, it's become clear
>that in SB mode we should also be disabling the devicetree command in
>Secure Boot mode. I'm testing a patch right now, coming shortly.

We should also blacklist any of our old grub-efi-arm64-signed binaries
signed with our production key - this is a real hole that can totally
undermine SB. I'll work out how to do that for the next shim upload,
due in the next couple of days.

Steve McIntyre, Cambridge, UK.                                steve@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"
