Your message dated Sun, 23 Jun 2024 18:15:16 +0200
with message-id <2b8db8bdd94021516f0c80dc8ad1d90f8e82822c.camel@decadent.org.uk>
and subject line Re: linux-base: Presence of GPG signatures in /boot causes wrong kernels to be listed with linux-version
has caused the Debian Bug report #1035118,
regarding linux-base: Presence of GPG signatures in /boot causes wrong kernels to be listed with linux-version
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1035118: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1035118
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: linux-base: Presence of GPG signatures in /boot causes wrong kernels to be listed with linux-version
- From: abrasamji <debian.627of@simplelogin.com>
- Date: Sat, 29 Apr 2023 19:59:51 -0400
- Message-id: <168281279186.68496.2049752509615399879.reportbug@Alex-LT-2.internal.alexridevski.net>
Package: linux-base
Version: 4.6
Severity: important
X-Debbugs-Cc: debian.627of@simplelogin.com

Dear Maintainer,

Grub2 supports additional secure boot capabilities that are not commonly used but are required for security. These new features are being referenced in some security guides online. An end user may sign their initrd.img and vmlinuz files with a GPG detached signature. See Grub2's manual, section 18.2 "Using digital signatures in GRUB" for details.

Presence of these detached signatures causes the "linux-version" script to return the .sig files as valid kernels. Thus, when something runs update-initramfs -u (which calls "linux-version list"), the initramfs script will ingest the output from linux-version and overwrite an initrd.sig file with an initramfs, as well as several other negative effects from not having the proper kernel modules available.

The impact is an unbootable system, where Grub attempts to boot the correct kernel, but the initrd.img is not updated with new data, and the signature for the original initrd.img is overwritten with improper data. System can be recovered by picking an old kernel in the grub bootloader.

Thank you

-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bullseye-fasttrack')
Architecture: amd64 (x86_64)

Kernel: Linux 6.2.13-stripes-1-s-1.58 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_RANDSTRUCT
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-base depends on:
ii  debconf [debconf-2.0]  1.5.77

linux-base recommends no packages.

linux-base suggests no packages.

-- debconf information:
  linux-base/removing-title:
  linux-base/removing-running-kernel: true
--- End Message ---
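A constructed reproduction of the listing problem described in the report, added here and not code from linux-base or the reporter: a scratch directory stands in for /boot, a listing that does not exclude detached signatures yields a bogus version ending in .sig, and the initrd path derived from that version is exactly the existing signature file that update-initramfs would then overwrite; the filtered variant skips the .sig files.

```shell
#!/bin/sh
# Constructed reproduction (not linux-base code). A scratch directory stands
# in for /boot; the version string is the one from the bug report.

# Naive listing: every vmlinuz-* entry is taken as a kernel version, so the
# detached signature vmlinuz-<ver>.sig yields the bogus version "<ver>.sig".
list_kernels_naive() {
    for f in "$1"/vmlinuz-*; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/vmlinuz-}"
    done
}

# Filtered listing: skip detached GPG signatures before deriving the version.
list_kernels_safe() {
    for f in "$1"/vmlinuz-*; do
        [ -e "$f" ] || continue
        case "$f" in *.sig) continue ;; esac
        printf '%s\n' "${f##*/vmlinuz-}"
    done
}

# Path update-initramfs would write for a given version string: for the
# bogus ".sig" version this is exactly the existing initrd signature file.
initrd_target() {
    printf '%s/initrd.img-%s\n' "$1" "$2"
}

# Build the scratch /boot: kernel, initrd and a detached .sig for each
# (signature contents are constructed placeholders, not real GPG output).
make_fake_boot() {
    d=$(mktemp -d)
    ver=6.2.13-stripes-1-s-1.58
    : > "$d/vmlinuz-$ver"
    : > "$d/initrd.img-$ver"
    printf 'constructed detached signature\n' > "$d/vmlinuz-$ver.sig"
    printf 'constructed detached signature\n' > "$d/initrd.img-$ver.sig"
    printf '%s\n' "$d"
}

# Stand-alone run: compare both listings, then clean up.
boot=$(make_fake_boot)
echo "naive:"; list_kernels_naive "$boot"
echo "safe:";  list_kernels_safe "$boot"
rm -rf "$boot"
```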
--- Begin Message ---
- To: 1035118-done@bugs.debian.org
- Subject: Re: linux-base: Presence of GPG signatures in /boot causes wrong kernels to be listed with linux-version
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Sun, 23 Jun 2024 18:15:16 +0200
- Message-id: <2b8db8bdd94021516f0c80dc8ad1d90f8e82822c.camel@decadent.org.uk>
- In-reply-to: <168281279186.68496.2049752509615399879.reportbug@Alex-LT-2.internal.alexridevski.net>
- References: <168281279186.68496.2049752509615399879.reportbug@Alex-LT-2.internal.alexridevski.net>
Version: 4.9

On Sat, 29 Apr 2023 19:59:51 -0400 abrasamji <debian.627of@simplelogin.com> wrote:
> Package: linux-base
> Version: 4.6
> Severity: important
> X-Debbugs-Cc: debian.627of@simplelogin.com
>
> Dear Maintainer,
>
> Grub2 supports additional secure boot capabilities that are not commonly used but are required for security. These new features are being referenced in some security guides online. An end user may sign their initrd.img and vmlinuz files with a GPG detached signature. See Grub2's manual, section 18.2 "Using digital signatures in GRUB" for details.
>
> Presence of these detached signatures causes the "linux-version" script to return the .sig files as valid kernels. Thus, when something runs update-initramfs -u (which calls "linux-version list"), the initramfs script will ingest the output from linux-version and overwrite an initrd.sig file with an initramfs, as well as several other negative effects from not having the proper kernel modules available.
>
> The impact is an unbootable system, where Grub attempts to boot the correct kernel, but the initrd.img is not updated with new data, and the signature for the original initrd.img is overwritten with improper data. System can be recovered by picking an old kernel in the grub bootloader.

This is a duplicate of #906873 which was already fixed.

Ben.

--
Ben Hutchings
You can't have everything. Where would you put it?
--- End Message ---