Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole

From: John Paul Adrian Glaubitz
Subject: Re: [SECURITY PATCH 00/28] Multiple GRUB2 vulnerabilities - BootHole
Date: Wed, 29 Jul 2020 23:33:27 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0

Hi Dimitri!

On 7/29/20 11:20 PM, Dimitri John Ledkov wrote:
> Disclosures were done to a subset of binary distributions that have a
> trust path to shims signed with Microsoft UEFI CA 2011 db key. Arch
> Linux does not provide shim-signed with keys controlled by Arch Linux
> and it doesn't provide pre-signed secureboot kernels.
> Reading Arch Linux documentation it seems that Fedora's shim is used
> together with self-signed Mok Keys.
> Mitigation strategy for Arch Linux will then be quite different to
> everyone else:
> 1) Update to new shim from fedora when available, as previous ones are
> going to be revoked by the dbxupdate from
> 2) Patch Arch Linux grub
> 3) Patch Arch Linux kernel for lockdown bypass
> 4) Generate new MOK key, enroll it into MOK
> 5) Sign patched grub/kernel with the new MOK key
> 6) Provide instructions for users to revoke their old key via MOKX,
> i.e. use mokutil --mokx --import existing cert; or for example delete
> the old key from MOK with --delete old-cert.der
> This is just a rough guideline, please analyze how signing keys are
> controlled and used on typical Arch Linux deployment and adjust things
> to taste.
> The key point is to rotate the signing key used for
> shim/grub/kernel/fwupd, only use the new key to sign fixed things, and
> ensure that old key is no longer trusted (removed from MOK, or added
> to MOKX).

Thanks for describing the detailed procedure, very informative.


 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer -
`. `'   Freie Universitaet Berlin -
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

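The key-rotation steps quoted above (generate a new MOK key, sign only the fixed grub/kernel with it, enroll it and deny-list the old certificate via MOKX), as an added shell example that is not from this thread or from any distribution's tooling. The file paths, key file names and the tool set (openssl, sbsigntools, mokutil) are assumptions; the enrollment and MOKX changes only take effect when MokManager confirms them on the next reboot.

```shell
#!/bin/sh
# Added example of MOK key rotation after BootHole. Assumed (not from the thread):
# old cert in ./old-mok.der, new key written to ./new-mok.{key,crt,der}, and the
# patched binaries at /boot/efi/EFI/arch/grubx64.efi and /boot/vmlinuz-linux.
set -eu

# Step 4: generate a new MOK signing key plus a DER copy of the cert for enrollment.
gen_mok_key() {
    name="$1"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Arch Linux MOK rotated $(date +%Y-%m-%d)/" \
        -keyout "$name.key" -out "$name.crt"
    openssl x509 -in "$name.crt" -outform DER -out "$name.der"
}

# Step 5: sign ONLY the patched binaries with the new key and verify each one;
# anything signed with the old key is meant to stop booting once it is in MOKX.
sign_with_new_key() {
    name="$1"; shift
    for bin in "$@"; do
        sbsign --key "$name.key" --cert "$name.crt" --output "$bin.signed" "$bin"
        sbverify --cert "$name.crt" "$bin.signed"
        mv "$bin.signed" "$bin"
    done
}

# Steps 4 and 6: queue the new cert for MOK and the old cert for MOKX (deny list).
# Alternative to MOKX, as in the thread: mokutil --delete old-mok.der
rotate_trust() {
    mokutil --import "$1.der"
    mokutil --mokx --import "$2"
}

# Sanity check before touching firmware variables: a "rotation" that re-enrolls
# the very same certificate bytes leaves the compromised key trusted.
certs_differ() {
    ! cmp -s "$1" "$2"
}

main() {
    gen_mok_key new-mok
    certs_differ new-mok.der old-mok.der
    sign_with_new_key new-mok /boot/efi/EFI/arch/grubx64.efi /boot/vmlinuz-linux
    rotate_trust new-mok old-mok.der
    mokutil --list-new   # what MokManager will ask to enroll at next boot
}

if [ "${1:-}" = run ]; then main; fi
```

Run as root with `sh rotate-mok.sh run` and then reboot into MokManager to confirm both the enrollment and the MOKX entry.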