Merge ~eslerm/ubuntu-cve-tracker:grub2-boilerplate into ubuntu-cve-tracker:master

Proposed by Mark Esler
Status: Merged
Merged at revision: b483091a646c3b09805831b449cac5fd66d6e547
Proposed branch: ~eslerm/ubuntu-cve-tracker:grub2-boilerplate
Merge into: ubuntu-cve-tracker:master
Diff against target: 162 lines (+122/-0)
6 files modified
boilerplates/grub2 (+61/-0)
boilerplates/grub2-signed (+1/-0)
boilerplates/grub2-unsigned (+1/-0)
boilerplates/secureboot-db (+57/-0)
boilerplates/shim (+1/-0)
boilerplates/shim-signed (+1/-0)
Reviewers (review type, status):
Chris Coulson: Approve
Steve Langasek (community): Approve
Alex Murray: Pending
Dimitri John Ledkov: Pending
Steve Beattie: Pending
Review via email: mp+447456@code.launchpad.net

Commit message

grub2* boilerplate init

trusty/esm_grub2 and trusty/esm_grub2-unsigned require a justification. This justification should be in the UEFI meeting notes from 2022-09-22, but I need access.

xnox suggested tracking secureboot-db on all grub CVEs. grub vulnerabilities and loading vulnerable-non-revoked software are separate issues, so I made separate boilerplate.

However, the importance of secureboot-db cannot be lost. An evil housekeeper attack becomes possible as soon as *a* bypass (CVE) is found in grub2-current and this is not resolved until old keys are revoked. We have no tooling to track when this occurs. (there has never been a -security release for secureboot-db)

Mark Esler (eslerm) wrote :

shim should also be tracked

Mark Esler (eslerm) wrote :

CVE-2020-15705 [0] and CVE-2021-3418 [1] are duplicates, except they are related to Grub prior to 2.04 and 2.06 respectively. Each is for evil housekeeper attacks based on shims (i.e., BlackLotus like). They are assigned after a grub2 CVE is discovered in the previous version.

These CVEs should be used to track secureboot-db and shim.

Canonical is the CNA for CVE-2020-15705. I believe we need to amend our CVE publication. CVE-2021-3418 was assigned by Red Hat and follows the previous CVE's description. Ubuntu is affected by both, but UCT does not track this yet.

Tooling is needed to explain the difference between grub2 and secureboot-db to CVE triagers.

[0] https://nvd.nist.gov/vuln/detail/CVE-2020-15705
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-3418

Dimitri John Ledkov (xnox) wrote :

> trusty/esm_grub2: ignored (JUSTIFICATION NEEDED)

We cannot update secureboot-db because it would invalidate installer media, just like other ESM. We cannot update to new signing keys of kernel for trusty because GA trusty kernel lacks features needed by the new keys signing policies. This leaves grub as pointless to update, sort of, as it can be always circumvented. Separately secureboot on servers on Trusty is rarely used, making patching it sort of useless too. In essence, patching grub in trusty would only give a false sense of security.

We could upgrade grub2 to the new grub2-unsigned split. But that doesn't solve the installer problem.

I agree with everything else in the templates. I wonder if trusty ones need unique explanation or assessment. Or like case by case patching only if it affects secureboot.

Mark Esler (eslerm) wrote :

> In essence, patching grub in trusty would only give a false sense of security.

This is true for xenial too, except kernel support is not a factor.

On one hand, I would like to patch all the holes in the fence even if the gate is open. Potentially, someone could use a fresh key to lock the gate. On the other hand, this effort could be placed elsewhere. There is little demand for custom keys.

Mark Esler (eslerm) wrote :

The only case I have heard of others signing their own keys for Ubuntu Secure Boot is interest in the latest FIPS support. The scenario is unlikely and, when it does occur, is unlikely to use ESM.

Steve Langasek (vorlon):
review: Approve
Chris Coulson (chrisccoulson) wrote :

This looks ok - I've added a couple of minor comments.

review: Approve

Preview Diff

1diff --git a/boilerplates/grub2 b/boilerplates/grub2
2new file mode 100644
3index 0000000..d0926e1
4--- /dev/null
5+++ b/boilerplates/grub2
6@@ -0,0 +1,61 @@
7+Candidate:
8+PublicDate:
9+References:
10+Description:
11+Ubuntu-Description:
12+Notes:
13+ eslerm> grub2-unsigned contains Secure Boot security fixes
14+ eslerm> the grub2 package unlikely affects Ubuntu's Secure Boot
15+ eslerm> grub2 and grub2-unsigned should have same major version
16+ eslerm> Ubuntu Secure Boot and ESM do not cover i386
17+ eslerm> trusty's GA kernel cannot handle new versions of grub
18+ eslerm| Note that key revocation is required to protect against
19+ evil housekeeper attacks (such as BlackLotus)
20+Mitigation:
21+Bugs:
22+Priority: untriaged
23+Discovered-by:
24+Assigned-to:
25+CVSS:
26+
27+Patches_grub2:
28+upstream_grub2: needs-triage
29+trusty_grub2: ignored (end of standard support)
30+trusty/esm_grub2: ignored (update incompatible with kernel)
31+xenial_grub2: ignored (end of standard support)
32+esm-infra/xenial_grub2: needs-triage
33+bionic_grub2: ignored (end of standard support)
34+esm-infra/bionic_grub2: needs-triage
35+focal_grub2: needs-triage
36+jammy_grub2: needs-triage
37+kinetic_grub2: needs-triage
38+lunar_grub2: needs-triage
39+devel_grub2: needs-triage
40+
41+Patches_grub2-unsigned:
42+upstream_grub2-unsigned: needs-triage
43+trusty_grub2-unsigned: ignored (end of standard support)
44+trusty/esm_grub2-unsigned: ignored (update incompatible with kernel)
45+xenial_grub2-unsigned: ignored (end of standard support)
46+esm-infra/xenial_grub2-unsigned: needs-triage
47+bionic_grub2-unsigned: ignored (end of standard support)
48+esm-infra/bionic_grub2-unsigned: needs-triage
49+focal_grub2-unsigned: needs-triage
50+jammy_grub2-unsigned: needs-triage
51+kinetic_grub2-unsigned: needs-triage
52+lunar_grub2-unsigned: needs-triage
53+devel_grub2-unsigned: needs-triage
54+
55+Patches_grub2-signed:
56+upstream_grub2-signed: needs-triage
57+trusty_grub2-signed: DNE
58+trusty/esm_grub2-signed: DNE
59+xenial_grub2-signed: ignored (end of standard support)
60+esm-infra/xenial_grub2-signed: needs-triage
61+bionic_grub2-signed: ignored (end of standard support)
62+esm-infra/bionic_grub2-signed: needs-triage
63+focal_grub2-signed: needs-triage
64+jammy_grub2-signed: needs-triage
65+kinetic_grub2-signed: needs-triage
66+lunar_grub2-signed: needs-triage
67+devel_grub2-signed: needs-triage
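Review bot: the trusty_grub2-unsigned and trusty/esm_grub2-unsigned rows (ignored, update incompatible with kernel) look inconsistent with trusty_grub2-signed: DNE and with the comment above that moving trusty to the grub2-unsigned split would be an upgrade; if trusty never shipped grub2-unsigned, those two rows should read DNE as well, otherwise a Notes line confirming the package exists there would help triagers. On the Notes block, "the grub2 package unlikely affects Ubuntu's Secure Boot" reads better as "the grub2 package is unlikely to affect Ubuntu's Secure Boot".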
68diff --git a/boilerplates/grub2-signed b/boilerplates/grub2-signed
69new file mode 120000
70index 0000000..d0335b0
71--- /dev/null
72+++ b/boilerplates/grub2-signed
73@@ -0,0 +1 @@
74+grub2
75\ No newline at end of file
76diff --git a/boilerplates/grub2-unsigned b/boilerplates/grub2-unsigned
77new file mode 120000
78index 0000000..d0335b0
79--- /dev/null
80+++ b/boilerplates/grub2-unsigned
81@@ -0,0 +1 @@
82+grub2
83\ No newline at end of file
84diff --git a/boilerplates/secureboot-db b/boilerplates/secureboot-db
85new file mode 100644
86index 0000000..5dcf370
87--- /dev/null
88+++ b/boilerplates/secureboot-db
89@@ -0,0 +1,57 @@
90+Candidate:
91+PublicDate:
92+References:
93+Description:
94+Ubuntu-Description:
95+Notes:
96+ eslerm> secureboot-db should only ever be updated after shim
97+ eslerm| secureboot-db is not updated on ESM releases as doing so
98+ would revoke install media keys
99+ eslerm| Note that key revocation is required to protect against
100+ evil housekeeper attacks (such as BlackLotus)
101+Mitigation:
102+Bugs:
103+Priority: untriaged
104+Discovered-by:
105+Assigned-to:
106+CVSS:
107+
108+Patches_secureboot-db:
109+upstream_secureboot-db: needs-triage
110+trusty_secureboot-db: ignored (end of standard support)
111+trusty/esm_secureboot-db: ignored (install media keys will never be revoked)
112+xenial_secureboot-db: ignored (end of standard support)
113+esm-infra/xenial_secureboot-db: ignored (install media keys will never be revoked)
114+bionic_secureboot-db: ignored (end of standard support)
115+esm-infra/bionic_secureboot-db: needs-triage
116+focal_secureboot-db: needs-triage
117+jammy_secureboot-db: needs-triage
118+kinetic_secureboot-db: needs-triage
119+lunar_secureboot-db: needs-triage
120+devel_secureboot-db: needs-triage
121+
122+Patches_shim-signed:
123+upstream_shim-signed: needs-triage
124+trusty_shim-signed: ignored (end of standard support)
125+trusty/esm_shim-signed: ignored (install media keys will never be revoked)
126+xenial_shim-signed: ignored (end of standard support)
127+esm-infra/xenial_shim-signed: ignored (install media keys will never be revoked)
128+bionic_shim-signed: ignored (end of standard support)
129+esm-infra/bionic_shim-signed: needs-triage
130+focal_shim-signed: needs-triage
131+jammy_shim-signed: needs-triage
132+lunar_shim-signed: needs-triage
133+devel_shim-signed: needs-triage
134+
135+Patches_shim:
136+upstream_shim: needs-triage
137+trusty_shim: ignored (end of standard support)
138+trusty/esm_shim: ignored (install media keys will never be revoked)
139+xenial_shim: ignored (end of standard support)
140+esm-infra/xenial_shim: ignored (install media keys will never be revoked)
141+bionic_shim: ignored (end of standard support)
142+esm-infra/bionic_shim: needs-triage
143+focal_shim: needs-triage
144+jammy_shim: needs-triage
145+lunar_shim: needs-triage
146+devel_shim: needs-triage
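Review bot: Patches_shim-signed and Patches_shim omit the kinetic row that Patches_secureboot-db and the grub2 boilerplate both carry; add kinetic_shim-signed and kinetic_shim, or note why kinetic is skipped for shim. Separately, the Notes line says secureboot-db is not updated on ESM releases, yet esm-infra/bionic_secureboot-db is needs-triage while esm-infra/xenial_secureboot-db is ignored (install media keys will never be revoked); if bionic ESM is a deliberate exception it deserves its own Notes line, otherwise it should carry the same ignored reason.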
147diff --git a/boilerplates/shim b/boilerplates/shim
148new file mode 120000
149index 0000000..0eead1e
150--- /dev/null
151+++ b/boilerplates/shim
152@@ -0,0 +1 @@
153+secureboot-db
154\ No newline at end of file
155diff --git a/boilerplates/shim-signed b/boilerplates/shim-signed
156new file mode 120000
157index 0000000..0eead1e
158--- /dev/null
159+++ b/boilerplates/shim-signed
160@@ -0,0 +1 @@
161+secureboot-db
162\ No newline at end of file
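The commit message notes there is no tooling to track this, and the discussion asks for tooling that explains the grub2 versus secureboot-db distinction to triagers. As an added example, not part of this merge proposal or of ubuntu-cve-tracker's own scripts, the Python below parses the `Patches_<package>:` sections of a boilerplate in the format shown in the diff and runs two consistency checks a reviewer would otherwise do by eye: every package section lists the same set of releases, and every `ignored` status carries a real reason rather than a placeholder such as `(JUSTIFICATION NEEDED)`. The embedded sample is constructed for the example and abbreviates the secureboot-db boilerplate; its statuses are illustrative, and the missing kinetic row and placeholder reason are deliberate so the checks have something to report.

```python
"""Consistency checks for ubuntu-cve-tracker style boilerplate files.

Added example, not UCT's own tooling. Assumes the file layout shown in
the merge proposal's diff: a "Patches_<pkg>:" header followed by lines of
the form "<release>_<pkg>: <status> (<reason>)", sections separated by a
blank line.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the secureboot-db boilerplate (abbreviated).
# The absent kinetic_shim row and the placeholder reason are intentional.
SAMPLE = """\
Candidate:
Notes:
 eslerm> secureboot-db should only ever be updated after shim
 eslerm| secureboot-db is not updated on ESM releases as doing so
 would revoke install media keys
Priority: untriaged

Patches_secureboot-db:
upstream_secureboot-db: needs-triage
trusty/esm_secureboot-db: ignored (install media keys will never be revoked)
esm-infra/bionic_secureboot-db: needs-triage
focal_secureboot-db: needs-triage
kinetic_secureboot-db: needs-triage
devel_secureboot-db: needs-triage

Patches_shim:
upstream_shim: needs-triage
trusty/esm_shim: ignored (JUSTIFICATION NEEDED)
esm-infra/bionic_shim: needs-triage
focal_shim: needs-triage
devel_shim: needs-triage
"""

SECTION_RE = re.compile(r"^Patches_(?P<pkg>\S+):\s*$")


def parse_patches(text):
    """Return {package: {release: (status, reason_or_None)}}.

    Releases may contain '/' and '-' (e.g. esm-infra/xenial), so the
    release is matched as "anything up to the literal _<pkg>:" of the
    current section rather than by a fixed release list.
    """
    sections = OrderedDict()
    pkg = None
    line_re = None
    for line in text.splitlines():
        if not line.strip():
            pkg = None  # a blank line ends the current section
            continue
        header = SECTION_RE.match(line)
        if header:
            pkg = header.group("pkg")
            sections[pkg] = OrderedDict()
            line_re = re.compile(
                r"^(?P<release>[^:\s]+)_" + re.escape(pkg)
                + r":\s*(?P<status>[^\s(]+)\s*(?:\((?P<reason>[^)]*)\))?\s*$"
            )
            continue
        if pkg is None:
            continue  # Candidate:, Notes:, etc. are outside Patches_ sections
        m = line_re.match(line)
        if m:
            sections[pkg][m.group("release")] = (m.group("status"), m.group("reason"))
    return sections


def missing_releases(sections):
    """For each package, releases that some other section lists but it does not."""
    union = []
    for entries in sections.values():
        for release in entries:
            if release not in union:
                union.append(release)
    return {pkg: [r for r in union if r not in entries]
            for pkg, entries in sections.items()}


def unjustified_ignores(sections):
    """(package, release) pairs marked ignored with no usable reason."""
    found = []
    for pkg, entries in sections.items():
        for release, (status, reason) in entries.items():
            if status == "ignored" and (not reason or "JUSTIFICATION NEEDED" in reason):
                found.append((pkg, release))
    return found


def report(text):
    """Human-readable summary of both checks; returns the lines printed."""
    sections = parse_patches(text)
    lines = []
    for pkg, gaps in missing_releases(sections).items():
        if gaps:
            lines.append(f"{pkg}: missing release rows for {', '.join(gaps)}")
    for pkg, release in unjustified_ignores(sections):
        lines.append(f"{pkg}: {release} is ignored without a justification")
    return lines or ["no inconsistencies found"]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Running the file prints one line for the shim section's missing kinetic row and one for the placeholder justification on trusty/esm_shim; pointing `report` at a real boilerplate file's contents applies the same checks across every package section it contains.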
