Merge ~eslerm/ubuntu-cve-tracker:grub2-boilerplate into ubuntu-cve-tracker:master

Proposed by Mark Esler
Status: Merged
Merged at revision: b483091a646c3b09805831b449cac5fd66d6e547
Proposed branch: ~eslerm/ubuntu-cve-tracker:grub2-boilerplate
Merge into: ubuntu-cve-tracker:master
Diff against target: 162 lines (+122/-0)
6 files modified
boilerplates/grub2 (+61/-0)
boilerplates/grub2-signed (+1/-0)
boilerplates/grub2-unsigned (+1/-0)
boilerplates/secureboot-db (+57/-0)
boilerplates/shim (+1/-0)
boilerplates/shim-signed (+1/-0)
Reviewer Review Type Date Requested Status
Chris Coulson Approve
Steve Langasek (community) Approve
Alex Murray Pending
Dimitri John Ledkov Pending
Steve Beattie Pending
Review via email: mp+447456@code.launchpad.net

Commit message

grub2* boilerplate init

trusty/esm_grub2 and trusty/esm_grub2-unsigned require a justification. This justification should be in the UEFI meeting notes from 2022-09-22, but I need access.

xnox suggested tracking secureboot-db on all grub CVEs. grub vulnerabilities and loading vulnerable-non-revoked software are separate issues, so I made separate boilerplate.

However, the importance of secureboot-db cannot be lost. An evil housekeeper attack becomes possible as soon as *a* bypass (CVE) is found in grub2-current and this is not resolved until old keys are revoked. We have no tooling to track when this occurs. (there has never been a -security release for secureboot-db)

Revision history for this message
Mark Esler (eslerm) wrote :

shim should also be tracked

Revision history for this message
Mark Esler (eslerm) wrote :

CVE-2020-15705 [0] and CVE-2021-3418 [1] are duplicates, except they are related to Grub prior to 2.04 and 2.06 respectively. Each is for evil housekeeper attacks based on shims (i.e., BlackLotus-like). They are assigned after a grub2 CVE is discovered in the previous version.

These CVEs should be used to track secureboot-db and shim.

Canonical is the CNA for CVE-2020-15705. I believe we need to amend our CVE publication. CVE-2021-3418 was assigned by RedHat and follows the previous CVEs description. Ubuntu is affected by both, but UCT does not track this yet.

Tooling is needed to explain the differences between grub2 and secureboot-db to CVE triagers.

[0] https://nvd.nist.gov/vuln/detail/CVE-2020-15705
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-3418

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

> trusty/esm_grub2: ignored (JUSTIFICATION NEEDED)

We cannot update secureboot-db because it would invalidate installer media, just like other ESM. We cannot update to new signing keys of kernel for trusty because GA trusty kernel lacks features needed by the new keys signing policies. This leaves grub as pointless to update, sort of, as it can be always circumvented. Separately secureboot on servers on Trusty is rarely used, making patching it sort of useless too. In essence, patching grub in trusty would only give a false sense of security.

We could upgrade grub2 to the new grub2-unsigned split. But that doesn't solve the installer problem.

I agree with everything else in the templates. I wonder if trusty ones need unique explanation or assessment. Or like case-by-case patching only if it affects secureboot.

Revision history for this message
Mark Esler (eslerm) wrote :

> In essence, patching grub in trusty would only give a false sense of security.

This is true for xenial too, except kernel support is not a factor.

On one hand, I would like to patch all the holes in the fence even if the gate is open. Potentially, someone could use a fresh key to lock the gate. On the other hand, this effort could be placed elsewhere. There is little demand for custom keys.

Revision history for this message
Mark Esler (eslerm) wrote :

The only case I have heard of others signing their own keys for Ubuntu Secure Boot are interested in the latest FIPS support. The scenario is unlikely and, when it does occur, is unlikely to use ESM.

Revision history for this message
Steve Langasek (vorlon):
review: Approve
Revision history for this message
Chris Coulson (chrisccoulson) wrote :

This looks ok - I've added a couple of minor comments.

review: Approve

Preview Diff

diff --git a/boilerplates/grub2 b/boilerplates/grub2
new file mode 100644
index 0000000..d0926e1
--- /dev/null
+++ b/boilerplates/grub2
@@ -0,0 +1,61 @@
1Candidate:
2PublicDate:
3References:
4Description:
5Ubuntu-Description:
6Notes:
7 eslerm> grub2-unsigned contains Secure Boot security fixes
8 eslerm> the grub2 package unlikely affects Ubuntu's Secure Boot
9 eslerm> grub2 and grub2-unsigned should have same major version
10 eslerm> Ubuntu Secure Boot and ESM do not cover i386
11 eslerm> trusty's GA kernel cannot handle new versions of grub
12 eslerm| Note that key revocation is required to protect against
13 evil housekeeper attacks (such as BlackLotus)
14Mitigation:
15Bugs:
16Priority: untriaged
17Discovered-by:
18Assigned-to:
19CVSS:
20
21Patches_grub2:
22upstream_grub2: needs-triage
23trusty_grub2: ignored (end of standard support)
24trusty/esm_grub2: ignored (update incompatible with kernel)
25xenial_grub2: ignored (end of standard support)
26esm-infra/xenial_grub2: needs-triage
27bionic_grub2: ignored (end of standard support)
28esm-infra/bionic_grub2: needs-triage
29focal_grub2: needs-triage
30jammy_grub2: needs-triage
31kinetic_grub2: needs-triage
32lunar_grub2: needs-triage
33devel_grub2: needs-triage
34
35Patches_grub2-unsigned:
36upstream_grub2-unsigned: needs-triage
37trusty_grub2-unsigned: ignored (end of standard support)
38trusty/esm_grub2-unsigned: ignored (update incompatible with kernel)
39xenial_grub2-unsigned: ignored (end of standard support)
40esm-infra/xenial_grub2-unsigned: needs-triage
41bionic_grub2-unsigned: ignored (end of standard support)
42esm-infra/bionic_grub2-unsigned: needs-triage
43focal_grub2-unsigned: needs-triage
44jammy_grub2-unsigned: needs-triage
45kinetic_grub2-unsigned: needs-triage
46lunar_grub2-unsigned: needs-triage
47devel_grub2-unsigned: needs-triage
48
49Patches_grub2-signed:
50upstream_grub2-signed: needs-triage
51trusty_grub2-signed: DNE
52trusty/esm_grub2-signed: DNE
53xenial_grub2-signed: ignored (end of standard support)
54esm-infra/xenial_grub2-signed: needs-triage
55bionic_grub2-signed: ignored (end of standard support)
56esm-infra/bionic_grub2-signed: needs-triage
57focal_grub2-signed: needs-triage
58jammy_grub2-signed: needs-triage
59kinetic_grub2-signed: needs-triage
60lunar_grub2-signed: needs-triage
61devel_grub2-signed: needs-triage
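Review bot: the trusty entries in Patches_grub2-unsigned (`trusty_grub2-unsigned: ignored (end of standard support)` and `trusty/esm_grub2-unsigned: ignored (update incompatible with kernel)`) are inconsistent with `trusty_grub2-signed: DNE` / `trusty/esm_grub2-signed: DNE` two sections later and with xnox's comment above that trusty would first have to be upgraded to the grub2-unsigned split; if that split source does not exist in trusty, both grub2-unsigned entries should be DNE, and if it does, the grub2-signed entries need the same justification rather than DNE. Two smaller points in the Notes block: "the grub2 package unlikely affects Ubuntu's Secure Boot" should read "is unlikely to affect", and "trusty's GA kernel cannot handle new versions of grub" compresses the reason xnox gives (the GA kernel lacks features required by the new key signing policies) into something a triager will read as a grub/kernel compatibility bug; stating the reason as given avoids that.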
diff --git a/boilerplates/grub2-signed b/boilerplates/grub2-signed
new file mode 120000
index 0000000..d0335b0
--- /dev/null
+++ b/boilerplates/grub2-signed
@@ -0,0 +1 @@
1grub2
0\ No newline at end of file2\ No newline at end of file
diff --git a/boilerplates/grub2-unsigned b/boilerplates/grub2-unsigned
new file mode 120000
index 0000000..d0335b0
--- /dev/null
+++ b/boilerplates/grub2-unsigned
@@ -0,0 +1 @@
1grub2
0\ No newline at end of file2\ No newline at end of file
diff --git a/boilerplates/secureboot-db b/boilerplates/secureboot-db
new file mode 100644
index 0000000..5dcf370
--- /dev/null
+++ b/boilerplates/secureboot-db
@@ -0,0 +1,57 @@
1Candidate:
2PublicDate:
3References:
4Description:
5Ubuntu-Description:
6Notes:
7 eslerm> secureboot-db should only ever be updated after shim
8 eslerm| secureboot-db is not updated on ESM releases as doing so
9 would revoke install media keys
10 eslerm| Note that key revocation is required to protect against
11 evil housekeeper attacks (such as BlackLotus)
12Mitigation:
13Bugs:
14Priority: untriaged
15Discovered-by:
16Assigned-to:
17CVSS:
18
19Patches_secureboot-db:
20upstream_secureboot-db: needs-triage
21trusty_secureboot-db: ignored (end of standard support)
22trusty/esm_secureboot-db: ignored (install media keys will never be revoked)
23xenial_secureboot-db: ignored (end of standard support)
24esm-infra/xenial_secureboot-db: ignored (install media keys will never be revoked)
25bionic_secureboot-db: ignored (end of standard support)
26esm-infra/bionic_secureboot-db: needs-triage
27focal_secureboot-db: needs-triage
28jammy_secureboot-db: needs-triage
29kinetic_secureboot-db: needs-triage
30lunar_secureboot-db: needs-triage
31devel_secureboot-db: needs-triage
32
33Patches_shim-signed:
34upstream_shim-signed: needs-triage
35trusty_shim-signed: ignored (end of standard support)
36trusty/esm_shim-signed: ignored (install media keys will never be revoked)
37xenial_shim-signed: ignored (end of standard support)
38esm-infra/xenial_shim-signed: ignored (install media keys will never be revoked)
39bionic_shim-signed: ignored (end of standard support)
40esm-infra/bionic_shim-signed: needs-triage
41focal_shim-signed: needs-triage
42jammy_shim-signed: needs-triage
43lunar_shim-signed: needs-triage
44devel_shim-signed: needs-triage
45
46Patches_shim:
47upstream_shim: needs-triage
48trusty_shim: ignored (end of standard support)
49trusty/esm_shim: ignored (install media keys will never be revoked)
50xenial_shim: ignored (end of standard support)
51esm-infra/xenial_shim: ignored (install media keys will never be revoked)
52bionic_shim: ignored (end of standard support)
53esm-infra/bionic_shim: needs-triage
54focal_shim: needs-triage
55jammy_shim: needs-triage
56lunar_shim: needs-triage
57devel_shim: needs-triage
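Review bot: Patches_shim-signed and Patches_shim skip kinetic (they go from `jammy_shim-signed: needs-triage` straight to `lunar_shim-signed: needs-triage`, and likewise for shim) while Patches_secureboot-db in this same file and every section of boilerplates/grub2 carry a kinetic entry; add `kinetic_shim-signed: needs-triage` and `kinetic_shim: needs-triage` so all three sections track the same release set. Separately, the Notes line "secureboot-db is not updated on ESM releases as doing so would revoke install media keys" is contradicted by `esm-infra/bionic_secureboot-db: needs-triage` (and the matching esm-infra/bionic shim and shim-signed entries) while trusty/esm and esm-infra/xenial are ignored for exactly that reason; either mark esm-infra/bionic the same way or narrow the note to the releases it actually applies to, so a triager does not have to guess which one is wrong.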
diff --git a/boilerplates/shim b/boilerplates/shim
new file mode 120000
index 0000000..0eead1e
--- /dev/null
+++ b/boilerplates/shim
@@ -0,0 +1 @@
1secureboot-db
0\ No newline at end of file2\ No newline at end of file
diff --git a/boilerplates/shim-signed b/boilerplates/shim-signed
new file mode 120000
index 0000000..0eead1e
--- /dev/null
+++ b/boilerplates/shim-signed
@@ -0,0 +1 @@
1secureboot-db
0\ No newline at end of file2\ No newline at end of file
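The boilerplates above are hand-written, and the easiest mistake to make in them is the kind visible in the secureboot-db file: one Patches_ section listing a release the sibling sections do not. The following is an added example, not part of ubuntu-cve-tracker, of a small parser for this boilerplate format plus two consistency checks: every Patches_<source> section must cover the same releases, and every entry must use a known status, with `ignored` always carrying a reason. The embedded boilerplate text is constructed to mirror the secureboot-db diff (the shim sections lack kinetic, and one `ignored` entry has no reason), and the status vocabulary is an assumed subset of what UCT accepts.

```python
"""Parse a ubuntu-cve-tracker style boilerplate and check its Patches_ sections.

Added example for this review; not code from ubuntu-cve-tracker.  The
KNOWN_STATUSES set is an assumption (a subset of the UCT status keywords),
and SAMPLE is constructed text mirroring the secureboot-db boilerplate.
"""
import re
from typing import Dict, List, Tuple

# Assumed status vocabulary; UCT accepts more, this is enough for the check.
KNOWN_STATUSES = {"needs-triage", "needed", "active", "pending", "released",
                  "not-affected", "ignored", "DNE", "deferred"}

SECTION_RE = re.compile(r"^Patches_(\S+):$")
# "<release>_<source>: <status>" optionally followed by " (<reason>)"
ENTRY_RE = re.compile(r"^(?P<key>\S+): (?P<status>[\w-]+)(?: \((?P<reason>.*)\))?$")

# Constructed boilerplate: shim/shim-signed omit kinetic, lunar_shim lacks a reason.
SAMPLE = """\
Candidate:
Notes:
 eslerm> secureboot-db should only ever be updated after shim
Priority: untriaged

Patches_secureboot-db:
upstream_secureboot-db: needs-triage
trusty/esm_secureboot-db: ignored (install media keys will never be revoked)
esm-infra/bionic_secureboot-db: needs-triage
focal_secureboot-db: needs-triage
jammy_secureboot-db: needs-triage
kinetic_secureboot-db: needs-triage
lunar_secureboot-db: needs-triage
devel_secureboot-db: needs-triage

Patches_shim-signed:
upstream_shim-signed: needs-triage
trusty/esm_shim-signed: ignored (install media keys will never be revoked)
esm-infra/bionic_shim-signed: needs-triage
focal_shim-signed: needs-triage
jammy_shim-signed: needs-triage
lunar_shim-signed: needs-triage
devel_shim-signed: needs-triage

Patches_shim:
upstream_shim: needs-triage
trusty/esm_shim: ignored (install media keys will never be revoked)
esm-infra/bionic_shim: needs-triage
focal_shim: needs-triage
jammy_shim: needs-triage
lunar_shim: ignored
devel_shim: needs-triage
"""


def parse_boilerplate(text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {source: {release: (status, reason)}} for every Patches_ section."""
    sections: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        # Skip everything before the first section, blank lines and note continuations.
        if current is None or not line or line.startswith(" "):
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            raise ValueError(f"unparsable entry in Patches_{current}: {line!r}")
        key = entry.group("key")
        suffix = "_" + current
        if not key.endswith(suffix):
            raise ValueError(f"{key!r} does not belong in Patches_{current}")
        release = key[: -len(suffix)]
        sections[current][release] = (entry.group("status"), entry.group("reason") or "")
    return sections


def check_release_coverage(sections: Dict[str, Dict[str, Tuple[str, str]]]) -> Dict[str, List[str]]:
    """Map each source to the releases that other sections list but it omits."""
    all_releases = set().union(*(set(entries) for entries in sections.values()))
    return {source: sorted(all_releases - set(entries))
            for source, entries in sections.items()
            if all_releases - set(entries)}


def check_statuses(sections: Dict[str, Dict[str, Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return (entry, problem) pairs for unknown statuses and reason-less 'ignored'."""
    problems = []
    for source, entries in sections.items():
        for release, (status, reason) in entries.items():
            if status not in KNOWN_STATUSES:
                problems.append((f"{release}_{source}", f"unknown status {status!r}"))
            elif status == "ignored" and not reason:
                problems.append((f"{release}_{source}", "ignored without reason"))
    return problems


if __name__ == "__main__":
    parsed = parse_boilerplate(SAMPLE)
    for source, gaps in check_release_coverage(parsed).items():
        print(f"Patches_{source} is missing: {', '.join(gaps)}")
    for entry, problem in check_statuses(parsed):
        print(f"{entry}: {problem}")
```

Run against the real files with `parse_boilerplate(open("boilerplates/secureboot-db").read())`; the coverage check is the one that would have caught the missing kinetic shim entries before review, and the reason check enforces the convention already followed everywhere else in these two files.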
