security@ and security-team@ have no meaningful activity in at least the last 6 months, so I'm posting this here.

grub2 incorrectly initialises the boot_params from the kernel image
https://bugzilla.redhat.com/show_bug.cgi?id=1418360

The gist is that the bug means the kernel can't determine UEFI secure boot state, considers it not enabled, resulting in the kernel not enabling certain checks it otherwise does when it knows secure boot is enabled. Ergo, users who have secure boot enabled are not getting the full benefit of secure boot, and this fallback is pretty much silent (you'd have to be looking at kernel messages to know you're not protected).

Fedora 26 has grub2-2.02-0.40.fc26.x86_64, which contains the fix. It was proposed as a blocker bug, but was rejected because it doesn't have a formal security evaluation. However, Fedora 24 didn't get the fix before going EOL. And Fedora 25 and Rawhide both still have this problem. And I think it needs attention.

Thanks,

-- 
Chris Murphy
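The check a practitioner would want after reading the message above is to compare what the firmware reports for Secure Boot with what the kernel actually concluded at boot, since the post's point is that the two can disagree silently. The script below is an added example and is not code from the post, from grub2 or from Fedora. It assumes the efivarfs path and layout (4 attribute bytes followed by a 1-byte value, per UEFI and efivarfs) and assumes the kernel log wording "Secure boot enabled" / "Secure boot disabled" / "Secure boot could not be determined", which matches Fedora kernels of that era but may differ on other kernels; the function names and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from grub2/Fedora.
# Cross-checks what the firmware says about Secure Boot against what the
# kernel concluded at boot, which is the silent-fallback gap the post
# describes. Assumptions not stated in the post: the efivarfs path and
# layout (4 attribute bytes, then a 1-byte value) per UEFI/efivarfs; the
# kernel log wording ("Secure boot enabled" / "disabled" / "could not be
# determined") matches Fedora kernels of that era and may differ elsewhere.

EFIVAR_DIR=/sys/firmware/efi/efivars
SB_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI_GLOBAL_VARIABLE_GUID

# Print the SecureBoot value (0 or 1) from an efivarfs file.
# efivarfs prepends 4 bytes of variable attributes, so the value is byte 5.
sb_state_from_efivar() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Classify the kernel's own view from kernel log text on stdin.
# Prints: enabled, disabled, unknown (message present but not conclusive),
# or none (no Secure Boot message at all). The wording is an assumption.
kernel_sb_view_from_log() {
    line=$(grep -i 'secure boot' | head -n 1 | tr 'A-Z' 'a-z')
    case "$line" in
        '')                            echo none ;;
        *"could not be determined"*)   echo unknown ;;
        *disabled*)                    echo disabled ;;
        *enabled*)                     echo enabled ;;
        *)                             echo unknown ;;
    esac
}

# Succeed (return 0) when the firmware has Secure Boot on but the kernel did
# not conclude "enabled": exactly the case where the extra checks stay off.
sb_mismatch() {
    [ "$1" = 1 ] && [ "$2" != enabled ]
}

# Live check on this machine. Returns 0 if consistent, 1 on mismatch,
# 2 if the firmware variable is not readable (non-UEFI boot or no efivarfs).
live_check() {
    var="$EFIVAR_DIR/SecureBoot-$SB_GUID"
    if [ ! -r "$var" ]; then
        echo "SecureBoot efivar not readable: not a UEFI boot, or efivarfs not mounted"
        return 2
    fi
    fw=$(sb_state_from_efivar "$var")
    # dmesg may be restricted (kernel.dmesg_restrict); journalctl -k is the fallback.
    kv=$( { dmesg 2>/dev/null || journalctl -k 2>/dev/null; } | kernel_sb_view_from_log)
    echo "firmware SecureBoot=$fw  kernel view=$kv"
    if sb_mismatch "$fw" "$kv"; then
        echo "MISMATCH: firmware enforces Secure Boot but the kernel did not see it"
        return 1
    fi
    return 0
}

# Offline demo on constructed data: a fake efivar with SecureBoot=1 and a
# constructed log in which the kernel could not determine the state.
# Prints "mismatch" or "consistent".
demo() {
    fixture=$(mktemp)
    printf '\006\000\000\000\001' > "$fixture"      # attrs=0x06, value=1
    fw=$(sb_state_from_efivar "$fixture")
    rm -f "$fixture"
    kv=$(printf '%s\n' \
        '[    0.000000] Linux version 4.9.0 (constructed sample line)' \
        '[    0.000000] Secure boot could not be determined' \
        | kernel_sb_view_from_log)
    if sb_mismatch "$fw" "$kv"; then echo mismatch; else echo consistent; fi
}

# Perform the live check only when run as a script named sb_check*.
case "${0##*/}" in
    sb_check*) live_check ;;
esac
```

Save it as sb_check.sh and run it with sh to get the live comparison; source it instead to call demo or the individual functions. Note that `mokutil --sb-state` reads the same SecureBoot efivar, so it only tells you the firmware's view; the kernel's own conclusion exists nowhere but in the boot log, which is exactly why the fallback the post describes goes unnoticed.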