On Thu, Aug 03, 2017 at 10:21:43AM -0600, Chris Murphy wrote:
> security@ and security-team@ have no meaningful activity in at least
> the last 6 months so I'm posting this here.
>
> grub2 incorrectly initialises the boot_params from the kernel image
> https://bugzilla.redhat.com/show_bug.cgi?id=1418360
>
> The gist is that the bug means the kernel can't determine UEFI secure
> boot state, considers it not enabled, resulting in the kernel not
> enabling certain checks it otherwise does when it knows secure boot is
> enabled. Ergo, users who have secure boot enabled are not getting the
> full benefit of secure boot, and this fallback is pretty much silent
> (you'd have to be looking at kernel messages to know you're not
> protected).
>
> Fedora 26 has grub2-2.02-0.40.fc26.x86_64 which contains the fix. It
> was proposed as a blocker bug, bug was rejected because it doesn't
> have a formal security evaluation.
>
> However, Fedora 24 didn't get the fix before going EOL. And Fedora 25
> and Rawhide both still have this problem. And I think it needs
> attention.

My understanding is that dhowells was going to revert part of the kernel
change that led to this in F25. I didn't realize we'd pushed the problem
back to F24 as well, so I guess we ought to solve it there before it's
too late.

For rawhide I've built the fixed grub2 package. I guess I can build one
for F24 and F25 as well, though I was hoping this would be solved by the
kernel not breaking our expectations.

--
Peter
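
Added example, not part of the original thread and not code from Fedora, grub2 or the kernel: a check for the silent fallback described above, comparing the firmware's SecureBoot variable with what the kernel logged at boot. It assumes the kernel log wording follows mainline ("Secure boot enabled/disabled/could not be determined"), which distribution kernels may change; the script name `sbcheck.sh`, the function names and the sample files are hypothetical and constructed.

```shell
#!/bin/sh
# efivarfs file for the UEFI global variable SecureBoot: 4 attribute bytes, then 1 value byte.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Firmware view: print enabled/disabled/unknown from an efivarfs-format file.
fw_state() {
    v=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Kernel view: last Secure Boot message in a saved kernel log.
# ASSUMPTION: wording follows mainline "Secure boot enabled/disabled/could not be determined".
kernel_state() {
    line=$(grep -iE 'secure boot (enabled|disabled|could not be determined)' "$1" | tail -n 1)
    case "$line" in
        *[Ee]nabled*) echo enabled ;;
        *[Dd]isabled*) echo disabled ;;
        *) echo unknown ;;  # no message at all, or "could not be determined"
    esac
}

# Return 0 and print a warning when firmware enforces Secure Boot but the kernel did not see it.
sb_mismatch() {
    fw=$(fw_state "$1"); k=$(kernel_state "$2")
    [ "$fw" = enabled ] && [ "$k" != enabled ] || return 1
    echo "WARNING: firmware Secure Boot is $fw but kernel reports $k"
}

# Constructed sample inputs (not captured from a real machine), written into directory $1.
make_samples() {
    printf '\006\000\000\000\001' > "$1/sb_on.var"    # attributes 0x6, value 1
    printf '\006\000\000\000\000' > "$1/sb_off.var"   # attributes 0x6, value 0
    printf '[    0.000000] efi: EFI v2.40 by EXAMPLE\n[    0.000000] Secure boot enabled\n' > "$1/good.log"
    printf '[    0.000000] efi: EFI v2.40 by EXAMPLE\n[    0.000000] Secure boot could not be determined\n' > "$1/bad.log"
}

# Live use: sh sbcheck.sh live  (needs permission to read the kernel log)
if [ "${1:-}" = live ]; then
    log=$(mktemp); dmesg > "$log"
    sb_mismatch "$SB_VAR" "$log" || echo "OK: no mismatch detected"
    rm -f "$log"
fi
```

A warning from the live check only shows that the kernel's view disagrees with the firmware's; whether the grub2 bug referenced in the thread is the cause still has to be confirmed against the installed grub2 and kernel packages.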