diff -Nru grub2-2.02~beta2/debian/canonical-uefi-ca.crt grub2-2.02~beta2/debian/canonical-uefi-ca.crt
--- grub2-2.02~beta2/debian/canonical-uefi-ca.crt 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.02~beta2/debian/canonical-uefi-ca.crt 2019-03-18 16:12:22.000000000 +0000
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIENDCCAxygAwIBAgIJALlBJKAYLJJnMA0GCSqGSIb3DQEBCwUAMIGEMQswCQYD +VQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xEDAOBgNVBAcMB0RvdWdsYXMx +FzAVBgNVBAoMDkNhbm9uaWNhbCBMdGQuMTQwMgYDVQQDDCtDYW5vbmljYWwgTHRk +LiBNYXN0ZXIgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEyMDQxMjExMTI1MVoX +DTQyMDQxMTExMTI1MVowgYQxCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9m +IE1hbjEQMA4GA1UEBwwHRG91Z2xhczEXMBUGA1UECgwOQ2Fub25pY2FsIEx0ZC4x +NDAyBgNVBAMMK0Nhbm9uaWNhbCBMdGQuIE1hc3RlciBDZXJ0aWZpY2F0ZSBBdXRo +b3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/WzoWdO4hXa5h +7Z1WrL3e3nLz3X4tTGIPrMBtSAgRz42L+2EfJ8wRbtlVPTlU60A7sbvihTR5yvd7 +v7p6yBAtGX2tWc+m1OlOD9quUupMnpDOxpkNTmdleF350dU4Skp6j5OcfxqjhdvO ++ov3wqIhLZtUQTUQVxONbLwpBlBKfuqZqWinO8cHGzKeoBmHDnm7aJktfpNS5fbr +yZv5K+24aEm82ZVQQFvFsnGq61xX3nH5QArdW6wehC1QGlLW4fNrbpBkT1u06yDk +YRDaWvDq5ELXAcT+IR/ZucBUlUKBUnIfSWR6yGwk8QhwC02loDLRoBxXqE3jr6WO +BQU+EEOhAgMBAAGjgaYwgaMwHQYDVR0OBBYEFK2RmQvCKrH1FwSMI7ZlWiaONFpj +MB8GA1UdIwQYMBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA8GA1UdEwEB/wQFMAMB +Af8wCwYDVR0PBAQDAgGGMEMGA1UdHwQ8MDowOKA2oDSGMmh0dHA6Ly93d3cuY2Fu +b25pY2FsLmNvbS9zZWN1cmUtYm9vdC1tYXN0ZXItY2EuY3JsMA0GCSqGSIb3DQEB +CwUAA4IBAQA/ffZ2pbODtCt60G1SGgODxBKnUJxHkszAlHeC0q5Xs5kE9TI6xlUd +B9sSqVb62NR2IOvkw1Hbmlyckj8Yc9qUaqGZOIykiG3B/Dlx0HR2FgM+ViM11VVH +WxodQcLTEkzc/64KkpxiChcBnHPgXrH9vNa1GRF6fs0+A35m21uoyTlIUf9T4Zwx +U5EbOxB1Axe65oECgJRwTEa3lLA9Fc0fjgLgaAKP+/lHHX2iAcYHUcSazO3dz6Nd +7ZK7vtH95uwfM1FzBL48crB9CPgB/5h9y5zgaTl3JUdxiLGNJ6UuqPc/X4Bplz6p +9JkU284DDgtmxBxtvbgnd8FClL38agq8 +-----END CERTIFICATE----- diff -Nru grub2-2.02~beta2/debian/changelog grub2-2.02~beta2/debian/changelog --- grub2-2.02~beta2/debian/changelog 2019-01-08 17:36:49.000000000 +0000 +++ grub2-2.02~beta2/debian/changelog 2019-03-22 15:36:54.000000000 +0000 
@@ -1,3 +1,15 @@
+grub2 (2.02~beta2-9ubuntu1.17) trusty; urgency=medium
+
+ * debian/grub-check-signatures: check kernel signatures against keys known
+ in firmware, in case a kernel is signed but not using a key that will pass
+ validation, such as when using kernels coming from a PPA. (LP: #1789918)
+ * debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
+ kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
+ and kernel signature verification fails, do not boot the kernel. Patch
+ from Linn Crosetto. (LP: #1401532)
+
+ -- Mathieu Trudel-Lapierre Fri, 22 Mar 2019 11:36:54 -0400
+
 grub2 (2.02~beta2-9ubuntu1.16) trusty; urgency=medium
 
 [ Ivan Hu ]
diff -Nru grub2-2.02~beta2/debian/grub-check-signatures grub2-2.02~beta2/debian/grub-check-signatures
--- grub2-2.02~beta2/debian/grub-check-signatures 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.02~beta2/debian/grub-check-signatures 2019-03-18 16:12:22.000000000 +0000
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+set -e
+
+. /usr/share/debconf/confmodule
+
+# Check if we are on an EFI system
+efivars=/sys/firmware/efi/efivars
+secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
+moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
+tmpdir=$(mktemp -d)
+
+on_secure_boot() {
+ # Validate any queued actions before we go try to do them.
+ local moksbstatert=0
+
+ if ! [ -d $efivars ]; then
+ return 1
+ fi
+
+ if ! [ -f $efivars/$secureboot_var ] \
+ || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
+ then
+ return 1
+ fi
+
+ if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
+ moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
+ elif [ -f $efivars/$moksbstatert_var ]; then
+ # MokSBStateRT set to 1 means validation is disabled
+ moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
+ awk '{ print $NF; }')
+ fi
+
+ if [ $moksbstatert -eq 1 ]; then
+ return 1
+ fi
+
+ return 0
+}
+
+# Retrieve the keys we do trust from PK, DB, KEK, and MokList.
+extract_known_keys() {
+ # Make the Canonical CA cert available for validation too; in case
+ # MokListRT is empty due to a bug.
+ cp /usr/share/grub/canonical-uefi-ca.crt $tmpdir
+
+ # Extract known UEFI certs from firmware variables
+ ( cd $tmpdir; \
+ mokutil --export --db >/dev/null 2>/dev/null; \
+ mokutil --export --mok >/dev/null 2>/dev/null; )
+ find $tmpdir -name "*.der" -exec openssl x509 -inform der -in {} -outform pem -out {}.crt \;
+}
+
+# Check if a given kernel image is signed
+is_signed() {
+ tmp=$(mktemp)
+ sbattach --detach $tmp $1 >/dev/null 2>/dev/null # that's ugly...
+ test "$(wc -c < $tmp)" -ge 16 # Just _some_ minimum size
+ result=$?
+ if [ $result -eq 0 ]; then
+ sig_subject=$(openssl pkcs7 -inform der -in $tmp -print_certs | openssl x509 -noout -text | grep Subject: )
+ fi
+ rm $tmp
+ if [ $result -eq 0 ]; then
+ for crtfile in $tmpdir/*.crt; do
+ sbverify --cert $crtfile $1 >/dev/null 2>/dev/null
+ result=$?
+ if [ $result -eq 0 ]; then
+ return $result;
+ fi
+ done
+ echo "$1 is signed, but using an unknown key:" >&2
+ echo "$sig_subject" >&2
+ else
+ echo "$1 is unsigned." >&2
+ fi
+ return $result
+}
+
+# Check that our current kernel and every newer one is signed
+find_unsigned() {
+ uname_r="$(uname -r)"
+ for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do
+ # no kernels :(
+ if [ "$kernel" = "/boot/vmlinuz-*" ]; then
+ break
+ fi
+ this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')"
+ if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then
+ continue
+ fi
+ if [ -e "$kernel.efi.signed" ]; then
+ continue
+ fi
+ if ! is_signed $kernel; then
+ echo "$this_uname_r"
+ fi
+ done
+}
+
+# Only reached from show_warning
+error() {
+ echo "E: Your kernels are not signed with a key known to your firmware. This system will fail to boot in a Secure Boot environment." >&2
+ exit 1
+}
+
+# Either shows a debconf note or prints an error with error() above if
+# that fails
+show_warning() {
+ # kernels should be an indented list of one version per line
+ escaped="$(printf "%s" "$unsigned" | sed "s#^# #" | debconf-escape -e )"
+ db_capb escape
+ db_settitle grub2/unsigned_kernels_title || error
+ db_fset grub2/unsigned_kernels seen 0 || error
+ db_subst grub2/unsigned_kernels unsigned_versions "$escaped" || error
+ db_input critical grub2/unsigned_kernels || error
+ db_go || error
+ error
+}
+
+if on_secure_boot; then
+ extract_known_keys
+ unsigned="$(find_unsigned)"
+ if [ -n "$unsigned" ]; then
+ show_warning "$unsigned"
+ fi
+ rm -rf "$tmpdir"
+fi
diff -Nru grub2-2.02~beta2/debian/grub-common.install.in grub2-2.02~beta2/debian/grub-common.install.in
--- grub2-2.02~beta2/debian/grub-common.install.in 2015-05-13 14:51:57.000000000 +0000
+++ grub2-2.02~beta2/debian/grub-common.install.in 2019-03-22 14:41:11.000000000 +0000
@@ -1,5 +1,7 @@
 ../../debian/apport/source_grub2.py usr/share/apport/package-hooks/ ../../debian/grub.d etc
+../../debian/grub-check-signatures usr/share/grub/
+../../debian/canonical-uefi-ca.crt usr/share/grub/
 etc/bash_completion.d etc/grub.d
diff -Nru grub2-2.02~beta2/debian/patches/linuxefi_disable_sb_fallback.patch grub2-2.02~beta2/debian/patches/linuxefi_disable_sb_fallback.patch
--- grub2-2.02~beta2/debian/patches/linuxefi_disable_sb_fallback.patch 1970-01-01 00:00:00.000000000 +0000
+++ grub2-2.02~beta2/debian/patches/linuxefi_disable_sb_fallback.patch 2019-03-22 14:47:14.000000000 +0000
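Review bot: `tmpdir=$(mktemp -d)` runs unconditionally near the top, but the only `rm -rf "$tmpdir"` is the last statement inside `if on_secure_boot; then`, so on a machine without Secure Boot the directory is created and never removed, and on a Secure Boot machine the `exit 1` in `error` (reached from `show_warning`) and any command failing under `set -e` leave the exported firmware certificates behind as well. A `trap 'rm -rf "$tmpdir"' EXIT` immediately after the mktemp line cleans up on every path and makes the trailing `rm -rf` redundant. Separately, the comment `# Retrieve the keys we do trust from PK, DB, KEK, and MokList.` promises more than `extract_known_keys` does: the body only runs `mokutil --export --db` and `mokutil --export --mok` and copies the Canonical CA, so it should read `# Retrieve the keys we do trust from db and MokList, plus the bundled Canonical CA.`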
@@ -0,0 +1,43 @@
+From 10a7a5a6402467899a4b733d948eb94b643a5e4e Mon Sep 17 00:00:00 2001
+From: Linn Crosetto
+Date: Tue, 5 Apr 2016 11:49:05 -0600
+Subject: Disallow unsigned kernels if UEFI Secure Boot is enabled
+
+If UEFI Secure Boot is enabled and kernel signature verification fails, do not
+boot the kernel. Before this change, if kernel signature verification failed
+then GRUB would fall back to calling ExitBootServices() and continuing the
+boot.
+
+Patch-Name: linuxefi_disable_sb_fallback.patch
+
+Signed-off-by: Linn Crosetto
+---
+ grub-core/loader/i386/linux.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+Index: grub2-2.02~beta2/grub-core/loader/i386/linux.c
+===================================================================
+--- grub2-2.02~beta2.orig/grub-core/loader/i386/linux.c
++++ grub2-2.02~beta2/grub-core/loader/i386/linux.c
+@@ -703,10 +703,8 @@ grub_cmd_linux (grub_command_t cmd __att
+ using_linuxefi = 0;
+ if (grub_efi_secure_boot ())
+ {
+- /* Try linuxefi first, which will require a successful signature check
+ and then hand over to the kernel without calling ExitBootServices.
+ If that fails, however, fall back to calling ExitBootServices
+ ourselves and then booting an unsigned kernel. */
++ /* linuxefi requires a successful signature check and then hand over
+ to the kernel without calling ExitBootServices. */
+ grub_dl_t mod;
+ grub_command_t linuxefi_cmd;
+
+@@ -728,7 +726,7 @@ grub_cmd_linux (grub_command_t cmd __att
+ return GRUB_ERR_NONE;
+ }
+ grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
+- grub_errno = GRUB_ERR_NONE;
++ goto fail;
+ }
+ }
+ }
diff -Nru grub2-2.02~beta2/debian/patches/series grub2-2.02~beta2/debian/patches/series
--- grub2-2.02~beta2/debian/patches/series 2019-01-08 17:36:49.000000000 +0000
+++ grub2-2.02~beta2/debian/patches/series 2019-03-22 14:47:05.000000000 +0000
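Review bot: The new `goto fail;` that replaces `grub_errno = GRUB_ERR_NONE;` leaves `grub_errno` holding whatever the linuxefi command reported, so the error the user sees now depends on the `fail:` label, which lies outside this hunk; worth confirming it returns that error rather than clearing it. The lines between the two inner hunks, presumably where the linuxefi module is loaded into `mod` and the command looked up into `linuxefi_cmd`, are not shown either, so it is not visible from here whether a missing linuxefi module on a Secure Boot system still falls through to the unsigned-kernel path the commit message says is being closed. The rewritten comment would also read better as `/* linuxefi requires a successful signature check and then hands over to the kernel without calling ExitBootServices. */`. grub_cmd_linux itself starts and ends outside the hunk.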
@@ -74,3 +74,4 @@
 efinet-enable-hardware-filters-on-interface.patch
 mixed_size_efi.patch
 0001-i386-linux-Add-support-for-ext_lfb_base.patch
+linuxefi_disable_sb_fallback.patch
diff -Nru grub2-2.02~beta2/debian/postinst.in grub2-2.02~beta2/debian/postinst.in
--- grub2-2.02~beta2/debian/postinst.in 2018-09-05 19:46:36.000000000 +0000
+++ grub2-2.02~beta2/debian/postinst.in 2019-03-22 14:51:23.000000000 +0000
@@ -321,6 +321,10 @@ devicemap_regenerated= + if [ @PACKAGE@ = "grub-efi-amd64" ] && dpkg --compare-versions "$2" lt-nl 2.02~beta2-9ubuntu1.17; then + /usr/share/grub/grub-check-signatures + fi + if egrep -q '^[[:space:]]*post(inst|rm)_hook[[:space:]]*=[[:space:]]*(/sbin/|/usr/sbin/)?update-grub' /etc/kernel-img.conf 2>/dev/null; then echo 'Removing update-grub hooks from /etc/kernel-img.conf in favour of' >&2 echo '/etc/kernel/ hooks.' >&2