Ubuntu wants to strip some of GRUB features in 26.10 for security purposes

https://discourse.ubuntu.com/t/streamlining-secure-boot-for-26-10/79069

Streamlining secure boot for 26.10

> Ubuntu systems support secure boot using grub. grub contains a lot of parsers for file systems and other things which are a constant source of security issues. In 26.10, we'd like to propose removing the following features from signed GRUB builds:
>
> Filesystems
> - Remove btrfs, hfsplus, xfs, zfs
> - Retain ext4, fat, iso9660 (and squashfs for snaps)
>
> Image formats:
> - Remove jpeg, png
> - Retain none
>
> We do not use images, but using that in your grub.cfg locally is a massive security risk (if even still al...


This comment is particularly concerning (as is the functionality regression implied by this new "more secure" approach):

> This means for example, that an encrypted system must use an ext4 /boot partition; it is no longer possible to encrypt the /boot partition.

So, they want to let attackers modify /boot, including grub.conf and the kernel command line? This is better? Look at all these fun knobs attackers will be able to turn!

https://www.kernel.org/doc/Documentation/x86/x86_64/boot-opt...

This lets you disable machine check exceptions + the iommu. That means it'll force people to use a configuration that lets attackers stick a memory probe hardware device into the system + bypass a bunch of hardware security checks. Nice!

I also found module.sig_enforce which lets the attacker disable kernel module signature verification. Sadly, I couldn't find anything that lets you directly load a kernel module from /boot.

However, initrd lives in /boot. I wonder if its signature is verified or not. At the very least, this approach implies that attackers can piecemeal downgrade stuff early in the boot process.
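Added example, not from this thread and not part of Ubuntu's GRUB proposal: a small POSIX shell audit that flags kernel command-line parameters of the kind the comment above names (nomce, iommu=off, module.sig_enforce=0) plus a few other well-known hardening-off switches, and a helper that reports whether /boot currently sits on a dm-crypt device. The parameter list is an illustrative selection rather than a complete catalogue, and the two sample command lines are constructed for the demonstration; the script says nothing about whether the initrd is signature-checked.

```shell
#!/bin/sh
# Added example: audit a kernel command line for parameters that switch off
# runtime hardening. With an unencrypted /boot, anyone who can write grub.cfg
# can append these, so they are worth checking from inside the booted system.
# The list below is an illustrative selection (assumption), not exhaustive.

RISKY_PARAMS="nomce iommu=off intel_iommu=off amd_iommu=off module.sig_enforce=0 init=/bin/sh"

# audit_cmdline CMDLINE
# Prints every flagged parameter, one per line. Exit status 0 when nothing
# was flagged, 1 when at least one risky parameter is present.
audit_cmdline() {
    cmdline=$1
    found=0
    for tok in $cmdline; do
        for bad in $RISKY_PARAMS; do
            if [ "$tok" = "$bad" ]; then
                echo "$tok"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# boot_is_encrypted
# Exit status 0 if the device backing /boot (or the mount containing it) has a
# dm-crypt ancestor, 1 if not, 2 if findmnt/lsblk are unavailable or fail.
# Only meaningful on a live Linux system; it is not used by the demo below.
boot_is_encrypted() {
    src=$(findmnt -T /boot -no SOURCE 2>/dev/null) || return 2
    [ -n "$src" ] || return 2
    # -s walks from the device up through its parents; a 'crypt' entry means
    # dm-crypt (LUKS) sits somewhere underneath /boot.
    lsblk -sno TYPE "$src" 2>/dev/null | grep -qx crypt
}

# Constructed sample command lines for the demonstration (not captured from a
# real machine).
SAMPLE_CLEAN="BOOT_IMAGE=/vmlinuz-6.8.0 root=/dev/mapper/vg-root ro quiet splash"
SAMPLE_BAD="BOOT_IMAGE=/vmlinuz-6.8.0 root=/dev/mapper/vg-root ro quiet nomce iommu=off module.sig_enforce=0"

# Demo run. The '|| :' keeps a flagged result from aborting under 'set -e'.
echo "clean sample:"
audit_cmdline "$SAMPLE_CLEAN" || :
echo "tampered sample:"
audit_cmdline "$SAMPLE_BAD" || :
if [ -r /proc/cmdline ]; then
    echo "this machine:"
    audit_cmdline "$(cat /proc/cmdline)" || :
fi
```

On a real host, pair the two checks: a clean `audit_cmdline "$(cat /proc/cmdline)"` says nothing about what grub.cfg will contain at the next boot, so the more useful routine check is whether `boot_is_encrypted` holds at all, since that is the property the proposal removes.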