Security Vulnerability: "Boothole" grub2 UEFI secure boot lockdown bypass
This document (000019673) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
Situation
The original BootHole flaw is a buffer overflow in grub2's parsing of its configuration file (grub.cfg), tracked by CVE-2020-10713. Because grub.cfg is not signed, a root user can plant a crafted configuration that corrupts grub2 memory and runs arbitrary code before the kernel is loaded, even with UEFI Secure Boot enabled.
Further research identified more grub2 security issues that needed to be addressed in the same way, tracked by CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 and CVE-2020-15706.
Exploitation requires root (or physical) access to the machine, but it allows malware that already has that access to become persistent in the boot path: it runs before the operating system on every boot, survives reinstallation of the OS, and defeats the integrity guarantee that UEFI Secure Boot is meant to provide, regardless of which operating system is installed.
Resolution
Besides fixing the bugs, SUSE and the other vendors in the UEFI ecosystem must preserve the integrity of the Secure Boot chain: a fixed grub2 is of little use as long as a vulnerable, still validly signed older grub2 can be loaded in its place.
This in turn means that loading of older, affected grub2 versions must be blocked.
The UEFI Secure Boot chain will be updated in two stages:
- SUSE released updates for the "shim" loader that exclude all previously released Secure Boot binaries, by adding our previous signing key to the exclusion list built into shim (the vendor dbx).
- Microsoft publishes a global revocation list (DBX update) that excludes all older "shim" versions from SUSE and other vendors from the UEFI Secure Boot chain.
Administrators must make sure that all BootHole related online updates (shim, grub2, kernel and the other re-signed packages) have been installed before applying these DBX lists. Applying the DBX first leaves the machine with a shim that the firmware refuses to load.
The SUSE UEFI Secure Boot Chain and actions taken:
- SUSE UEFI CA key
- SUSE UEFI signing key
As SUSE has previously released various grub2 updates signed by the SUSE UEFI signing key, SUSE introduces a new SUSE signing key and blocks the old signing key via the new shim.
- shim
It is signed by the Microsoft UEFI CA, which practically all Secure Boot capable firmware carries in its db.
The shim contains the SUSE UEFI CA key, which is the root of the SUSE UEFI Secure Boot trust chain.
SUSE updated the shim to block binaries signed by the SUSE UEFI signing key used up to now.
Microsoft will publish a UEFI DBX revocation database that revokes older versions of shim, removing the ability to load older grub2 versions.
This DBX update is published on the uefi.org website, but is not yet deployed via Windows Update or via firmware updates from BIOS vendors.
- grub2
SUSE released updated grub2 packages, with security fixes and signed by our new UEFI signing key.
- Linux kernel
The kernel side is tracked in separate CVEs: CVE-2019-20908 and CVE-2020-15780.
These "lockdown" bypass security bugs affect SUSE Linux Enterprise 12 SP4 and newer versions only.
SUSE has released updated kernels with the above fixed, signed by our new UEFI signing key.
- xen, kmp and other secure boot related packages
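The two revocation mechanisms above (shim's built-in vendor dbx and the firmware DBX variable published on uefi.org) both use the UEFI EFI_SIGNATURE_LIST format. The following parser is an added example, not SUSE code, for checking what a DBX blob actually revokes before you apply it: it walks the signature lists, extracts the SHA-256 entries, and tells you whether a given hash is on the list. The sample blob at the bottom is constructed with placeholder hashes and has no relation to any real shim. Note that DBX hash entries are Authenticode hashes of the PE image (what tools such as pesign compute for a signed EFI binary), not the output of sha256sum on the file, so compare against that value.

```python
"""Parse UEFI signature databases (db/dbx) and check whether a hash is revoked.

Accepts either a bare .esl blob or the raw variable contents read from
/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, which
efivarfs prefixes with a 4-byte attribute word (pass from_efivars=True).
"""
import struct
import uuid

# Signature types from the UEFI specification ("Signature Database" section).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

ESL_HEADER_LEN = 28   # EFI_GUID (16) + three UINT32 fields
EFIVARS_ATTR_LEN = 4  # efivarfs prepends the UINT32 variable attributes


def parse_signature_lists(blob, from_efivars=False):
    """Yield (type_name, owner_guid, data) for every EFI_SIGNATURE_DATA entry.

    EFI_SIGNATURE_LIST layout (integers little-endian):
      EFI_GUID SignatureType; UINT32 SignatureListSize;
      UINT32 SignatureHeaderSize; UINT32 SignatureSize;
      UINT8 SignatureHeader[SignatureHeaderSize];
      EFI_SIGNATURE_DATA Signatures[]  (EFI_GUID SignatureOwner + data)
    Several lists may be concatenated in one variable.
    """
    if from_efivars:
        blob = blob[EFIVARS_ATTR_LEN:]
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject sizes that would make us read outside the blob or split an entry.
        if list_size < ESL_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16:
            raise ValueError("SignatureSize %d smaller than the owner GUID" % sig_size)
        body = blob[off + ESL_HEADER_LEN + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature list body is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16:i + sig_size]
        off += list_size


def revoked_hashes(blob, from_efivars=False):
    """Return the set of SHA-256 entries (lower-case hex) found in a dbx blob."""
    return {data.hex() for kind, _owner, data in parse_signature_lists(blob, from_efivars)
            if kind == "sha256"}


def is_revoked(blob, authenticode_sha256_hex, from_efivars=False):
    """True if the Authenticode SHA-256 of a PE image is listed in the dbx blob."""
    return authenticode_sha256_hex.lower() in revoked_hashes(blob, from_efivars)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_CERT_SHA256 signature list; used here only to construct the sample."""
    sig_size = 16 + 32  # owner GUID + SHA-256 digest
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", ESL_HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample: two placeholder digests, not hashes of any real binary.
SAMPLE_HASHES = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES)
# The same list as efivarfs would expose it: attributes NV|BS|RT|TIME_BASED_AUTH (0x27) first.
SAMPLE_EFIVAR = struct.pack("<I", 0x27) + SAMPLE_DBX

if __name__ == "__main__":
    import sys
    # Usage: python dbx_check.py [dbx-blob-file] [authenticode-sha256-hex]
    blob, efivar = (open(sys.argv[1], "rb").read(), True) if len(sys.argv) > 1 else (SAMPLE_DBX, False)
    for kind, owner, data in parse_signature_lists(blob, efivar):
        print(kind, owner, data.hex() if kind == "sha256" else "%d bytes" % len(data))
    if len(sys.argv) > 2:
        print("revoked" if is_revoked(blob, sys.argv[2], efivar) else "not revoked")
```

Run it against the dbx variable from efivarfs, or against the .bin from uefi.org after stripping its EFI_VARIABLE_AUTHENTICATION_2 header, to see the full list of revoked hashes and certificates. When a run of a real blob stops with a ValueError, the input is not a bare signature list (for example it still carries the authentication header), which is exactly the kind of input you do not want written into the firmware unchecked.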
Cause
Status
Additional Information
Older DVD / ISO media provided by SUSE will also no longer boot in UEFI Secure Boot scenarios once the UEFI DBX revocation list has been applied to the machine, because the shim on that media is revoked.
SUSE provides respin media containing the newly signed shim and other packages, available via download.suse.com.
If you encounter problems (for example installation media that no longer boots), you can temporarily disable Secure Boot in the system firmware setup, install the updates, and then re-enable Secure Boot. Keep Secure Boot disabled only for the duration of the update, and verify afterwards that it is enforcing again.
References:
SUSE Blog: https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/
Security researchers: https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/
Important note:
Due to the scale of the vulnerability, which spans a wide range of components, extreme care must be taken by SUSE and other vendors to fix this issue properly.
This issue requires several stages and multiple rounds of solutions, each of which must be tested and confirmed before the problem is completely fixed. As a general rule, each update of each stage requires extreme care because of the serious risk of bricking customer computers should something go wrong at any of those stages.
Update September 15, 2020:
As another milestone in resolving this issue for our customers, SUSE has today released the new shims required to fix the problem. The tool required to apply these shims has not yet been released.
SUSE will release this tool, together with documentation on how to apply the shims, at a later stage.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000019673
- Creation Date: 27-Jul-2020
- Modified Date:04-Jan-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com