Security Vulnerability: grub2 UEFI secure boot bypass issues
This document (000019892) is provided subject to the disclaimer at the end of this document.
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 11
Seven issues have been identified that impact secure boot integrity; they have received the following CVEs:
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2020-14372, CVE-2021-20225, CVE-2021-20233
All users of SUSE Linux Enterprise Server 11-SP4, 12 and 15 are affected.
An attacker who already runs malware as root could use these grub2 flaws to bypass UEFI secure boot and make that malware persistent across reboots, i.e. turn it into boot-level malware, regardless of which operating system is booted afterwards.
SUSE and other ecosystem vendors are also required to preserve the integrity of the UEFI secure boot chain. This in turn means that loading of the older, affected grub2 versions must be prevented, not merely fixed in newer packages.
The UEFI secure boot chain will be updated in 2 stages:
1. SUSE released updates for the "shim" loader that include an exclusion for all previously released secure boot binaries, by adding our previous signing key to shim's built-in exclusion list (vendor dbx). As this requires SUSE to first rebuild and release all secure boot related packages signed with our new signing key, this stage only happens some weeks after the grub2 releases.
2. Microsoft publishes a global revocation list (DBX) that excludes all older "shim" versions from SUSE and other vendors from the UEFI secure boot chain. This exclusion list is published on https://uefi.org and should only be applied to real systems some months later, by BIOS vendors, Microsoft Windows Update, or manual DBX installation.
Administrators need to make sure that all BootHole-related online updates (new shim and grub2) have been installed before applying these DBX lists via updates: once the firmware DBX contains the hash of the still-installed older shim, the firmware will refuse to load it and the system will no longer boot with secure boot enabled.
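The check an administrator wants before stage 2 is whether the shim and grub2 images currently installed on the ESP are among the entries in the DBX update that is about to be applied. The following is an added example, not SUSE's or Microsoft's code: it parses the EFI_SIGNATURE_LIST payload of a dbx variable (optionally wrapped in the EFI_VARIABLE_AUTHENTICATION_2 header that the uefi.org dbxupdate files carry) and compares the SHA-256 entries against digests of the installed images. The sample dbx blob and its hashes are constructed here for illustration and are not real revocation entries. Note that dbx SHA-256 entries are Authenticode digests of the PE image (the value tools such as pesign print), not a plain sha256sum of the file.

```python
"""Offline check of a UEFI dbx (forbidden signature database) payload.

Added example, not SUSE's code. Assumed input: a dbx blob in the
EFI_SIGNATURE_LIST format of the UEFI specification, either raw or wrapped
in an EFI_VARIABLE_AUTHENTICATION_2 header. All sample data is constructed.
"""
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")

# EFI_SIGNATURE_LIST: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def strip_auth2_header(blob: bytes) -> bytes:
    """Drop an EFI_VARIABLE_AUTHENTICATION_2 wrapper: EFI_TIME (16 bytes) followed by
    WIN_CERTIFICATE_UEFI_GUID, whose leading dwLength covers the whole certificate
    structure. The signature lists start at offset 16 + dwLength."""
    if len(blob) < 24:
        raise ValueError("too short for EFI_VARIABLE_AUTHENTICATION_2")
    dw_length = struct.unpack_from("<I", blob, 16)[0]
    if dw_length < 24 or 16 + dw_length > len(blob):
        raise ValueError("bad WIN_CERTIFICATE dwLength")
    return blob[16 + dw_length:]


def parse_esl(data: bytes):
    """Parse concatenated EFI_SIGNATURE_LIST structures into
    (signature_type, owner, signature_data) tuples, rejecting malformed sizes."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off)
        if list_size < ESL_HEADER.size + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        if sig_size <= 16:  # each EFI_SIGNATURE_DATA starts with a 16-byte owner GUID
            raise ValueError("bad SignatureSize at offset %d" % off)
        body = data[off + ESL_HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body at offset %d is not a multiple of SignatureSize" % off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def parse_dbx(blob: bytes, authenticated: bool):
    """authenticated=True for dbxupdate-style files, False for a raw variable dump."""
    return parse_esl(strip_auth2_header(blob) if authenticated else blob)


def revoked_sha256(entries):
    """Set of lowercase hex SHA-256 Authenticode digests listed in the dbx."""
    return {data.hex() for sig_type, _, data in entries if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(entries, authenticode_sha256_hex: str) -> bool:
    return authenticode_sha256_hex.lower() in revoked_sha256(entries)


def revoked_images(entries, installed: dict) -> list:
    """installed maps an image name (e.g. shim.efi) to its Authenticode SHA-256 hex digest;
    returns the names that the dbx would block, i.e. images that must be updated first."""
    revoked = revoked_sha256(entries)
    return [name for name, digest in installed.items() if digest.lower() in revoked]


# --- constructed sample data (not real revocation entries) ---------------------------
def build_esl(sig_type: uuid.UUID, owner: uuid.UUID, signatures: list) -> bytes:
    sig_size = 16 + len(signatures[0])
    body = b"".join(owner.bytes_le + s for s in signatures)
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


SAMPLE_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # arbitrary owner GUID
SAMPLE_OLD_SHIM_HASH = hashlib.sha256(b"constructed: old shim image").digest()
SAMPLE_OLD_GRUB_HASH = hashlib.sha256(b"constructed: old grub2 image").digest()
SAMPLE_NEW_SHIM_HASH = hashlib.sha256(b"constructed: new shim image").digest()
SAMPLE_DBX = build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_OLD_SHIM_HASH, SAMPLE_OLD_GRUB_HASH])
# Minimal AUTHENTICATION_2 wrapper: zeroed EFI_TIME, dwLength=24 (header only, empty PKCS7 CertData).
SAMPLE_DBX_AUTH = (bytes(16) + struct.pack("<IHH", 24, 0x0200, 0x0EF1)
                   + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + SAMPLE_DBX)

if __name__ == "__main__":
    entries = parse_dbx(SAMPLE_DBX_AUTH, authenticated=True)
    installed = {"shim.efi (old)": SAMPLE_OLD_SHIM_HASH.hex(),
                 "grub.efi (new)": SAMPLE_NEW_SHIM_HASH.hex()}
    for name in revoked_images(entries, installed):
        print("DO NOT apply this DBX yet: installed image would be revoked:", name)
```

For a real check, feed `parse_dbx` the downloaded dbxupdate file with `authenticated=True` (or a raw dump of the current dbx variable with `authenticated=False`), and supply the Authenticode digests of the shim and grub2 images under /boot/efi/EFI as the `installed` map; an empty result from `revoked_images` means the currently installed boot chain survives the DBX update.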
BACKGROUND: The SUSE UEFI Secure Boot Chain and actions taken:
SUSE UEFI CA key
The existing SUSE UEFI CA key will stay as-is. This key is embedded in existing and new shim loaders and continues to be the SUSE root of secure boot trust.
SUSE UEFI signing key
This key is signed by the SUSE UEFI CA key. As SUSE has previously released various grub2 updates signed by the existing SUSE UEFI signing key, and those older grub2 binaries are now affected, SUSE will introduce a new SUSE signing key and block the old signing key via the new shim.
shim
The "shim" loader is a small bootloader for UEFI based x86_64 machines. It is signed by the Microsoft UEFI CA, which is embedded in practically all UEFI firmware (BIOS). The shim contains the SUSE UEFI CA key, which is the base of the SUSE UEFI secure boot trust chain.
SUSE updated the shim to block binaries signed by the up to now used SUSE UEFI signing key.
Microsoft will publish a UEFI DBX revocation database that revokes older versions of shim, which removes the ability to load older grub2 versions. This DBX update will be put on the uefi.org website, but is not yet deployed via Windows Update or via BIOS vendor updates.
grub2
Called by "shim", grub2 presents the boot menu and options on what to boot, then loads either the Linux kernel or the Xen hypervisor. SUSE released updated grub2 packages with security fixes, signed by our new UEFI signing key.
Linux kernel, Xen hypervisor, fwupd, s390-tools, kmp and other secure boot related packages
As the other packages that are in the UEFI secure boot chain are released, they will be signed by the new UEFI signing key.
Important note: Due to the scale of the vulnerability, which spans a wide range of components, extreme care must be taken by SUSE and other vendors to fix this issue properly.
This issue requires different stages and multiple rounds of solutions, each of which has to be tested and confirmed, to completely fix the problem. As a general rule, each update of each stage requires extreme care, because of the serious risk of bricking customer computers should something go wrong at any of those stages.
SUSE CVE page links:
2020 Boothole TID: https://www.suse.com/support/kb/doc/?id=000019673
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019892
- Creation Date: 02-Mar-2021
- Modified Date: 02-Mar-2021
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com