GRUB2 SecureBoot Bypass 2021 and One Grub

There is a new set of Grub2 vulnerabilities that are going public today. The wiki page above explains them in detail.

These updates will be released only for the SecureBoot platforms that are signed by Canonical, which today are X64 and AA64 in UEFI terms (aka amd64/x86_64 and arm64/AArch64).

As part of these updates, because they are that large, we have split Grub2 packaging to allow us to ship identical signed bootloader artefacts across all releases. This means that on UEFI amd64 & arm64 platforms the following releases are upgrading to grub2 2.04: Trusty ESM, Xenial, Bionic, Focal, Groovy and Hirsute.

These updates will land in the -proposed pockets soon, and will be extensively validated before eventually getting phased into the -updates and -security pockets.

There is no immediate threat or urgency to apply these updates, because we still do not have new shims & dbxupdate from uefi.org, as those got delayed. This means that at this time, even with these updates, downgrade attacks are possible. Thus if you have a TPM, you should rely on TPM measurements to monitor your estate if you cannot control physical access to the machines.

In addition to the grub fixes, shim has been upgraded with support for SBAT. This means that in Hirsute, shim, grub and fwupd are required to have .sbat sections, and there is now the ability for targeted revocation of particular binaries.

If you have any questions please post them here, and I will try to answer them all!

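To illustrate the targeted revocation the post mentions, here is an added Python example (not shim's code and not part of the original post) that parses an SBAT section and a revocation policy and decides whether a binary would be allowed. The CSV field layout follows shim's SBAT.md; the grub entries and policy generations below are constructed sample values, not copied from a real binary.

```python
"""SBAT generation check (added illustration, not shim's implementation).

A binary's .sbat section is CSV with the fields
  component_name,component_generation,vendor_name,vendor_package_name,vendor_version,vendor_url
The revocation policy (what shim reads from its SbatLevel variable) is CSV with
  component_name,component_generation[,date]
A binary is denied when any of its components has a generation lower than the
policy's generation for that component name, or when it has no .sbat at all.
"""
import csv
from io import StringIO

# Constructed sample .sbat section, roughly what a grub 2.04 build might carry
# (vendor fields are illustrative, not taken from a shipped binary).
GRUB_SBAT = """sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.04-1ubuntu44,https://www.ubuntu.com/
"""

# Constructed policy: bumps the required grub generation to 2, so every
# grub build still at generation 1 is revoked while shim at 1 stays valid.
REVOKE_GRUB_GEN1 = """sbat,1,2021030218
shim,1
grub,2
"""


def parse_sbat(text):
    """Map component_name -> component_generation from an SBAT CSV blob."""
    generations = {}
    for row in csv.reader(StringIO(text)):
        if len(row) < 2 or not row[0]:
            continue  # skip blank lines
        generations[row[0]] = int(row[1])
    return generations


def sbat_verdict(binary_sbat, policy):
    """Return (allowed, reason) for a binary's .sbat under a given policy."""
    if not binary_sbat.strip():
        return False, "no .sbat section"
    components = parse_sbat(binary_sbat)
    required = parse_sbat(policy)
    for name, min_gen in required.items():
        have = components.get(name)
        if have is not None and have < min_gen:
            return False, f"{name} generation {have} < required {min_gen}"
    return True, "ok"
```

On a real binary the section can be dumped with, for example, `objcopy --only-section .sbat -O binary shimx64.efi /dev/stdout` and fed to `sbat_verdict`.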

grub2 is now published in hirsute & groovy-updates.

In all other stable series it is still in -proposed.
