Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Machines upgraded from old FCOS releases use bootloaders denylisted in newer UEFI dbx #1452

Closed
dustymabe opened this issue Mar 31, 2023 · 3 comments
Closed

Machines upgraded from old FCOS releases use bootloaders denylisted in newer UEFI dbx #1452

dustymabe opened this issue Mar 31, 2023 · 3 comments
Labels
needs/investigation

Comments

@dustymabe
Copy link
Member

dustymabe commented Mar 31, 2023
edited by bgilbert
Loading

I ran into this when testing the new extended upgrade testing scaffolding:

Trying to start old < F34 systems with secure boot enabled using current coreos-assembler yields a non-booting system:

BdsDxe: failed to load Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x2,0x0): Access Denied
BdsDxe: No bootable option or device was found.                                          
BdsDxe: Press any key to enter the Boot Manager Menu.

In this specific case this log came from trying to boot fedora-coreos-33.20201116.2.0-qemu.x86_64.qcow2

This is almost certainly because newer OVMF includes an updated dbx.

Documenting this here so we can point to it in the future.
@dustymabe dustymabe changed the title latest qemu can't boot <= F34 FCOS qcow images with secure boot latest qemu/cosa can't boot <= F34 FCOS qcow images with secure boot Mar 31, 2023
@bgilbert bgilbert changed the title latest qemu/cosa can't boot <= F34 FCOS qcow images with secure boot Machines upgraded from old FCOS releases use bootloaders denylisted in newer UEFI dbx Apr 5, 2023
@bgilbert bgilbert added the meeting topics for meetings label Apr 5, 2023
@bgilbert
Copy link
Contributor

bgilbert commented Apr 5, 2023

At present we're automatically updating neither shim/GRUB nor the dbx denylist. That has some consequences:

  1. Old installs will continue to work on old hardware as long as dbx isn't manually updated. We do ship fwupd and dbxtool (the dbx updater used by fwupd) and a user could invoke fwupdmgr update without updating their bootloader first. If fwupd allows this, it'll brick the bootloader. fwupd has code to refuse the update if the ESP has EFI binaries with old signatures, but we don't know how fwupd responds to FCOS's ESP quirks.
    • Investigate: in a FCOS VM with old UEFI firmware, upgraded from a very old FCOS release, and with an old bootloader, does fwupdmgr update correctly refuse to update dbx? What about on a system installed with boot_device.mirror?
  2. Old install images will not boot in Secure Boot mode on UEFI firmware with newer dbx. Those images aren't supported anyway, so this seems fine.
  3. By not automatically updating dbx, we're leaving older installs vulnerable to Secure Boot bypass via exploitation of a compromised bootloader (either the one we shipped, or a different one listed in newer dbx).
    • Investigate: in a FCOS VM with old UEFI firmware, upgraded from a very old FCOS release, and with a bootloader updated via bootupd, does fwupdmgr update correctly update dbx? What about on a system installed with boot_device.mirror?
    • Decide: how do we want to handle this? Pursue automatic bootloader + dbx updates? Document using fwupd to manually update dbx? We generally design FCOS not to require manual steps to maintain best-practice security.

dustymabe added a commit to dustymabe/fedora-coreos-pipeline that referenced this issue Apr 5, 2023
@dustymabe
jobs/kola-upgrade: add more conditions for secureboot
dd972bc 
Apparently there are some version of `next` that are affected by
coreos/fedora-coreos-tracker#1452 so let's
account for that.
@dustymabe dustymabe mentioned this issue Apr 5, 2023
Merged
dustymabe added a commit to dustymabe/fedora-coreos-pipeline that referenced this issue Apr 5, 2023
@dustymabe
jobs/kola-upgrade: add more conditions for secureboot
4342a31 
Apparently there are some F34 versions of `next` that are affected by
coreos/fedora-coreos-tracker#1452 so let's
account for that.
jlebon pushed a commit to coreos/fedora-coreos-pipeline that referenced this issue Apr 6, 2023
@dustymabe @jlebon
jobs/kola-upgrade: add more conditions for secureboot
0645dd9 
Apparently there are some F34 versions of `next` that are affected by
coreos/fedora-coreos-tracker#1452 so let's
account for that.
@dustymabe
Copy link
Member Author

We discussed this in the community meeting this week.

13:34:55   dustymabe | #agreed We've identified that we'd ultimately like to regularly
                     | update both the bootloader and dbx. For now there are some
                     | preliminary investigations that we can do to determine the scope
                     | and challenges related to the dbx updates and there are bootloader
                     | update safety features we'd like to investigate and implement in
                     | bootupd.

We agreed to open up new issues to track the feature requests:

  • regular bootloader updates
  • regular dbx updates

@dustymabe dustymabe removed the meeting topics for meetings label Apr 7, 2023
@jlebon jlebon mentioned this issue Apr 14, 2023
Open
@dustymabe dustymabe mentioned this issue Apr 19, 2023
Open
@dustymabe
Copy link
Member Author

New issues were opened:

I'm going to close this issue out because there is nothing for us to do for it outside of the two issues linked above.

@dustymabe dustymabe mentioned this issue Jun 9, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs/investigation
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bgilbert @dustymabe