J. Michael, Principal Researcher, Eclypsium; D. Kiper, Software Eng., Oracle; C. Coulson, Sr Software Eng., Canonical
In modern PC-based platforms, UEFI Secure Boot is used to protect the integrity of the boot process by ensuring that only authorized code is allowed to run during this critical time. If unauthorized code can run during the boot process, the operating system itself and the security guarantees it tries to provide can no longer be trusted. In April 2020, a security vulnerability in the GRUB2 bootloader allowing arbitrary code execution was disclosed to the GRUB2 maintainers and a number of other affected parties. Although the fix to the code itself was simple, only one line, complications with both the UEFI Secure Boot implementation and ecosystem necessitated a complex, industry-wide mitigation effort. Revocation, new shim review process, additional vulnerabilities found and fixed, and more. We'll discuss the problems we encountered and overcame as well as areas for future improvement from the perspective of the security researchers, the GRUB upstream maintainers, and the Linux distributions.
Join the Ubuntu Masters telegram channel to connect with Ubuntu product managers, engineers and other attendees! https://t.me/joinchat/JOsc1hzTAhbAfjBX1fsqLA