Grub2 | Secure Boot Bypass and other issues - Update highly recommended

Here is the reason for updating GRUB.

See here for original article in German: Grub 2: Acht neue Schwachstellen im Bootloader | heise online

Grub 2: Eight new vulnerabilities in the bootloader

The developers of Grub 2 have reported several vulnerabilities. Some of them can bypass Secure Boot again, which significantly complicates the update process.

A whole bunch of security patches is pending for the bootloader GNU Grub 2. While some of these are delivered via package updates in Linux distributions, the complete elimination of all eight reported gaps requires that signatures be revoked again in UEFI Secure Boot.

This approach sounds familiar, after all, this was necessary in the middle of last year to the error “Boothole” in GNU Grub 2. But an updated revocation list of the vulnerable shims for the key database (DBX) is problematic, as the maintainer Daniel Kiper emphasizes in his message on the mailing list. In some cases, a fix for all gaps found is therefore currently not feasible on some systems, because then Secure Boot would no longer work at all, says Kiper.

A lengthy undertaking

The current update is intended to fix eight vulnerabilities. These were discovered in the course of a cleanup after “Boothole” in a major effort by three dozen external developers and the maintainers of the bootloader. At least some of the loopholes can be exploited to reload kernel modules without a valid signature despite an active Secure Boot. A detailed description of the individual gaps is provided by the announcement by Kiper.

If you want to fix this correctly, updating the faulty code is not enough. In addition, the signatures of the vulnerable versions must be at least partially blocked. However, this can mean that some systems can no longer start with Secure Boot.

There are already specific advisories from Debian, from Canonical to Ubuntu, by Red Hat and by Suse, which provide more specific information about the update process. All advisories emphasize that the thorough elimination of all gaps will be a lengthy undertaking in several steps and may also require rework by the administrators of the affected systems.

Therefore we recommend to reinstall grub on your systems, to apply all those fixes.

For users with dual-boot to Windows, you may want to restore the old behavior for enabling os-prober detecting your other OSs beside Manjaro. For that simply open a terminal and issue

echo GRUB_DISABLE_OS_PROBER=false|sudo tee -a /etc/default/grub && sudo update-grub

22 Likes

Question:
is it safe to use /etc/grub.d/40_custom for Windoofs
and let GRUB_DISABLE_OS_PROBER=true

How do these vulnerabilities affect Manjaro users? We have to disable “secure boot” in order to boot into Manjaro, so a vulnerability to bypass “secure boot” is pointless.

They don’t. There’s no need to use such special tools when one deals with a vulnerable-by-design (in this specific aspect, of course) distro. Like everything except Fedora, (open)SUSE, Ubuntu, Debian, RHEL. I don’t remember what else has SB support OOB.

Exactly. However, it is possible to setup Secure Boot after installing Manjaro. In such case a user of Grub should definitely update it.

4 Likes

That needs to be:

echo GRUB_DISABLE_OS_PROBER=false|sudo tee -a /etc/default/grub && sudo update-grub
7 Likes

Disabling the os prober by default may be a huge inconvenience for many, especially “normie” users who don’t visit forums or read announcements. It may scare away many new users, too. I think it would be great to include some explicit option to enable/disable the os prober in new installations and the Manjaro settings.

4 Likes

Um, I’m just thinking out loud here, the situation we’re in now isn’t as serious as the “boot hole” debacle last year where, in order to have a properly-updated system, a full re-installation of grub was required per a manual chrooting experience on a live session was required, correct? A simple grub update per terminal or pamac is sufficient (even on luks partitions) is sufficient (so far) – right?

:neutral_face:

FWIW: A grub reinstallation did not and does not need live sessions and/or chrooting - just a running Manjaro with up-to-date grub package.

Yes, 100% agree! I think Manjaro is great partly because it is very easy to use and there’s not a lot you can do wrong. We can’t expect every single user to read the update announcements before updating, especially because updates are mandatory when installing a new package anyway.

We already saw that a lot of people fell into this trap with this update, see Exhibit A, B, C, and a lot more.

I would also say that it’s expected that a linux distro will detect and and offer to boot into all other Operating Systems, installed on the PC, that’s just a given by now. And not giving people this default will likely lead to a lot of “Manjaro removed my Windows” kind of support posts, which is just inconvenient for everyone involved.

Having an option during installation to detect other OSes and add them to Grub that is enabled by default may be a decent fix.

3 Likes

to be fully secure you should completely reinstall grub.

Hmmmmmnmmmmmmmmm, considering the number of CVEs here and > 100 patches already…I honestly think the process of “reinstalling grub” deserves a separate announcement thread of its own. I see that @schinfo just modified the first post to link that wiki article. My neutral-face emoji is becoming even more neutral here. :neutral_face:

I would suggest (for those of you keen of modifying wikis) that wiki page also include instructions for cryptsetup for those of us on luks. My link is based off @eugen-b’s very old guide that’s since been partially-nuked on the read-only forum. I’ve found it’s a very much trial-and-error process so I would also preface the discussion with caution advised. :warning:

Thank you so much for this announcement to keep our computers safe.

Reinstalling grub was so easy for my EFI System:

Open a terminal window and type or paste the following commands:

sudo su
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=manjaro --recheck
grub-mkconfig -o /boot/grub/grub.cfg
exit

I don’t dual boot on this computer, but if I did, it’s a snap to use Kate (or your text editor of choice) to edit /etc/default/grub and remove the # in front of #GRUB_DISABLE_OS_PROBER=false and then type sudo update-grub into a terminal window. All fixed!

You need to be chrooted to properly install grub on efi installs, even if you don’t use luks. After the process is complete, reboot and load the grub menu to verify the version number.

can i use kde minimal in order to chroot/update grub in my full kde install?

now that a reinstall is recommended - does that include people not using secure boot (or multi boot for that matter), too?

And i don’t really get why chroot should be necessary if the system still boots? Maybe someone can enlighten me? ^^

2 Likes

i did reinstall bootloader (manjaro GRUB) last year and NO chroot is not necessary, though it was recommended as a fool-proof way AFAIK

Did I understand right, this only applies to devices with UEFI? So I don’t have to bother and can go on without reinstalling grub? I don’t dualboot and none of my devices has EFI/UEFI.

These vulnerabilities are meant to circumvent Secure Boot enabled systems. If you’re not using it, your system is vulnerable by default and no update will save you from such attacks.
Installing these grub updates on default Manjaro is pointless unless you have SB with your own keys right now. This entire discussion is hilarious because Manjaro doesn’t support SB out of the box. You can’t mitigate a breach when your door is wide open.

12 Likes

Do we have to reinstall grub now or wait for those security patches to be included within grub ?

In addition : some people are saying here we have to chroot to reinstall grub, some are saying we do not have to…
This is confusing to me, as well as reinstalling grub : maybe i am stupid too, but as those security patches are not yet included within grub (i am referring to the beginning of @schinfo saying there are still pending…). Why do we have to reinstall grub now ?

You’re right - thanks for the hint.
I’ve changed it in my post.