On Wed, Apr 24, 2019 at 05:26:00PM +0100, Steve McIntyre wrote:
>Source: grub2
>Version: 2.02+dfsg1-16
>Severity: serious
>Tags: security
>
>In discussion with upstream EFI and arm64 folks, it's become clear
>that in SB mode we should also be disabling the devicetree command in
>Secure Boot mode. I'm testing a patch right now, coming shortly.

We should also blacklist any of our old grub-efi-arm64-signed binaries
signed with our production key - this is a real hole that can totally
undermine SB. I'll work out how to do that for the next shim upload,
due in the next couple of days.

-- 
Steve McIntyre, Cambridge, UK. [email protected]
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"

