This was sent to guix-security a few weeks ago. However, the issues it describes are public, so I'm forwarding it to this mailing list.
The guix-security mailing list is only for reports of secret problems.

----- Original message -----
From: Efraim Flashner <efr...@flashner.co.il>
To: guix-secur...@gnu.org
Subject: Security issues with grub?
Date: Wednesday, March 05, 2025 07:45

Forwarding along an email I received.

--
Efraim Flashner <efr...@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
--- Begin Message ---
Hi,

I forgot to contact you about security vulnerabilities in GRUB. In a nutshell there is[1]:

- Secure boot bypass. Guix is marginally affected. It affects all flavors of secure boot:
  - 100% encrypted disks + passphrase to access GRUB
  - any form of gpg based secure boot
  - UEFI secure boot.
  While Guix doesn't support UEFI secure boot and (2) Guix probably doesn't support the other flavors of secure boot either through its configuration system, it is still possible to (re-)use Guix to build GRUB images that are involved in secure boot. It however requires a custom grub.cfg not provided by Guix.
- Arbitrary execution of code may be doable through the filesystem, but it's unclear if a file not owned by root could do that; as of a few days ago there were no known exploits for these CVEs.
- It might also be possible to craft JPEG files to gain arbitrary execution of code, but that might need to be included in a GRUB theme somehow by users.

It is however really messy to fix, as the only way to fix it is to use the latest git revision due to the lack of resources of the GRUB maintainers / package[2], and in Guix that means that we need to unbundle gnulib at least.

In any case, if you are interested, I've started working on it[3], but the patches I came up with have several issues:

- We can't merge them as-is because building an image stops working. I'm not familiar enough with the non-package code to really understand the issue.
- GRUB builds fine on x86_64 computers but not on i686 computers (tested on a core duo), but it builds fine on x86_64 with --system=i686-linux. I'll try to reproduce in a standalone VM somehow, as I didn't manage to create a 'build-vm' with a core duo, and I would need to find a way to tell Guix to build the rootfs for i686 anyway. I've already tested this change with grub-coreboot on real hardware though.
References:
-----------
[1] https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
[2] https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00124.html
[3] https://debbugs.gnu.org/cgi/bugreport.cgi?bug=76208

Denis.
--- End Message ---