UEFI Secure Boot Updates

WARNING
THIS article is outdated and does not contain correct information. In the end the discussion to update grub2, shim and the kernel in 4.4-9 reached a point where we only backported the UCS 5 Kernel 4.19 to UCS 4.4-9. The information in this article is not relevant for 4.4-9. We keep the article for internal information, but it should not be used.

Summary

With UCS 4.4-9 the following three components involved with UEFI Secure Boot have been updated and must be updated together — otherwise booting may fail:

  1. SHIM
  2. GRUB2
  3. Linux Kernel

Background

Secure Boot builds a chain of trust from the UEFI firmware to the Linux kernel. Any modification before the Linux kernel gets started is detected and aborts the boot process. This technique can be used to prevent boot viruses from infecting the system.

Around July 2020 a major defect was detected in GRUB and the Linux kernel: Attackers can modify the environment before the Linux kernel is fully loaded and can disable secure boot. This triggered an investigation of all components involved with Secure Boot, where other defects were found and fixed. This affected nearly all Linux distributions including Univention Corporate Server. Microsoft thus revoked nearly all previously signed versions of SHIM, which breaks the secure boot chain at its earliest stage.
This list of revoked binaries (dbx) has been published since April 2021 and has been rolled out since then: as soon as the UEFI firmware is updated, or Microsoft Windows runs on the same hardware and updates the list of revoked binaries, UCS before 4.4-9 can no longer be booted.

UCS 4.4-9 contains new versions of shim, grub2 and linux-kernel. They use a new certificate for signing. Therefore all three components must be updated at the same time, as an old component will not be able to load a new component and vice versa.
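As an added illustration (not code from this article or from UCS), a small Python model of the trust decisions described above: the firmware db, the dbx revocation list, and the vendor certificate embedded in shim. Certificate names and the kernel version labels are placeholders; the "signature" is a toy stand-in for Authenticode, not a real verification.

```python
import hashlib
from dataclasses import dataclass

# Toy model of the Secure Boot trust decisions; constructed for illustration.
# A "signature" is just the name of the signing certificate, not Authenticode.
@dataclass(frozen=True)
class Image:
    name: str              # "shim", "grub2" or "linux-image"
    version: str           # version label (kernel versions are placeholders)
    signer: str            # certificate the image is signed with
    vendor_cert: str = ""  # shim only: certificate it embeds for later stages

def image_hash(img: Image) -> str:
    """Stand-in for the binary hash that a dbx entry refers to."""
    return hashlib.sha256(f"{img.name}-{img.version}".encode()).hexdigest()

def verify_chain(firmware_db, dbx, chain):
    """Walk shim -> grub2 -> kernel. shim must be signed by a certificate in the
    firmware db; later stages are checked against the vendor certificate shim
    embeds (grub2 calls back into shim). Anything listed in dbx is rejected."""
    trusted = set(firmware_db)
    for img in chain:
        if image_hash(img) in dbx:
            return False, f"{img.name} {img.version}: revoked by dbx"
        if img.signer not in trusted:
            return False, f"{img.name} {img.version}: signed by {img.signer}, not trusted"
        if img.vendor_cert:
            trusted = {img.vendor_cert}  # shim replaces the trust anchor
    return True, "boot ok"

# Constructed components; certificate names are placeholders, not real key ids.
MS_CA = "Microsoft UEFI CA"
OLD_KEY, NEW_KEY = "UCS-key-old", "UCS-key-new"
old_shim = Image("shim", "0.7", MS_CA, vendor_cert=OLD_KEY)
old_grub = Image("grub2", "2.02~beta3", OLD_KEY)
old_kernel = Image("linux-image", "old", OLD_KEY)
new_shim = Image("shim", "15.4", MS_CA, vendor_cert=NEW_KEY)
new_grub = Image("grub2", "2.02", NEW_KEY)
new_kernel = Image("linux-image", "new", NEW_KEY)

def scenarios():
    db = [MS_CA]
    revoked = {image_hash(old_shim)}  # the dbx update revokes the old shim
    return {
        "old chain, no dbx": verify_chain(db, set(), [old_shim, old_grub, old_kernel]),
        "old chain, dbx rolled out": verify_chain(db, revoked, [old_shim, old_grub, old_kernel]),
        "new shim, old grub2": verify_chain(db, revoked, [new_shim, old_grub, old_kernel]),
        "old shim, new grub2": verify_chain(db, set(), [old_shim, new_grub, new_kernel]),
        "all three updated": verify_chain(db, revoked, [new_shim, new_grub, new_kernel]),
    }
```

Only the "all three updated" chain survives a rolled-out dbx; a half-updated system fails at grub2 in either direction, which is the reason the three packages ship together.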

In case the update fails, make sure to have a working boot medium available or temporarily disable Secure Boot in the firmware as a last resort.

UCS specifics

Support for Secure Boot was first shipped with UCS 4.0 in 2014, which was based on Debian 7 Wheezy. Back then Debian did not support Secure Boot, so support was developed by Univention. Even later on, with Debian 8 Jessie for UCS 4.2 and Debian 9 Stretch for UCS 4.3, the custom implementation was kept.
In 2018 Univention sponsored the integration of Secure Boot into Debian 10 Buster, which is the basis for UCS 5.0 released in 2021. Since then UCS has been using SHIM, GRUB2 and the Linux kernel as signed by Debian.
UCS 4.4 still uses our custom implementation. It was based on shim 0.7 and grub2 2.02~beta3, which would need heavy patching to fix the security problems. This is very error-prone and easily leads to not fixing all problems or even introducing new bugs. Therefore we decided to upgrade to shim 15.4 and grub 2.02, which are the same versions as in UCS 5.0. The only difference is that shim includes our public key instead of Debian's, and grub2 and linux-image are signed with that one as well.
