Re: [security-announce] Upcoming update for shim requires confirmation on reboot

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: [security-announce] Upcoming update for shim requires confirmation on reboot

gregfreemyer
On Fri, Jan 16, 2015 at 8:53 AM, Johannes Segitz <[hidden email]> wrote:

> Hello,
>
> we will release a security update for shim next week that fixes three
> security issues, tracked in bnc#889332:
> - OOB read access when parsing DHCPv6 packets (remote DoS) (CVE-2014-3675).
> - Heap overflow when parsing IPv6 addresses provided by tftp:// DHCPv6 boot
>   option (RCE) (CVE-2014-3676).
> - Memory corruption when processing user provided MOK lists (CVE-2014-3677).
>
> Because of those issues we update shim to version 0.7.318.81ee561d. This
> version includes a patch that requires the user to confirm a dialog once
> on the first boot after the update is installed. You will need to be able
> to confirm this dialog, which appears before the bootloader, or your system
> will not boot. This only affects users that are still on openSUSE 13.1 and
> use a secure boot setup. You can check with 'bootctl' if you're using a
> secure boot configuration if you're not sure.
>
> Best regards,
> Johannes Segitz

Johannes,

That's a big deal.  Can you explain how to use bootctl for those of us
that aren't familiar with it.?

I have a VM in the cloud running 13.1.  No idea if it is a secure
config.  Using bootctl I get:
=================
 # bootctl
System:
   Machine ID: 66246c6e9ad17aa97b5daf4551c883a1
      Boot ID: cb221a9b79094721ac8158f0c4ebf14a


No suitable data is provided by the boot manager. See:
  http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
  http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
for details.
==================

# bootctl status
System:
   Machine ID: 66246c6e9ad17aa97b5daf4551c883a1
      Boot ID: cb221a9b79094721ac8158f0c4ebf14a


No suitable data is provided by the boot manager. See:
  http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
  http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
for details.
==================

FYI: My cloud provider does provide a VNC interface that give me
access to the console during the grub boot phase, but it something I
only see if I intentionally fire it up.  I only do that once a year or
so, thus I will need to pay very close attention to this security
update.  I assume there are lots of users like me.

Greg
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [security-announce] Upcoming update for shim requires confirmation on reboot

Malcolm
On Fri 16 Jan 2015 10:02:08 AM CST, Greg Freemyer wrote:

>On Fri, Jan 16, 2015 at 8:53 AM, Johannes Segitz <[hidden email]>
>wrote:
>> Hello,
>>
>> we will release a security update for shim next week that fixes three
>> security issues, tracked in bnc#889332:
>> - OOB read access when parsing DHCPv6 packets (remote DoS)
>> (CVE-2014-3675).
>> - Heap overflow when parsing IPv6 addresses provided by tftp://
>> DHCPv6 boot option (RCE) (CVE-2014-3676).
>> - Memory corruption when processing user provided MOK lists
>> (CVE-2014-3677).
>>
>> Because of those issues we update shim to version 0.7.318.81ee561d.
>> This version includes a patch that requires the user to confirm a
>> dialog once on the first boot after the update is installed. You
>> will need to be able to confirm this dialog, which appears before
>> the bootloader, or your system will not boot. This only affects
>> users that are still on openSUSE 13.1 and use a secure boot setup.
>> You can check with 'bootctl' if you're using a secure boot
>> configuration if you're not sure.
>>
>> Best regards,
>> Johannes Segitz
>
>Johannes,
>
>That's a big deal.  Can you explain how to use bootctl for those of us
>that aren't familiar with it.?
>
>I have a VM in the cloud running 13.1.  No idea if it is a secure
>config.  Using bootctl I get:
>=================
> # bootctl
>System:
>   Machine ID: 66246c6e9ad17aa97b5daf4551c883a1
>      Boot ID: cb221a9b79094721ac8158f0c4ebf14a
>
>
>No suitable data is provided by the boot manager. See:
>  http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
>  http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
>for details.
>==================
>
># bootctl status
>System:
>   Machine ID: 66246c6e9ad17aa97b5daf4551c883a1
>      Boot ID: cb221a9b79094721ac8158f0c4ebf14a
>
>
>No suitable data is provided by the boot manager. See:
>  http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
>  http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
>for details.
>==================
>
>FYI: My cloud provider does provide a VNC interface that give me
>access to the console during the grub boot phase, but it something I
>only see if I intentionally fire it up.  I only do that once a year or
>so, thus I will need to pay very close attention to this security
>update.  I assume there are lots of users like me.
>
>Greg
Hi
I see;

SLED 12:
# bootctl
System:
   Machine ID: xx442edbefa04xxxa9c5ee5xxxd642f0
      Boot ID: 64460df5579xxx8681357b88efxxx7d6
  Secure Boot: enabled
   Setup Mode: user

Selected Firmware Entry:
        Title: sled12-secureboot
    Partition: /dev/disk/by-partuuid/f5cxxx6f-ba72-46a6-9d05-cef326xxxd62
         File: └─/EFI/sled12/shim.efi

No suitable data is provided by the boot manager. See:
  http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
  http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
for details.

For openSUSE (secure boot enabled) with windows preview;

# bootctl
System:
   Machine ID: 01xxx7c3c4784cxxxx2d4b7e96a34226
      Boot ID: 6afd1xxxx4d7644bfae9xxxx328438439
  Secure Boot: enabled
   Setup Mode: user

Selected Firmware Entry:
        Title: Windows Boot Manager
    Partition: /dev/disk/by-partuuid/8axx4d75-f8ce-4xx1-b094-57xxxxxx20ce
         File: └─/EFI/Microsoft/Boot/bootmgfw.efi

No suitable data is provided by the boot manager. See:
  http://www.freedesktop.org/wiki/Software/systemd/BootLoaderInterface
  http://www.freedesktop.org/wiki/Specifications/BootLoaderSpec
for details.

Both systems (HP probook 4440s) actually use the HP custom boot option
so both boot direct to openSUSE and SLED...

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 GNOME 3.10.1 Kernel 3.12.28-4-default
up 13 days 19:59, 5 users, load average: 0.02, 0.21, 0.23
CPU Intel® B840@1.9GHz | GPU Intel® Sandybridge Mobile


--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [security-announce] Upcoming update for shim requires confirmation on reboot

Johannes Segitz
In reply to this post by gregfreemyer
On Fri, Jan 16, 2015 at 10:02:08AM -0500, Greg Freemyer wrote:
> That's a big deal.

No, it's not, the overwhelming majority of users are not affected.

> Can you explain how to use bootctl for those of us
> that aren't familiar with it.?

Of course.

> I have a VM in the cloud running 13.1.  No idea if it is a secure
> config.  Using bootctl I get:

It is not. When you run bootctl there are three relevant scenarios:

1, You see "Secure Boot: enabled" in the output. Then you're using a secure
boot configuration and are affected. You should update shim and prepare in
advance so that you can confirm the dialog.

2, You see "Secure Boot: disabled" but you also see something like
Selected Firmware Entry:
        Title: opensuse-secureboot
    Partition: /dev/disk/by-partuuid/dddddddd-cccc-bbbb-aaaa-ffffffffffff
         File: └─/EFI/opensuse/shim.efi
Then you're not using secure boot but shim is used on your system nonetheless.
You can either update shim and prepare in advance so that you can confirm the
dialog or you switch to booting grub directly since you're not using secure
boot anyway.

3, You see "Secure Boot: disabled" and don't have "shim" in the next few
lines. It should like this
Selected Firmware Entry:
        Title: grub
    Partition: /dev/disk/by-partuuid/dddddddd-cccc-bbbb-aaaa-ffffffffffff
         File: └─/EFI/opensuse/grub.efi
you're not affected. You can update shim and won't notice the difference.
This will be the case for the vast majority of users.

Best regards,
Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE LINUX GmbH        Maxfeldstraße 5            90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [security-announce] Upcoming update for shim requires confirmation on reboot

jdd@dodin.org
Le 16/01/2015 16:51, [hidden email] a écrit :
> On Fri, Jan 16, 2015 at 10:02:08AM -0500, Greg Freemyer wrote:

>> I have a VM in the cloud running 13.1.  No idea if it is a secure
>> config.  Using bootctl I get:
>
> It is not. When you run bootctl there are three relevant scenarios:
>

just for the record, is it possible to have secure boot in a VM?

thanks
jdd

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [security-announce] Upcoming update for shim requires confirmation on reboot

Johannes Segitz
In reply to this post by gregfreemyer
On Fri, Jan 16, 2015 at 05:18:27PM +0100, jdd wrote:
> just for the record, is it possible to have secure boot in a VM?

It is, but it is very unlikely that you will encounter that.
http://blog.hansenpartnership.com/uefi-secure-boot/

Johannes
--
GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE LINUX GmbH        Maxfeldstraße 5            90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)

signature.asc (836 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [security-announce] Upcoming update for shim requires confirmation on reboot

jdd@dodin.org
In reply to this post by jdd@dodin.org
Le 19/01/2015 09:21, [hidden email] a écrit :
> On Fri, Jan 16, 2015 at 05:18:27PM +0100, jdd wrote:
>> just for the record, is it possible to have secure boot in a VM?
>
> It is, but it is very unlikely that you will encounter that.
> http://blog.hansenpartnership.com/uefi-secure-boot/

that's good, thanks. In fact there is no use right now, apart
experimentation, but in a very near future, when uefi will be standard,
legacy boot may be deprecated

thanks
jdd

--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [security-announce] Upcoming update for shim requires confirmation on reboot

Carlos E. R.-2
On 2015-01-19 09:42, jdd wrote:
> that's good, thanks. In fact there is no use right now, apart
> experimentation, but in a very near future, when uefi will be standard,
> legacy boot may be deprecated

I hope not!

There are billions of "legacy boot" machines around.


--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)


signature.asc (205 bytes) Download Attachment