Bug#1035118: linux-base: Presence of GPG signatures in /boot causes wrong kernels to be listed with linux-version

Package: linux-base
Version: 4.6
Severity: important
X-Debbugs-Cc: debian.627of@simplelogin.com

Dear Maintainer,

Grub2 supports additional secure boot capabilities that are not commonly used but are required for security. These new features are being referenced in some security guides online.  An end user may sign their initrd.img and vmlinuz files with a GPG detached signature. See Grub2's manual, section 18.2 "Using digital signatures in GRUB" for details.

Presence of these detached signatures causes the "linux-version" script to return the .sig files as valid kernels.  Thus, when something runs update-initramfs -u (which calls "linux-version list"), the initramfs script will ingest the output from linux-version and overwrite an initrd.sig file with an initramfs, as well as several other negative effects from not having the proper kernel modules available.

The impact is an unbootable system, where Grub attempts to boot the correct kernel, but the initrd.img is not updated with new data, and the signature for the original initrd.img is overwritten with improper data. The system can be recovered by picking an old kernel in the grub bootloader.

Thank you

-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (100, 'bullseye-fasttrack')
Architecture: amd64 (x86_64)

Kernel: Linux 6.2.13-stripes-1-s-1.58 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_RANDSTRUCT
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-base depends on:
ii  debconf [debconf-2.0]  1.5.77

linux-base recommends no packages.

linux-base suggests no packages.

-- debconf information:
  linux-base/removing-title:
  linux-base/removing-running-kernel: true
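The listing behaviour the report describes, as an added illustration (this is not the linux-version script itself): a constructed /boot layout holding a GPG-signed kernel next to an unsigned one, a naive prefix-stripping lister that returns the detached .sig as if it were a kernel version, and a variant that skips signature files. The file names are constructed from the versions mentioned in the report.

```shell
# Constructed /boot layout: one kernel with detached GPG signatures
# (vmlinuz + initrd.img, each with a .sig) and one unsigned kernel.
setup_boot() {
  dir=$(mktemp -d)
  for f in vmlinuz-6.2.13-stripes-1-s-1.58 \
           vmlinuz-6.2.13-stripes-1-s-1.58.sig \
           initrd.img-6.2.13-stripes-1-s-1.58 \
           initrd.img-6.2.13-stripes-1-s-1.58.sig \
           vmlinuz-5.10.0-22-amd64 \
           initrd.img-5.10.0-22-amd64; do
    : > "$dir/$f"
  done
  printf '%s\n' "$dir"
}

# Naive version extraction: every vmlinuz-* match has its prefix stripped,
# so the detached signature shows up as a bogus "version" ending in .sig.
# This reproduces the effect described in the report.
naive_versions() {
  for k in "$1"/vmlinuz-*; do
    printf '%s\n' "${k##*/vmlinuz-}"
  done | sort
}

# Hardened variant: skip detached signatures before extracting the version,
# so update-initramfs would never be handed a .sig path to overwrite.
filtered_versions() {
  for k in "$1"/vmlinuz-*; do
    case "$k" in *.sig) continue ;; esac
    printf '%s\n' "${k##*/vmlinuz-}"
  done | sort
}
```

Running `naive_versions` on the constructed directory yields three entries including `6.2.13-stripes-1-s-1.58.sig`, while `filtered_versions` yields only the two real kernel versions.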
