Bug 2300165 (CVE-2024-8105)

Summary: CVE-2024-8105 linux-firmware: PKfail secure boot bypass
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: pbrobinson, rkeshri
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: pbrobinson: needinfo? (rgatica)
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The PKfail flaw was discovered in Secure Boot. It is a firmware supply-chain issue that affects hundreds of device models in the UEFI ecosystem. The Secure Boot "master key," known as the Platform Key, which manages the Secure Boot databases and maintains the chain of trust from firmware to the operating system, is often not replaced by OEMs or device vendors. This issue results in devices shipping with untrusted keys. This issue allows an attacker with access to the private part of the PK to bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2300167
Bug Blocks:

Description Robb Gatica 2024-07-26 22:00:43 UTC
PKfail is a firmware supply-chain issue affecting hundreds of device models in the UEFI ecosystem. The problem arises from the Secure Boot "master key," known as the Platform Key (PK) in UEFI terminology, which is untrusted because it is generated by Independent BIOS Vendors (IBVs) and shared among different vendors.

This Platform Key, which manages the Secure Boot databases and maintains the chain of trust from firmware to the operating system, is often not replaced by OEMs or device vendors, resulting in devices shipping with untrusted keys.

An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).
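An added example (not part of this report, of Red Hat's tooling, or of linux-firmware) that parses the EFI_SIGNATURE_LIST format shared by the PK, KEK, db and dbx variables described above, so an administrator can fingerprint the Platform Key actually installed on a Linux host and compare it with the value the OEM publishes. The efivarfs path and the GUIDs come from the UEFI specification and the Linux sysfs layout; the sample blob at the bottom is constructed and carries a placeholder payload rather than a real certificate.

```python
"""Parse UEFI Secure Boot signature lists (PK, KEK, db, dbx).

Added example, not code from the bug report or from linux-firmware. It walks
the EFI_SIGNATURE_LIST structure from the UEFI specification and reports a
SHA-256 fingerprint for every entry, so the installed Platform Key can be
checked against the one the device vendor documents.
"""
from __future__ import annotations

import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

SIG_TYPES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}

# Variable name -> vendor GUID, as used in efivarfs file names.
VARIABLES = {
    "PK": EFI_GLOBAL_VARIABLE,
    "KEK": EFI_GLOBAL_VARIABLE,
    "db": EFI_IMAGE_SECURITY_DATABASE,
    "dbx": EFI_IMAGE_SECURITY_DATABASE,
}

EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_signature_lists(blob: bytes) -> list[dict]:
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (little-endian).

    EFI_GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    | UINT32 SignatureSize | SignatureHeader[] | EFI_SIGNATURE_DATA[] where each
    EFI_SIGNATURE_DATA is { EFI_GUID SignatureOwner; UINT8 Data[] }.
    """
    entries = []
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = blob[off + 28 + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature data not a multiple of SignatureSize at {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            data = body[i + 16:i + sig_size]
            entries.append({
                "type": SIG_TYPES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        off += list_size
    if off != len(blob):
        raise ValueError("trailing bytes after last EFI_SIGNATURE_LIST")
    return entries


def read_efivar(name: str) -> bytes | None:
    """Read a Secure Boot variable from efivarfs, dropping the 4-byte attribute prefix."""
    path = EFIVARS / f"{name}-{VARIABLES[name]}"
    if not path.exists():
        return None
    return path.read_bytes()[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list[bytes]) -> bytes:
    """Construct one EFI_SIGNATURE_LIST; used here only for the offline sample."""
    sig_size = 16 + len(payloads[0])
    if any(len(p) + 16 != sig_size for p in payloads):
        raise ValueError("all entries in one list must have the same size")
    list_size = 28 + sig_size * len(payloads)
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for p in payloads:
        out += owner.bytes_le + p
    return out


# Constructed sample: one X509-typed entry whose payload is a placeholder, not a real DER cert.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PK = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"PLACEHOLDER-PK-CERT"])


if __name__ == "__main__":
    for var in VARIABLES:
        blob = read_efivar(var)
        if blob is None:
            print(f"{var}: not present (no efivarfs, or firmware in setup mode)")
            continue
        for e in parse_signature_lists(blob):
            print(f"{var}: {e['type']:6} owner={e['owner']} sha256={e['sha256']}")
```

Run as root on a UEFI host to list every entry in the four variables; the fingerprint printed for PK is what should be compared against the vendor's published Platform Key, and the same parser applies to the KEK, db and dbx lists that the PK is authorised to modify.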

Comment 2 Peter Robinson 2025-03-30 07:32:28 UTC
Robb, there is not a single UEFI firmware that ships as part of linux-firmware; they are generally shipped by the vendors through services such as LVFS, so I believe this report is completely incorrect/inaccurate. Please provide more details as to why you think this is accurate.