1318667 – RHEL7.3: grub2-efi needs multiboot2 and relocator modules

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1318667 - RHEL7.3: grub2-efi needs multiboot2 and relocator modules

Summary: RHEL7.3: grub2-efi needs multiboot2 and relocator modules

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	grub2
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	7.4
Assignee:	Tony Camuso
QA Contact:	Release Test Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-03-17 13:26 UTC by Tony Camuso
Modified:	2021-09-09 11:48 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-04-06 11:27:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Tony Camuso 2016-03-17 13:26:21 UTC

Description of problem:
Installed tboot on an efi system, and grub2-efi was unable to find multiboot2 or module2 commands.

Version-Release number of selected component (if applicable):
grub2-efi

How reproducible: 100%

Steps to Reproduce:
1. Install RHEL7.3 through UEFI
2. install tboot
3. Run grub2-mkconfig
4. Boot the tboot entry in the grub menu

Actual results:
grub cannot find multiboot2 or module2 commands.

Expected results:
Successful boot

Additional info:
When I installed grub2-efi-modules and copied the multiboot2.mod and relocator.mod files into the /boot/efi/EFI/redhat/x86_64-efi/ directory, I was able to boot through tboot. These files should be included in the grub2-efi build.

Comment 2 Tony Camuso 2016-03-28 11:35:37 UTC

After discussing this with the Red Hat grub maintainer and the Red Hat UEFI maintainer, we have concluded that tboot cannot be securely adapted to work with UEFI for the following reasons. 

If we made all the changes necessary to support tboot in EFI Secure Boot mode, there is the possibility that tboot would load a blacklisted kernel, because it checks with the TPM hardware for hashes, not with EFI for keys. This is a security regression from Secure Boot mode.

Also, the necessity to use the multiboot module in grub in order to load tboot presents another regression from Secure Boot mode.

Furthermore, tboot is specific to x86_64 hardware, so it is not a generic root-of-trust solution, whereas Secure Boot is. 

We are devising patches that will gracefully reject creating tboot stanzas in grub.cfg or even installing tboot on a system with an EFI partition, but they will not be ready in time for RHEL6.8. Meanwhile, we must advise against using tboot on systems installed with EFI partitions.

However, the tboot package continues to provide good security for legacy BIOS systems, and has been updated to include the latest upstream patches as of March 1, 2016, which fixes some known bugs. 

See advisory "RHBA-2016:22981-02 tboot bug fix and enhancement update".

Comment 3 nsun1 2016-04-05 21:35:33 UTC

UEFI secure boot is different from Intel TXT trusted boot.
Intel TXT trusted boot can boot from UEFI BIOS when UEFI is not in Secure mode.

Comment 4 Tony Camuso 2016-04-06 11:27:43 UTC

tboot with UEFI is unsupported. 

tboot cannot be loaded by grub2-efi without the addition of the multiboot2 and relocator grub2 modules. 

Red Hat as decided not to include these modules in the grub2-efii build, because multiboot2 presents a security risk. 

Furthermore, tboot could load an image that is blacklisted by Secure Boot, which presents yet another security threat.

If you have UEFI, use Secure Boot. Not only is it a more secure technology, it is more generic and can be deployed across different architectures without any architecture-specific provisioning.

Comment 5 nsun1 2016-04-06 16:12:21 UTC

Under UEFI, there are two modes, one is secure boot mode, another is non-secure boot mode.
In non-secure boot mode, tboot still can work with UEFI for platform trust and attestation, just like tboot in legacy BIOS environment.
in this way, we can provides more choices to end users for their security requirements.

Comment 6 Tony Camuso 2016-04-06 16:19:41 UTC

(In reply to nsun1 from comment #5)
> Under UEFI, there are two modes, one is secure boot mode, another is
> non-secure boot mode.
> In non-secure boot mode, tboot still can work with UEFI for platform trust
> and attestation, just like tboot in legacy BIOS environment.
> in this way, we can provides more choices to end users for their security
> requirements.

While this is true, grub2-efi does not contain the mutliboot2 module necessary to launch a kernel via tboot, due to the security compromise it introduces in Secure Boot mode. We are looking for a way to address this, but meanwhile we cannot say that we support it.

See https://access.redhat.com/articles/2217041

Comment 7 Greg Waines 2017-10-18 12:28:28 UTC

I understand your concern about multiboot2 presenting a security risk,
since this enables loading of multiboot-type modules that are not 
signature checked by SHIM.

However GRUB does support signature checking of loaded multiboot-type modules.
If this is enabled, does this address your concerns ?

i.e.
UEFI would check SHIM
SHIM would check GRUB (with multiboot built in)
GRUB would check tboot (loaded via multiboot )
GRUB would check kernel (loaded via multiboot, on request from tboot )

( i think ... apologize, i'm not a shim, grub, boot firmware expert )

Comment 8 Tony Camuso 2018-06-26 07:42:39 UTC

tboot does NOT work with UEFI in any RHEL.

There are no plans of which I am aware to install the necessary the multiboot modules in RHEL to do so.

Comment 9 Greg Waines 2018-06-26 11:11:32 UTC

Just fyi, the rationale for wanting tboot and UEFI Secure Boot to work together is as follows:
- UEFI Secure Boot provides a fairly easy way to administer Secure Boot Keys in order to provide secure booting of a server; i.e. typically with signature checks of shims, boot loaders, kernel and even kernel modules,
- tboot provides measurements and optional boot time checks of similar items; but also includes hardware bios type measurements.  These measurements are stored in PCR registers of TPM Security Device which can then be used as a source of info and mechanism for the server to interwork with Remote Attestation Servers.
- the downside of tboot is that the optional boot time checks, managed thru Launch Control Policies (LCP), are actually administratively difficult to manage ... at least compared to the management of Secure Boot keys for UEFI Secure Boot.

So the reason for looking for both tboot and UEFI Secure Boot was to get the best of both worlds, i.e.
- administratively easy management of secure booting of a server from UEFI Secure Boot, and
- support for secure measurements of ALL components of server, hardware up to application space, and support of Remote Attestation clients ... from tboot

Note You need to log in before you can comment on or make changes to this bug.