PKfail is a firmware supply-chain issue affecting hundreds of device models in the UEFI ecosystem. The problem arises from the Secure Boot "master key," known as the Platform Key (PK) in UEFI terminology, which is untrusted because it is generated by Independent BIOS Vendors (IBVs) and shared among different vendors. This Platform Key, which manages the Secure Boot databases and maintains the chain of trust from firmware to the operating system, is often not replaced by OEMs or device vendors, resulting in devices shipping with untrusted keys. An attacker with access to the private part of the PK can easily bypass Secure Boot by manipulating the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx).
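A first defensive step against the issue described above is to look at what Platform Key a device actually enrolled. The following is an added example, not code from the report or from any project mentioned here: it parses the PK variable's `EFI_SIGNATURE_LIST` structures (header layout as defined in the UEFI specification) and fingerprints each embedded X.509 certificate so the result can be compared with lists of known untrusted test keys published by the researchers or by the device vendor. It assumes a Linux host exposing `efivarfs` under `/sys/firmware/efi/efivars`; when that path is unavailable it falls back to a constructed sample whose "certificate" bytes are a labelled placeholder rather than real DER.

```python
"""Inspect a UEFI Platform Key (PK) variable: parse its EFI_SIGNATURE_LIST
entries and fingerprint the embedded certificates (added example)."""
import hashlib
import struct
import uuid
from dataclasses import dataclass
from typing import List, Tuple

# GUIDs taken from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"          # PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # db, dbx

# EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIG_LIST_HEADER = struct.Struct("<16sIII")


@dataclass
class SignatureEntry:
    sig_type: uuid.UUID   # e.g. EFI_CERT_X509_GUID
    owner: uuid.UUID      # SignatureOwner field of EFI_SIGNATURE_DATA
    data: bytes           # DER-encoded certificate for X.509 entries


def parse_signature_lists(blob: bytes) -> List[SignatureEntry]:
    """Walk the concatenated EFI_SIGNATURE_LIST structures in a variable body."""
    entries: List[SignatureEntry] = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = SIG_LIST_HEADER.unpack_from(blob, off)
        body_start = off + SIG_LIST_HEADER.size + hdr_size
        body_end = off + list_size
        if list_size < SIG_LIST_HEADER.size + hdr_size or body_end > len(blob):
            raise ValueError("SignatureListSize inconsistent with available data")
        if sig_size <= 16 or (body_end - body_start) % sig_size:
            raise ValueError("SignatureSize does not divide the signature area")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for i in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[i:i + 16])
            entries.append(SignatureEntry(sig_type, owner, blob[i + 16:i + sig_size]))
        off = body_end
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: List[bytes]) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (every signature in a list has equal size)."""
    sig_size = 16 + len(sigs[0])
    if any(len(s) + 16 != sig_size for s in sigs):
        raise ValueError("all signatures in one list must have the same size")
    list_size = SIG_LIST_HEADER.size + sig_size * len(sigs)
    header = SIG_LIST_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + s for s in sigs)


def fingerprint(entry: SignatureEntry) -> str:
    """SHA-256 over the raw entry data; for X.509 entries this matches the
    certificate fingerprint openssl prints for the DER, without the colons."""
    return hashlib.sha256(entry.data).hexdigest()


def is_well_formed(blob: bytes) -> bool:
    """True when the blob parses as a valid sequence of signature lists."""
    try:
        parse_signature_lists(blob)
        return True
    except ValueError:
        return False


def read_efi_variable(name: str, guid: str) -> bytes:
    """Read a variable through efivarfs; the first 4 bytes are the attribute flags."""
    with open(f"/sys/firmware/efi/efivars/{name}-{guid}", "rb") as f:
        return f.read()[4:]


def summarize(blob: bytes) -> List[Tuple[str, str, int, str]]:
    """(signature type, owner, data length, fingerprint) for each entry."""
    return [(str(e.sig_type), str(e.owner), len(e.data), fingerprint(e))
            for e in parse_signature_lists(blob)]


# Constructed sample: one X.509 entry whose certificate bytes are a placeholder,
# not real DER. A real PK entry would carry the OEM's (or, in the PKfail case,
# the IBV test) certificate here.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")
SAMPLE_PK_BLOB = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                                      [b"PLACEHOLDER-DER-CERT"])

if __name__ == "__main__":
    try:
        pk = read_efi_variable("PK", EFI_GLOBAL_VARIABLE_GUID)
    except OSError:
        pk = SAMPLE_PK_BLOB   # not a UEFI Linux host: show the constructed sample
    for row in summarize(pk):
        print(row)
```

On a real system the printed fingerprint is what you compare against the published list of untrusted keys; the same parser works on KEK, db and dbx (the latter two live under `EFI_IMAGE_SECURITY_DATABASE_GUID`), which is useful because those are exactly the databases a holder of the PK private key could rewrite.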
Robb, there is not a single UEFI firmware that ships as part of linux-firmware; they are generally shipped by the vendors through services such as LVFS, so I believe this report is completely incorrect/inaccurate. Please provide more details as to why you think this is accurate.