Commit 13ab598
add SbatLevel entry 2025051000 for PSA-2025-00012-1
From the advisory text:
> The NTFS fixes for the issues described in PSA-2025-00005-1 were reverted due
> to a regression. This was done under the assumption that the NTFS Grub module
> could not be loaded with Secure Boot enabled. However, this was not the case
> when the module was part of the monolithic GRUB EFI binary used in default
> setups that enable Secure Boot. To fix this, exclude the NTFS module from
> being part of the monolithic GRUB EFI binary.
This issue was specific to the Proxmox variant of Grub 2.06 because:
- it contains a partial revert of the NTFS fixes from February 2025 that caused
  regressions
- it contains NTFS in the list of modules to be included in the signed Grub
  image
- it is still based on 2.06 with Debian's implementation of booting
This combination made the patch disallowing NTFS to be loaded while in lockdown
mode ineffective, as the module was built into the (signed) monolithic EFI
image used for booting.
We've released fixed Grub builds with our vendor-specific SBAT level bumped to
`proxmox.grub,2`, as in this commit.
See https://forum.proxmox.com/threads/149331/page-2#post-782751
and rhboot/shim-review#467 (comment)
for details
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

1 parent 7670932 commit 13ab598

1 file changed, +7 -0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
125 | 125 | | |
126 | 126 | | |
127 | 127 | | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
| 132 | + | |
| 133 | + | |
| 134 | + | |