Impact
On arm64 and riscv64, systemd-boot allows a local user to specify a device tree blob (DTB) and loads it, even when Secure Boot is enabled, when type #1 BLS setups are used. DTBs are loaded and parsed by the kernel before ExitBootServices(), and the kernel itself disallows loading DTBs via the dtb= kernel command line option when Secure Boot is enabled.
This feature was introduced in v250 by commit 6e86342bb82.
As far as we are aware, there are no Shim-trusted arm64/riscv64 systemd-boot binaries published anywhere, so the severity and impact are low, as it affects only local self-signed secure boot deployments of systemd-boot on arm64/riscv64.
Patches
Fixed in main and in 254.4, 253.11, 252.17, 251.19, 250.13
#29228
systemd/systemd-stable#324
systemd/systemd-stable#325
systemd/systemd-stable#326
systemd/systemd-stable#327
systemd/systemd-stable#328
Workarounds
Use type #2 BLS setups.
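As an added example (not part of the advisory or the systemd project), the following check helps an administrator of a self-signed Secure Boot deployment decide whether they are exposed: it maps a reported systemd version and architecture onto the fixed versions listed above, and scans type #1 BLS entry files for the devicetree key that this issue concerns. The sample entry contents are constructed; the assumption that releases after 254 branch from the already-fixed main is labelled in the code.

```python
import re
from typing import Dict, List

# Minor version carrying the fix, per affected major (from the advisory).
FIXED_MINOR = {250: 13, 251: 19, 252: 17, 253: 11, 254: 4}
AFFECTED_ARCHES = {"arm64", "aarch64", "riscv64"}


def is_vulnerable_version(version: str, arch: str) -> bool:
    """True if this systemd-boot version/arch is affected by the DTB issue."""
    if arch not in AFFECTED_ARCHES:
        return False
    m = re.match(r"^(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unparseable systemd version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    if major < 250:          # feature only introduced in v250
        return False
    if major > 254:          # assumption: later releases branch from fixed main
        return False
    return minor < FIXED_MINOR[major]


def parse_bls_entry(text: str) -> Dict[str, List[str]]:
    """Parse a type #1 BLS entry (key, whitespace, value per line)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        entry.setdefault(key, []).append(value)
    return entry


def entries_with_devicetree(entries: Dict[str, str]) -> List[str]:
    """Names of entries that ask the boot loader to load a DTB."""
    return sorted(name for name, text in entries.items()
                  if "devicetree" in parse_bls_entry(text))


# Constructed sample contents of /boot/loader/entries/*.conf for a demo run.
SAMPLE_ENTRIES = {
    "distro-6.5.conf": "title Distro\nlinux /vmlinuz-6.5\ninitrd /initramfs.img\n"
                       "options root=/dev/vda2 ro\n",
    "custom.conf": "title Custom\nlinux /vmlinuz-custom\n"
                   "devicetree /dtbs/board.dtb\noptions root=/dev/vda2\n",
}

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_version("254.1", "arm64"))
    print("entries loading a DTB:", entries_with_devicetree(SAMPLE_ENTRIES))
```

On a real system, feed it the output of bootctl's reported version and the contents of each file under /boot/loader/entries/.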
References
#29228