[Bug 1341944] [NEW] 32-Bit UEFI bootloader support needed
ClairelyClaire
claire at abettergeek.com
Tue Jul 15 04:01:09 UTC 2014
*** This bug is a security vulnerability ***

Public security bug reported:

As of now, Ubuntu and other major Linux distributions do not support the
use of a 32-bit EFI bootloader on UEFI machines. This has become
extremely problematic due to the popularity of Intel Atom-based tablets
and compact laptops. Atom-based devices are generally limited in storage
space (32GB or 64GB eMMC is common), and as a result these devices
almost universally ship with Windows 8.1 32-bit installed (winsxs
consumes a significant amount of storage space in order to support
32-bit binaries in a 64-bit environment). By design, UEFI must use the
same architecture used by the bootloader.

While most modern computers indeed use a 64-bit UEFI implementation due
to the fact that new computers generally ship with a 64-bit operating
system (be it OS X or Windows 8.1), Atom-based devices do *not* use a
64-bit operating system or UEFI implementation. This is by design.

Intel released a new Atom iteration (Bay Trail) in late 2013 and has
indicated that they will continue to develop and release Atom CPUs due
to consumer market demand. At the time of this filing there are a number
of Atom-based tablets and compact laptops/netbooks being actively sold
and marketed by major OEMs including Dell, HP, ASUS, and Acer. None of
these devices have 64-bit UEFI firmware. It is also important to note
that these Atom CPUs are 64-bit, but explicitly require a 32-bit UEFI
bootloader.

The current Linux kernel in Ubuntu 14.04 does support booting the 64-bit
signed kernel from a 32-bit Grub EFI bootloader. I can confirm this on
at least two 32-bit UEFI devices, the ASUS Transformer T100TA and the
Acer Aspire Switch 10. Unfortunately, the lack of official 32-bit EFI
bootloader support in Ubuntu makes accomplishing this far from trivial
and beyond the capacity of many users new to Linux as an alternative to
Microsoft Windows.

This bug is currently marked as a security vulnerability due to the fact
that as of now, it is necessary to compile Grub2 32-bit EFI manually in
order to boot Linux. This negates the digital signature check that
allows keeping Secure Boot enabled on modern UEFI-based machines.

Considering the above, it is very important to include a 32-bit UEFI
bootloader as an update to Grub2 in Trusty and all future releases of
Ubuntu.

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: 32-bit efi uefi

** Information type changed from Private Security to Public Security
--
https://bugs.launchpad.net/bugs/1341944
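
Added example, not part of the bug report and not GRUB or Ubuntu code: a check of the two properties the report turns on, namely whether an EFI loader's PE/COFF architecture matches the firmware and whether it carries an attached signature at all. The function names and the sample headers are constructed for illustration; a present signature blob only means one is attached, not that the firmware trusts it.

```python
import struct

MACHINES = {0x014C: ("ia32", 32), 0x8664: ("x64", 64)}  # PE/COFF Machine values

def inspect_efi_binary(data: bytes) -> dict:
    """Return loader architecture and whether an Authenticode blob is attached."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    opt = pe_off + 24                  # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]           # PE32 vs PE32+ directory offset
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    # Data directory 4 is the Certificate Table (file offset, size).
    _, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8) if n_dirs > 4 else (0, 0)
    name, bits = MACHINES.get(machine, ("unknown", 0))
    return {"arch": name, "bits": bits, "has_signature": cert_size > 0}

def boot_verdict(firmware_bits: int, secure_boot: bool, info: dict) -> str:
    """Hypothetical helper: would this loader start on the given firmware?"""
    if info["bits"] != firmware_bits:
        return "rejected: loader architecture does not match firmware"
    if secure_boot and not info["has_signature"]:
        return "rejected: unsigned loader, Secure Boot would have to be disabled"
    return "loadable"  # an attached signature must still chain to a trusted key

def make_sample(machine: int, magic: int, cert_size: int) -> bytes:
    """Constructed minimal PE header (not a real bootloader) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    opt_len = 96 if magic == 0x10B else 112
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_len + 16 * 8, 0x0002)
    opt = bytearray(opt_len + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, opt_len - 4, 16)
    struct.pack_into("<II", opt, opt_len + 4 * 8, 0x400 if cert_size else 0, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    self_built = inspect_efi_binary(make_sample(0x014C, 0x10B, 0))  # manual 32-bit build
    print(self_built, boot_verdict(32, True, self_built))
```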