[Bug 1696599] [grub2-signed/zesty] possible regression found

Ubuntu Foundations Team Bug Bot 1696599 at bugs.launchpad.net
Thu Jun 22 19:37:18 UTC 2017


As a part of the Stable Release Updates quality process a search for
Launchpad bug reports using the version of grub2-signed from zesty-
proposed was performed and bug 1699790 was found.  Please investigate
this bug report to ensure that a regression will not be created by this
SRU. In the event that this is not a regression remove the
"verification-failed" tag from this bug report and add the tag "bot-
stop-nagging" to bug 1699790 (not this bug). Thanks!

** Tags added: verification-failed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1696599

Title:
  backport/sync UEFI, Secure Boot support

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in grub2 source package in Xenial:
  Fix Committed
Status in grub2-signed source package in Xenial:
  Fix Committed
Status in grub2 source package in Yakkety:
  Fix Committed
Status in grub2-signed source package in Yakkety:
  Fix Committed
Status in grub2 source package in Zesty:
  Fix Committed
Status in grub2-signed source package in Zesty:
  Fix Committed
Status in grub2 source package in Artful:
  Fix Released
Status in grub2-signed source package in Artful:
  Fix Released

Bug description:
  [Impact]
  Since the implementation of UEFI Secure Boot in Ubuntu, there have been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb.

  This SRU is handled as a wholesale "sync" with a known set of patches
  rather than individual cherry-picks given the high risk in cherry-
  picking individual changes; we do not want to risk subtly breaking
  Secure Boot support or introducing a security issue due to using
  different sets of patches across our currently supported releases.
  Using a common set of patches across releases and making sure we're in
  sync with "upstream" for that particular section of the grub2 codebase
  (specifically, UEFI/SB support is typically outside the GNU GRUB tree)
  allows us to make sure UEFI Secure Boot remains supportable and that
  potential security issues are easy to fix quickly given the complexity
  of the codebase.

  This is a complex set of enablement patches; most of them will be
  fairly straightforward backports, but there are a few known warts:

   * The included patches are based on grub2 2.02~beta3; as such, some
  patches require extra backporting effort of other pieces of the loader
  code down to releases that do not yet include 2.02~beta3 code.

  [Test Case]
  The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. After each installation, validate that Secure Boot is enabled by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as /sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation may be disabled).

  Tests should include:
  - booting with Secure Boot enabled
  - booting with Secure Boot enabled, but shim validation disabled
  - booting with Secure Boot disabled, but still in EFI mode

  [Regression Potential]
  Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1696599/+subscriptions
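
The [Test Case] above asks the verifier to confirm, after each install, which of the three boot modes the machine is actually in by looking at the SecureBoot-* and Mok* variables in efivarfs. The script below is an added example, not code from the bug report, shim or grub2: it reads those variables and classifies the boot. It assumes the efivarfs layout (a 4-byte little-endian attribute word followed by the variable data), that SecureBoot sits under the EFI global variable GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c, and that shim mirrors its "validation disabled" flag into MokSBStateRT under the shim GUID 605dab50-e046-4300-abb6-3dd810dd8b23; the EFIVARS override exists only so the functions can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example: classify the Secure Boot state of the running system from efivarfs.
# Assumptions (not from the bug report): efivarfs is mounted at /sys/firmware/efi/efivars,
# each file there is a 4-byte little-endian attribute word followed by the variable data,
# SecureBoot lives under the EFI global variable GUID, and shim mirrors its
# "validation disabled" flag into MokSBStateRT under the shim GUID.
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
SHIM_LOCK_GUID=605dab50-e046-4300-abb6-3dd810dd8b23

# efivar_byte DIR NAME-GUID
# Print the first data byte of an EFI variable as a decimal number, skipping the
# 4-byte attribute header efivarfs prepends; print "absent" if the variable is
# missing, unreadable or carries no data.
efivar_byte() {
    _f="$1/$2"
    if [ ! -r "$_f" ]; then
        echo absent
        return 0
    fi
    _b=$(od -An -tu1 -j4 -N1 "$_f" | tr -d ' \n')
    echo "${_b:-absent}"
}

# sb_state DIR
# Print one of: non-efi, sb-disabled, sb-enabled, sb-enabled-shim-validation-disabled.
# The last three are exactly the boot modes the test case asks to be exercised.
sb_state() {
    _dir="$1"
    if [ ! -d "$_dir" ]; then
        echo non-efi     # no efivarfs: legacy BIOS boot (or efivarfs not mounted)
        return 0
    fi
    case "$(efivar_byte "$_dir" "SecureBoot-$EFI_GLOBAL_GUID")" in
        1) ;;                             # firmware enforces signature checks
        *) echo sb-disabled; return 0 ;;  # 0, empty or absent: EFI boot without SB
    esac
    # MokSBStateRT=1 means shim was told (mokutil --disable-validation) to skip its
    # own verification of second-stage loaders even though firmware SB is on.
    if [ "$(efivar_byte "$_dir" "MokSBStateRT-$SHIM_LOCK_GUID")" = 1 ]; then
        echo sb-enabled-shim-validation-disabled
    else
        echo sb-enabled
    fi
}

# Usage: report this machine's state and list whatever other Mok* variables are present.
echo "Secure Boot state: $(sb_state "$EFIVARS")"
[ -d "$EFIVARS" ] && ls "$EFIVARS" 2>/dev/null | grep '^Mok' || true
```

A boot that reports sb-enabled-shim-validation-disabled has firmware Secure Boot on but shim no longer checking the grub2 image it loads, which is why the test case treats it as a distinct mode rather than a variant of sb-enabled; a verifier who only looks at SecureBoot-* would not see the difference.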
