[Bug 1565950] Re: Grub 2 fails to boot a kernel on a luks encrypted volume with Secure Boot enabled
Launchpad Bug Tracker
1565950 at bugs.launchpad.net
Wed Mar 6 15:20:47 UTC 2019
This bug was fixed in the package grub2 - 2.02+dfsg1-12ubuntu1
---------------
grub2 (2.02+dfsg1-12ubuntu1) disco; urgency=medium
* Merge against Debian unstable; remaining changes (LP: #564853):
- debian/control: Update Vcs fields for code location on Ubuntu.
- debian/control: Breaks shim (<< 13).
- Secure Boot support: use newer patchset from rhboot repo:
- many linuxefi_* patches added and modified
- dropped debian/patches/linuxefi_require_shim.patch
- renamed: debian/patches/no_insmod_on_sb.patch ->
debian/patches/linuxefi_no_insmod_on_sb.patch
- debian/patches/install_signed.patch, grub-install-extra-removable.patch:
- Make sure that if we install shim, it is also exported as the default
bootloader to install later to a removable path, if we do.
- Rework grub-install-extra-removable.patch to reverse its logic: in the
default case, install the bootloader to /EFI/BOOT, unless we're trying
to install on a removable device, or explicitly telling grub *not* to
do it.
- Install a BOOT.CSV for fallback to use.
- Make sure postinst and templates know about the replacement of
--force-extra-removable with --no-extra-removable.
- debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
--auto-nvram option to grub-install for auto-detecting NVRAM availability
before attempting NVRAM updates.
- debian/build-efi-images: provide a new grub EFI image which enforces that
loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
the same as grub$arch.efi minus the 'linux' module. Without fallback to
'linux' for unsigned loading, this makes it effectively enforce having a
signed kernel.
- Verify that the current and newer kernels are signed when grub is
updated, to make sure people do not accidentally shut down without a
signed kernel.
- debian/default/grub: replace GRUB_HIDDEN_* variables with the less
confusing GRUB_TIMEOUT_STYLE=hidden.
- debian/patches/support_initrd-less_boot.patch: Added knobs to allow
non-initrd boot config.
- Disable os-prober for ppc64el on the PowerNV platform, to reduce the
number of entries/clutter from other OSes in Petitboot.
- debian/patches/shorter_version_info.patch: Only show the upstream version
in menu and console, and hide the package one in a package_version
variable.
- debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
'text' payload if it's not supported but present in gfxpayload, such as
on EFI systems.
- debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
sizes as block sizes in bufio: this avoids potentially seeking back in
the files unnecessarily, which may require re-opening files that cannot be
seeked into, such as via TFTP.
- debian/patches/ofnet-init-structs-in-bootpath-parser.patch: initialize
structs in bootpath parser.
- debian/rules: shuffle files around for now to keep build artefacts
for signing at the same location as they were expected by Launchpad.
- debian/rules, debian/control: enable dh-systemd.
- debian/grub-common.install.in: install the systemd unit that's part of
initrd fallback handling, missed when the feature landed.
- debian/patches/quick-boot-lvm.patch: If we don't have writable
grubenv and we're on EFI, always show the menu.
- debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
leaves a trace of what files were sourced to help generate the config
we're building.
- debian/patches/linuxefi_truncate_overlong_reloc_section.patch: Windows
7 bootloader has inconsistent headers; truncate to the smaller, correct
size to fix chainloading Windows 7.
- debian/patches/linuxefi_fix_relocate_coff.patch: fix typo in
relocate_coff() causing issues with relocation of code in chainload.
- debian/patches/add-initrd-less-boot-fallback.patch: add initrd-less
capabilities. If a kernel fails to boot without initrd, we will fallback
to trying to boot the kernel with an initrd. Patch by Chris Glass.
- debian/patches/grub-reboot-warn.patch: Warn when "for the next
boot only" promise cannot be kept.
* Refreshed patches and fixed up attribution to the right authors after
merge with Debian.
* debian/patches/linuxefi_missing_include.patch,
debian/patches/linuxefi_fixing_more_errors.patch: Apply some additional
small fixes to casts, format strings, includes and Makefile to make sure
the newer linuxefi patches apply and build properly.

grub2 (2.02+dfsg1-12) unstable; urgency=medium
[ Colin Watson ]
* Remove code to migrate grub-pc/install_devices to persistent device
names under /dev/disk/by-id/. This migration happened in
1.98+20100702-1, which was in squeeze (four stable releases ago), so we
no longer need to carry around this complex code.
* Preserve previous answer to grub-pc/install_devices if we have to ask
grub-pc/install_devices_disks_changed and the user chooses not to
install to any devices, so that we can recover from temporary bugs that
cause /dev/disk/by-id/ paths to change (closes: #919029).
* debian/signing-template.json.in: Add trusted_certs key (empty, since
GRUB has no hardcoded list of trusted certificates).
* util: Detect more I/O errors (closes: #922741).
[ Leif Lindholm ]
* arm64/efi: Fix grub_efi_get_ram_base().
[ Steve McIntyre ]
* grub-install: Check for arm-efi as a default target (closes: #922104).
[ James Clarke ]
* osdep/freebsd: Fix partition calculation for EBR entries (closes:
#923253).

grub2 (2.02+dfsg1-11) unstable; urgency=medium
[ Colin Watson ]
* Apply patches from Alexander Graf to set arm64-efi code offset to
EFI_PAGE_SIZE (closes: #919012, LP: #1812317).
* Upgrade to debhelper v10.
* Set Rules-Requires-Root: no.
* Add help and ls modules to signed UEFI images (closes: #919955).
* Fix application of answers from dpkg-reconfigure to /etc/default/grub
(based loosely on a patch by Steve Langasek, for which thanks; closes:
#921702).
[ Steve McIntyre ]
* Make grub-efi-amd64-signed recommend shim-signed (closes: #919067).
[ Jeroen Dekkers ]
* Initialize keyboard in at_keyboard module init if keyboard is ready
(closes: #741464).
[ John Paul Adrian Glaubitz ]
* Include a.out header in assembly of sparc64 boot loader (closes:
#921249).
[ Hervé Werner ]
* Fix setup on Secure Boot systems where cryptodisk is in use (closes:
#917117).
[ Debconf translations ]
* [de] German (Helge Kreutzmann and Holger Wansing; closes: #921018).

grub2 (2.02+dfsg1-10) unstable; urgency=medium
* Apply patch from Heinrich Schuchardt (mentioned in #916695 though
unrelated):
- grub-core/loader/efi/fdt.c: do not copy random memory
* Add luks modules to signed UEFI images (pointed out by Alex Griffin and
Hervé Werner; closes: #908162, LP: #1565950).
* Keep track of the previous version of /usr/share/grub/default/grub and
set UCF_FORCE_CONFFOLD=1 when running ucf if it hasn't changed; ucf
can't figure this out for itself since we apply debconf-based
customisations on top of the template configuration file (closes:
#812574, LP: #564853).
* Backport Xen PVH guest support from upstream (closes: #776450). Thanks
to Hans van Kranenburg for testing.

grub2 (2.02+dfsg1-9) unstable; urgency=medium
[ Colin Watson ]
* Sync Maintainer/Uploaders in debian/signing-template/control.in with the
main packaging.
* Tell reportbug to submit bug reports against unsigned packages rather
than generated signed packages.
* Update Homepage, debian/copyright Source, and debian/watch to use HTTPS.
* Move bash completions to /usr/share/bash-completion/completions/grub and
add appropriate symlinks (closes: #912852).
* Build with GCC 8 (closes: #915735).
[ Leif Lindholm ]
* Apply patch series (mostly) from upstream to switch the arm loader over
to use the arm64 loader code and improve arm/arm64 initrd handling
(closes: #907596, #909420, #915091).
[ Matthew Garrett ]
* Don't enforce Shim signature validation if Secure Boot is disabled.

grub2 (2.02+dfsg1-8) unstable; urgency=medium
* Revise grub-<platform>-bin and grub-<platform> package descriptions to
try to explain better how they fit together and which one should be used
(based loosely on work by Justin B Rye, for which thanks; closes:
#630224).
* Skip flaky grub_cmd_set_date test (closes: #906470).
* Work around bug in obsolete init-select package: add Conflicts/Replaces
from grub-common, and take over /etc/default/grub.d/init-select.cfg with
a no-op stub (thanks to Guillem Jover for the suggestion; closes:
#863801).
* Build-depend on dosfstools and mtools on non-Linux variants of
i386/amd64/arm64 as well, to match debian/rules.
* Cherry-pick from upstream:
- i386/linux: Add support for ext_lfb_base (LP: #1785033).
* Don't source /etc/default/grub.d/*.cfg in config maintainer scripts,
since otherwise we incorrectly merge settings from there into
/etc/default/grub (closes: #872637, LP: #1797894).
* Add xfs module to signed UEFI images (closes: #911147, LP: #1652822).
* Cope with / being on a ZFS root dataset (closes: #886178).
[ Debconf translations ]
* [sv] Swedish (Martin Bagge and Anders Jonsson; closes: #851964).

grub2 (2.02+dfsg1-7) unstable; urgency=medium
* Move kernel maintainer script snippets into grub2-common (thanks,
Bastian Blank; closes: #910959).
* Add cryptodisk and gcry_* modules to signed UEFI images (closes:
#908162, LP: #1565950).
* Remove dh_builddeb override to use xz compression; this has been the
default since dpkg 1.17.0.

grub2 (2.02+dfsg1-6) unstable; urgency=medium
* Only build *-signed packages on their native architecture for now, since
otherwise we end up with clashing source packages (closes: #906596).
* Refer to source packages in Built-Using, not binary packages (closes:
#907483).

-- Mathieu Trudel-Lapierre <cyphermox at ubuntu.com> Tue, 05 Mar 2019 17:05:09 -0500

** Changed in: grub2 (Ubuntu)
Status: Confirmed => Fix Released
https://bugs.launchpad.net/bugs/1565950
Title:
Grub 2 fails to boot a kernel on a luks encrypted volume with Secure
Boot enabled
Status in grub2 package in Ubuntu:
Fix Released
Bug description:
Booting in UEFI Secure Boot requires that all code loaded up to and
including the OS kernel be signed. This includes all grub modules.
This is accomplished by including selected modules in a single signed
binary. However, the modules required for grub to use an encrypted
volume have been omitted from the binary package and therefore Ubuntu
cannot boot from an encrypted volume with Secure Boot enabled. This
can be corrected as follows.
The debian/build-efi-images file needs to have lines 136-140 changed from:
GRUB_MODULES="$CD_MODULES
lvm
mdraid09
mdraid1x
"
to:
GRUB_MODULES="$CD_MODULES
cryptodisk
gcry_arcfour
gcry_blowfish
gcry_camellia
gcry_cast5
gcry_crc
gcry_des
gcry_dsa
gcry_idea
gcry_md4
gcry_md5
gcry_rfc2268
gcry_rijndael
gcry_rmd160
gcry_rsa
gcry_seed
gcry_serpent
gcry_sha1
gcry_sha256
gcry_sha512
gcry_tiger
gcry_twofish
gcry_whirlpool
luks
lvm
mdraid09
mdraid1x
"
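As an added example (not part of the grub2 packaging or of the reporter's patch), the POSIX sh check below parses a build-efi-images style GRUB_MODULES="..." assignment and reports which of the cryptodisk, luks and gcry_* modules from the fix above are absent, so a packager can catch a signed image that cannot unlock an encrypted root before it ships. It assumes the file holds one or more assignments in the shape quoted above (several are merged); the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example, not grub2 packaging code: report which modules needed to
# unlock a LUKS volume are absent from a build-efi-images style module list.

# The modules the fix above adds to the signed image (from the bug report).
REQUIRED_CRYPTO_MODULES="cryptodisk luks gcry_arcfour gcry_blowfish \
gcry_camellia gcry_cast5 gcry_crc gcry_des gcry_dsa gcry_idea gcry_md4 \
gcry_md5 gcry_rfc2268 gcry_rijndael gcry_rmd160 gcry_rsa gcry_seed \
gcry_serpent gcry_sha1 gcry_sha256 gcry_sha512 gcry_tiger gcry_twofish \
gcry_whirlpool"

# Print the module names in every GRUB_MODULES="..." assignment of the given
# file, one per line. Variable references such as $CD_MODULES are dropped:
# they are expanded elsewhere in the build script, not listed here.
grub_modules_in() {
    sed -n '/^GRUB_MODULES="/,/^[[:space:]]*"$/p' "$1" \
        | sed -e 's/^GRUB_MODULES="//' -e '/^[[:space:]]*"$/d' \
              -e 's/\$[A-Za-z_][A-Za-z0-9_]*//g' \
        | tr -s ' \t' '\n' \
        | sed '/^$/d'
}

# Print the required modules missing from the file (space separated).
# Returns 1 if any are missing, 0 when the list is complete.
missing_crypto_modules() {
    present=$(grub_modules_in "$1")
    missing=""
    for m in $REQUIRED_CRYPTO_MODULES; do
        printf '%s\n' "$present" | grep -qxF "$m" || missing="$missing $m"
    done
    missing=${missing# }
    [ -z "$missing" ] || { printf '%s\n' "$missing"; return 1; }
}

# Constructed sample files shaped like the "from" and "to" snippets above.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'GRUB_MODULES="$CD_MODULES\n\tlvm\n\tmdraid09\n\tmdraid1x\n\t"\n' \
    > "$SAMPLE_DIR/before"
{
    printf 'GRUB_MODULES="$CD_MODULES\n'
    for m in $REQUIRED_CRYPTO_MODULES lvm mdraid09 mdraid1x; do
        printf '\t%s\n' "$m"
    done
    printf '\t"\n'
} > "$SAMPLE_DIR/after"

# Usage on a real tree: missing_crypto_modules debian/build-efi-images
missing_crypto_modules "$SAMPLE_DIR/before" || echo "before: incomplete (expected)"
missing_crypto_modules "$SAMPLE_DIR/after" && echo "after: complete"
```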