[Bug 1864533] Please test proposed package
Łukasz Zemczak
1864533 at bugs.launchpad.net
Thu Mar 12 17:23:57 UTC 2020
Hello Steve, or anyone else affected,
Accepted grub2 into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.15
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1864533
Title:
grub wrongly booting via bios entry point instead of efi when
secureboot disabled
Status in grub2 package in Ubuntu:
Fix Committed
Status in grub2 source package in Bionic:
Fix Committed
Status in grub2 source package in Eoan:
Fix Committed
Status in grub2 source package in Focal:
Fix Committed
Bug description:
[SRU Justification]
Currently, the Ubuntu patches for secureboot support will boot the kernel via the EFI stub ONLY if secureboot is enabled. This means that if secureboot is disabled, grub wrongly skips the kernel's EFI stub, resulting in buggy behavior (missing EFI fixups; lack of access to the TCG log).
When booted on EFI, grub should ALWAYS use the EFI protocol to boot
the kernel, and only do a non-EFI boot as a fallback if the EFI stub
is not available AND secureboot is not enabled.
Patches available at
https://people.canonical.com/~chrisccoulson/grub-efi-fixes/
[Test case]
Boot kernel in secure boot and non-secure boot, check that
/proc/sys/kernel/bootloader_{type,version} are the same (they'd be different if we booted via grub's own linux loader).
[Regression potential]
This changes behavior of how grub passes control to Linux kernels when secureboot is disabled on UEFI systems, which can result in arbitrary changes to the boot process up to and including failure to boot if there are bugs in the kernel EFI stub on some platforms. However, it is generally more correct to boot via the EFI stub and it's expected that most users are booting via the EFI stub on UEFI systems due to the ubiquity of SecureBoot by default on modern hardware, so having consistent behavior whether SecureBoot is on or off is likely to be the less buggy option generally.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1864533/+subscriptions
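One way to script the [Test case] step above, added here as an example; it is not part of the bug report or of the grub2 package. The function names, the optional ROOT argument (a path prefix, so the functions can be pointed at a copied tree) and the state directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: record bootloader_{type,version} once per Secure Boot state,
# then compare the two records as the test case asks.
# EFI global-variable GUID for the SecureBoot variable as exposed by efivarfs.
SB_VAR=sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032bbd

# secure_boot_state [ROOT] -> prints on | off | unknown | no-efi
secure_boot_state() {
    root=${1:-/}
    [ -d "$root/sys/firmware/efi" ] || { echo no-efi; return; }
    [ -r "$root/$SB_VAR" ] || { echo unknown; return; }
    # efivarfs prepends 4 attribute bytes; the variable's value is byte 5.
    val=$(od -An -tu1 -j4 -N1 "$root/$SB_VAR" | tr -d ' \n')
    [ "$val" = 1 ] && echo on || echo off
}

# boot_record [ROOT] -> prints "type=<n> version=<n>" for the running kernel
boot_record() {
    root=${1:-/}
    printf 'type=%s version=%s\n' \
        "$(cat "$root/proc/sys/kernel/bootloader_type")" \
        "$(cat "$root/proc/sys/kernel/bootloader_version")"
}

# save_record ROOT STATEDIR: store this boot's record as STATEDIR/boot-<state>
save_record() {
    state=$(secure_boot_state "$1")
    boot_record "$1" > "$2/boot-$state"
}

# compare_records STATEDIR -> prints same | differ | incomplete
compare_records() {
    [ -f "$1/boot-on" ] && [ -f "$1/boot-off" ] || { echo incomplete; return; }
    if cmp -s "$1/boot-on" "$1/boot-off"; then echo same; else echo differ; fi
}

# Command-line use: run "save DIR" once per boot, then "compare DIR".
case "${1:-}" in
    save)    save_record / "${2:?state directory required}" ;;
    compare) compare_records "${2:?state directory required}" ;;
esac
```

Run `save` once with Secure Boot enabled and once with it disabled, keeping the state directory on persistent storage; `compare` then prints `same` when both boots reported identical values.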