[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable
Łukasz Zemczak
1930742 at bugs.launchpad.net
Mon Jul 19 12:36:16 UTC 2021
Hello Steve, or anyone else affected,
Accepted shim-signed into xenial-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will
not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Tags removed: verification-done verification-done-xenial
** Tags added: verification-needed verification-needed-xenial
https://bugs.launchpad.net/bugs/1930742
Title:
cloud images in xenial do not get their boot path updated because we
don't call grub-install --force-extra-removable
Status in grub2-signed package in Ubuntu:
Fix Released
Status in grub2-unsigned package in Ubuntu:
Fix Released
Status in shim-signed package in Ubuntu:
Invalid
Status in grub2-signed source package in Xenial:
Fix Released
Status in grub2-unsigned source package in Xenial:
Fix Released
Status in shim-signed source package in Xenial:
Fix Committed
Status in grub2-signed source package in Bionic:
Fix Released
Status in grub2-unsigned source package in Bionic:
Fix Released
Status in shim-signed source package in Bionic:
Invalid
Bug description:
[Impact]
Verification of the previous SRU, bug #1928674, exposed that we have a regression on xenial/arm64 cloud images because they boot from the removable media path, which is not updated by the maintainer scripts in those images; and because we have never supported the monolithic signed EFI executable on xenial/arm64, there is an ABI mismatch between the updated contents of /boot/grub and the not-updated contents of \EFI\boot\bootaa64.efi.
The fact that \EFI\boot is not updated on xenial cloud images is ALSO
an issue on amd64 - it doesn't lead to a boot failure there because we
do support secureboot on xenial/amd64, so the bootloader doesn't
depend on loading modules from /boot/grub; however, \EFI\boot not
being updated means that the systems still do not benefit from the
updated grub, AND are subject to boot failures in the future due to
the fact that the old shim has been revoked by Microsoft and these
revocations may propagate to the cloud instance's revocation database
in nvram, one way or another.
[Test Case]
- Boot an arm64 Ubuntu image in AWS
- Enable -proposed
- Upgrade the grub-efi-amd64 package
- Reboot
- Verify that the system comes up
- Boot an amd64 Ubuntu image in GCE
- rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- Enable -proposed
- Upgrade the grub-efi-amd64-signed package
- Reboot
- Verify that the system comes up
- rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- Upgrade the shim-signed package
- Reboot
- Verify that the system comes up
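Added example, not part of the bug report: a POSIX shell check that complements the "verify that the system comes up" steps above by confirming that the removable media path (\EFI\boot on the ESP) actually carries the shim and grub binaries shipped by the installed packages, rather than the stale or emptied files the test case starts from. The package file locations in the comments are assumptions to verify on the system under test.

```shell
#!/bin/sh
# Added example (not from the bug report): compare the removable media
# path on the ESP against the binaries the signed packages ship. A
# mismatch is the state this bug describes: /boot/grub updated while
# \EFI\boot is left stale (or, after the rm + touch step, empty).
#
# Assumed package-file locations (check them on your system):
#   amd64: /usr/lib/shim/shimx64.efi.signed
#          /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed
#   arm64: /usr/lib/shim/shimaa64.efi.signed
#          /usr/lib/grub/arm64-efi-signed/grubaa64.efi.signed

# check_removable_path ESP_BOOT_DIR SHIM_SIGNED GRUB_SIGNED ARCH_SUFFIX
#   ESP_BOOT_DIR : the \EFI\boot directory on the mounted ESP
#   ARCH_SUFFIX  : x64 for amd64, aa64 for arm64
# Prints one line per file; returns 0 only if both files are current.
check_removable_path() {
    esp_boot=$1; shim_src=$2; grub_src=$3; suffix=$4
    stale=0
    # Removable-path names: BOOTX64.EFI/grubx64.efi or BOOTAA64.EFI/grubaa64.efi
    for pair in "BOOT$(echo "$suffix" | tr a-z A-Z).EFI:$shim_src" \
                "grub$suffix.efi:$grub_src"; do
        name=${pair%%:*}; src=${pair#*:}
        dst="$esp_boot/$name"
        if [ ! -f "$dst" ]; then
            echo "MISSING $dst"; stale=1
        elif cmp -s "$dst" "$src"; then
            echo "OK      $dst matches $src"
        else
            echo "STALE   $dst differs from $src"; stale=1
        fi
    done
    return $stale
}

# Stand-alone use on an amd64 system with the ESP mounted at /boot/efi:
# check_removable_path /boot/efi/EFI/BOOT \
#     /usr/lib/shim/shimx64.efi.signed \
#     /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed x64
```

Run it after each "Reboot" step of the test case; a STALE or MISSING line means the upgrade did not refresh the removable path even though the system may still have booted.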
[Where problems could occur]
Because there were no provisions in the cloud images at the time they were built for updates to \EFI\boot, the only practical way to fix this for existing images (which is where the upgrade bug is an issue) is by unconditionally installing to the removable media path on all systems as part of the upgrade. This means that non-cloud systems, which do not normally boot Ubuntu via \EFI\boot, will have the contents of \EFI\boot replaced when this was not previously the case (and contrary to the debconf setting). In newer Ubuntu releases, we install to \EFI\boot unconditionally; but this is a behavior change in a stable series. If a user has something other than Ubuntu grub+shim installed to \EFI\boot, this may be an unexpected behavior change from an SRU.
The risk of this causing a problem for users is mitigated on bionic by
the fact that all the most recent install media for Ubuntu 18.04 also
install shim+grub to the removable path, so this is already the
default behavior.