Call for testing: grub 2.12 mantic PPA

Julian Andres Klode julian.klode at canonical.com
Thu Jul 27 16:50:34 UTC 2023


Hello party people,

grub 2.12~rc1-4~ubuntu1~ppa1 is now available in the Ubuntu
development PPA for testing, signed with the PPA signing
key.

https://launchpad.net/~ubuntu-uefi-team/+archive/ubuntu/ppa/+packages

I have tested booting on my laptop and it's fine, but I've
specifically not gotten around to any arm64 or riscv64 testing
or PC BIOS for that matter. Well, I booted a kernel in arm64
qemu.

To test on a secure boot enabled machine, you have two
options:

1. Enroll the signing key using

    $ wget https://ppa.launchpadcontent.net/ubuntu-uefi-team/ppa/ubuntu/dists/mantic/main/uefi/grub2-amd64/2.12~rc1-4~ubuntu1~ppa1/control/uefi.crt
    $ openssl x509 -in uefi.crt -out uefi.der -outform DER
    $ sudo mokutil --import uefi.der

2. Just install it and enroll the specific binary by its hash. To
   do so, at boot after you get a security violation, MokManager
   pops up and presents a menu.

   Select to enroll a hash, and navigate to EFI/ubuntu/grubx64.efi
   on your EFI system partition and enroll it.

I plan to do some more cleanup and release the -4 to Debian, and
have the final version go to mantic-proposed during the first half
of next week if signing works out and machines boot :)

Probably we'll then go tag it block-proposed for yet some more
time so we can do some more testing with signed binaries, but
have it in the archive to ease testing.

Known issues:

- Several UEFI networking patches have not yet been rebased to the
  new APIs in 2.12. Sadly the patches were not merged upstream when
  they were submitted :(

- Kernels older than 5.8 will not boot in full UEFI mode on
  amd64, but use the legacy entry points used by BIOS.

  This is because we are switching from the Red Hat loading
  code to the upstream loading code in our effort to make bold
  changes to be the first. OK realistically to get rid of a 20
  patch stack and 3 separate loader implementations.

  I have plans for a better workaround on x86, and the wonderful
  Ard Biesheuvel has backported the EFI stub with LoadFile2 support
  to the 5.4 kernel which we might want to pick for 20.04.

- Measurement changes may require followup changes to TPM
  sealing calculations, but not sure there are any

- Software

- The GRUB_FLAVOUR_ORDER feature used by OEM images is not yet
  supported. Support will be reinstated later this cycle to
  early next cycle. 

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
