[ubuntu-hardened] Fwd: Confused on GRUB2 version for 20.04.2 LTS

Steve Beattie sbeattie at ubuntu.com
Mon Jun 21 21:00:47 UTC 2021


Hi David,

On Mon, Jun 21, 2021 at 08:10:29AM -0700, David F. wrote:
> Well, I'm just wondering where 2.04-1ubuntu26.11 (now
> 2.04-1ubuntu26.12) is coming from and if it has the required fixes?

As Alex said, there are now three source packages that provide various
elements of the grub bootloader in Ubuntu 20.04 LTS and other releases:

- grub2-signed: this source is a byproduct of how artifact signing is
  done in Ubuntu. It is the origination of the actual signed grub2 efi
  artifact packages:

    grub-efi-amd64-signed
    grub-efi-arm64-signed

  These are the signed versions of the EFI binaries that are generated
  from the grub2-unsigned source package.

  You can find all the versions of this published in Ubuntu at:

    https://launchpad.net/ubuntu/+source/grub2-signed

  but given your situation these probably aren't relevant to you.

- grub2-unsigned: this is the source that builds the EFI artifacts that
  are later signed for inclusion in the grub2-signed package. The source
  here contains the security fixes for the most recent round of GRUB2
  security updates as well as the SBAT changes, etc. The intent here was
  to have a common version of grub2 for UEFI secure boot across all the
  supported releases of Ubuntu, including the 14.04 ESM and 16.04 ESM
  releases.

  This is probably the source that you want to base off of going
  forward and can either be grabbed via `apt source grub2-unsigned`
  in a focal vm/system, or from:

    https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.2

  And similarly, all the currently published versions are listed at

    https://launchpad.net/ubuntu/+source/grub2-unsigned/

  You can see what the publication history looks like and gain access to
  the older intermediate versions that were only published to
  focal-updates at:

    https://launchpad.net/ubuntu/+source/grub2-unsigned/+publishinghistory

  Specifically, the version that incorporated the security fixes and
  SBAT metadata into the Ubuntu archive is

    https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu42

  Most of the subsequent updates had to do with packaging issues and
  coordination of binary packages across the various Ubuntu releases.

- grub2: this was the source package that previously generated the EFI
  artifacts that would be incorporated into the grub2-signed packages.
  Going forward, it will *only* produce non-EFI artifacts; i.e.
  artifacts only suitable for booting in PC BIOS environments. Because
  of this, they do not include the most recent round of security
  updates nor the SBAT metadata info.

  Thus the changes in the 1ubuntu26.11 version are to stop building
  the EFI binaries (because they are built in grub2-unsigned) and
  1ubuntu26.12 was packaging changes to not break upgrades from
  bionic/18.04.

Fortunately for your situation, the base grub2 version in focal/20.04
was already 2.04 and so rebasing on the changes in the version in
2.04-1ubuntu42 should hopefully not be too difficult.

> We use Ubuntu's GRUB2 as the base (with additional patches) for our boot
> disk and UEFI booting and I already released based on 26.11 with the
> new shim and .SBAT. BTW, objcopy corrupts the binaries so I had to
> write my old PE modifier (not sure what you're using for final builds
> on your end).  Is that version up to date as it seems to have been
> based on the release date?

I'm not fully up to speed on what needs to be done on the build changes
to make it all work, but I don't see any updates to the binutils source
package in focal that look to be relevant.

> By the way, here are my GRUB2 patches (based on 2.02 but still applies
> in 2.04) in case you want to implement them.  The small ones are to
> fix the error message when issues arise otherwise the error code gets
> modified before the condition of which message to show gets printed.

Interesting, thanks, I'll point the relevant people at them.

-- 
Steve Beattie
<sbeattie at ubuntu.com>
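A practical way to check whether a given grub EFI binary actually carries the SBAT metadata discussed above is to read its `.sbat` PE section directly. The following is an added example, not code from this thread or from Ubuntu's packaging; it assumes the standard PE/COFF header layout and that SBAT is stored as a NUL-padded CSV blob in a section named `.sbat` (per shim's SBAT.md), and the sample rows it embeds are constructed.

```python
"""Read the .sbat section of a PE/COFF EFI binary (e.g. grubx64.efi). Added example,
not code from the thread; assumes standard PE layout and a NUL-padded CSV ".sbat" section."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte PE section header

def sbat_entries(pe):
    """Return SBAT CSV rows from a PE image ([] if there is no .sbat section)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    for i in range(nsections):
        hdr = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        name, size_raw, ptr_raw = hdr[0].rstrip(b"\0"), hdr[3], hdr[4]
        if name == b".sbat":
            raw = pe[ptr_raw:ptr_raw + size_raw].rstrip(b"\0").decode("ascii")
            return [row.split(",") for row in raw.splitlines() if row]
    return []

def grub_sbat_generation(pe):
    """SBAT generation of the 'grub' component, or None if the binary carries none."""
    for row in sbat_entries(pe):
        if row[0] == "grub":
            return int(row[1])
    return None

def build_sample_pe(sbat_csv):
    """Constructed minimal PE (no optional header) with a single .sbat section."""
    e_lfanew, table = 0x40, 0x40 + 4 + 20
    raw_ptr = table + 40
    img = bytearray(raw_ptr)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x8664, 1)  # Machine, NumberOfSections
    struct.pack_into(SECTION_HDR, img, table, b".sbat", len(sbat_csv), 0x1000,
                     len(sbat_csv), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return bytes(img) + sbat_csv

# Constructed sample rows in SBAT.md field order:
# component,generation,vendor,vendor_package,vendor_version,url
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
               b"grub.ubuntu,1,Ubuntu,grub2,2.04-1ubuntu42,https://www.ubuntu.com/\n")
```

On a real system, pass the bytes of the installed EFI binary (on Ubuntu typically under /boot/efi/EFI/ubuntu/) to `sbat_entries`; an empty result means the binary was built without SBAT metadata, which is the situation the grub2 (non-EFI) source package leaves you in.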