[ubuntu-hardened] Fwd: Confused on GRUB2 version for 20.04.2 LTS
Steve Beattie
sbeattie at ubuntu.com
Mon Jun 21 21:00:47 UTC 2021
Hi David,
On Mon, Jun 21, 2021 at 08:10:29AM -0700, David F. wrote:
> Well, I'm just wondering where 2.04-1ubuntu26.11 (now
> 2.04-1ubuntu26.12) is coming from and if it has the required fixes?
As Alex said, there are now three source packages that provide various
elements of the grub bootloader in Ubuntu 20.04 LTS and other releases:
- grub2-signed: this source is a byproduct of how artifact signing is
  done in Ubuntu. It is the origin of the actual signed grub2 efi
  artifact packages:

    grub-efi-amd64-signed
    grub-efi-arm64-signed

  These are the signed versions of the EFI binaries that are generated
  from the grub2-unsigned source package.

  You can find all the versions of this published in Ubuntu at:
  https://launchpad.net/ubuntu/+source/grub2-signed
  but given your situation these probably aren't relevant to you.
- grub2-unsigned: this is the source that builds the EFI artifacts that
  are later signed for inclusion in the grub2-signed package. The source
  here contains the security fixes for the most recent round of GRUB2
  security updates as well as the SBAT changes, etc. The intent here was
  to have a common version of grub2 for UEFI secure boot across all the
  supported releases of Ubuntu, including the 14.04 ESM and 16.04 ESM
  releases.

  This is probably the source that you want to base off of going
  forward and can either be grabbed via `apt source grub2-unsigned`
  in a focal vm/system, or from:
  https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.2

  And similarly, all the currently published versions are listed at
  https://launchpad.net/ubuntu/+source/grub2-unsigned/

  You can see what the publication history looks like and gain access to
  the older intermediate versions that were only published to
  focal-updates at:
  https://launchpad.net/ubuntu/+source/grub2-unsigned/+publishinghistory

  Specifically, the version that incorporated the security fixes and
  SBAT metadata into the Ubuntu archive is
  https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu42

  Most of the subsequent updates had to do with packaging issues and
  coordination of binary packages across the various Ubuntu releases.
- grub2: this was the source package that previously generated the EFI
  artifacts that would be incorporated into the grub2-signed packages.
  Going forward, it will *only* produce non-EFI artifacts; i.e.
  artifacts only suitable for booting in PC BIOS environments. Because
  of this, they do not include the most recent round of security
  updates nor the SBAT metadata info.

  Thus the changes in the 1ubuntu26.11 version are to stop building
  the EFI binaries (because they are built in grub2-unsigned) and
  1ubuntu26.12 was packaging changes to not break upgrades from
  bionic/18.04.
Fortunately for your situation, the base grub2 version in focal/20.04
was already 2.04 and so rebasing on the changes in the version in
2.04-1ubuntu42 should hopefully not be too difficult.
> We use Ubuntu's GRUB2 as the base (with additional patches) for our boot
> disk and UEFI booting and I already released based on 26.11 with the
> new shim and .SBAT. BTW, objcopy corrupts the binaries so I had to
> write my old PE modifier (not sure what you're using for final builds
> on your end). Is that version up to date as it seems to have been
> based on the release date?
I'm not fully up to speed on what needs to be done on the build changes
to make it all work, but I don't see any updates to the binutils source
package in focal that look to be relevant.
> By the way, here are my GRUB2 patches (based on 2.02 but still apply
> in 2.04) in case you want to implement them. The small ones are to
> fix the error message when issues arise otherwise the error code gets
> modified before the condition of which message to show gets printed.
Interesting, thanks, I'll point the relevant people at them.
--
Steve Beattie
<sbeattie at ubuntu.com>