[ubuntu-hardened] Fwd: Confused on GRUB2 version for 20.04.2 LTS

David F. df7729 at gmail.com
Tue Jun 22 00:32:50 UTC 2021


I understand now: grub2-unsigned. (Interestingly, grub2 is now getting
grub2-unsigned as well, maybe because I had the software updater
update?)

Thanks.

On Mon, Jun 21, 2021 at 2:02 PM Steve Beattie <sbeattie at ubuntu.com> wrote:
>
> Hi David,
>
> On Mon, Jun 21, 2021 at 08:10:29AM -0700, David F. wrote:
> > Well, I'm just wondering where 2.04-1ubuntu26.11 (now
> > 2.04-1ubuntu26.12) is coming from and if it has the required fixes?
>
> As Alex said, there are now three source packages that provide various
> elements of the grub bootloader in Ubuntu 20.04 LTS and other releases:
>
> - grub2-signed: this source is a byproduct of how artifact signing is
>   done in Ubuntu. It is the origin of the actual signed grub2 EFI
>   artifact packages:
>
>     grub-efi-amd64-signed
>     grub-efi-arm64-signed
>
>   These are the signed versions of the EFI binaries that are generated
>   from the grub2-unsigned source package.
>
>   You can find all the versions of this published in Ubuntu at:
>
>     https://launchpad.net/ubuntu/+source/grub2-signed
>
>   but given your situation these probably aren't relevant to you.
>
> - grub2-unsigned: this is the source that builds the EFI artifacts that
>   are later signed for inclusion in the grub2-signed package. The source
>   here contains the security fixes for the most recent round of GRUB2
>   security updates as well as the SBAT changes, etc. The intent here was
>   to have a common version of grub2 for UEFI secure boot across all the
>   supported releases of Ubuntu, including the 14.04 ESM and 16.04 ESM
>   releases.
>
>   This is probably the source that you want to base off of going
>   forward and can either be grabbed via `apt source grub2-unsigned`
>   in a focal vm/system, or from:
>
>     https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.2
>
>   And similarly, all the currently published versions are listed at
>
>     https://launchpad.net/ubuntu/+source/grub2-unsigned/
>
>   You can see what the publication history looks like and gain access to
>   the older intermediate versions that were only published to
>   focal-updates at:
>
>     https://launchpad.net/ubuntu/+source/grub2-unsigned/+publishinghistory
>
>   Specifically, the version that incorporated the security fixes and
>   SBAT metadata into the Ubuntu archive is
>
>     https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu42
>
>   Most of the subsequent updates had to do with packaging issues and
>   coordination of binary packages across the various Ubuntu releases.
>
> - grub2: this was the source package that previously generated the EFI
>   artifacts that would be incorporated into the grub2-signed packages.
>   Going forward, it will *only* produce non-EFI artifacts; i.e.
>   artifacts only suitable for booting in PC BIOS environments. Because
>   of this, they do not include the most recent round of security
>   updates nor the SBAT metadata info.
>
>   Thus the changes in the 1ubuntu26.11 version are to stop building
>   the EFI binaries (because they are built in grub2-unsigned) and
>   1ubuntu26.12 was packaging changes to not break upgrades from
>   bionic/18.04.
>
> Fortunately for your situation, the base grub2 version in focal/20.04
> was already 2.04 and so rebasing on the changes in the version in
> 2.04-1ubuntu42 should hopefully not be too difficult.
>
> > We use Ubuntu's GRUB2 as the base (with additional patches) for our boot
> > disk and UEFI booting and I already released based on 26.11 with the
> > new shim and .SBAT.   BTW, objcopy corrupts the binaries so I had to
> > write my old PE modifier (not sure what you're using for final builds
> > on your end).  Is that version up to date as it seems to have been
> > based on the release date?
>
> I'm not fully up to speed on what needs to be done on the build changes
> to make it all work, but I don't see any updates to the binutils source
> package in focal that look to be relevant.
>
> > By the way, here are my GRUB2 patches (based on 2.02 but still applies
> > in 2.04) in case you want to implement them.  The small ones are to
> > fix the error message when issues arise otherwise the error code gets
> > modified before the condition of which message to show gets printed.
>
> Interesting, thanks, I'll point the relevant people at them.
>
> --
> Steve Beattie
> <sbeattie at ubuntu.com>
> --
> ubuntu-hardened mailing list
> ubuntu-hardened at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-hardened
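The practical difference Steve describes between a grub2-unsigned EFI build and
the older/BIOS-only grub2 builds is whether the PE binary carries a .sbat
section. The script below is an added example (not Ubuntu's packaging or build
tooling, and not David's PE modifier): it walks the PE/COFF section table of an
EFI image, extracts .sbat, and decodes the SBAT CSV records so you can check
which components and generation numbers a binary advertises. The two images it
inspects are constructed inline as minimal, non-bootable PE skeletons so the
code runs offline; the SBAT lines in them are sample values (the
"grub.example" vendor entry is invented), not the ones shipped in Ubuntu's
packages.

```python
"""Locate and decode the .sbat section of a PE/COFF (EFI) image.

Added example; the PE images and SBAT records here are constructed for the
demo and are not Ubuntu's real grubx64.efi or SBAT data.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HDR = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics
SECTION_HDR = "<8sIIIIIIHHI"


class SbatRecord(NamedTuple):
    component: str
    generation: int
    vendor: str
    package: str
    version: str
    url: str


def pe_sections(image: bytes) -> List[Tuple[str, int, int, int]]:
    """Return (name, raw_offset, raw_size, virtual_size) for every section header."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, image, pe_off + 4)
    table = pe_off + 4 + struct.calcsize(COFF_HDR) + opt_size  # section table follows the optional header
    out = []
    for i in range(nsec):
        name, vsize, _vaddr, rsize, roff, *_ = struct.unpack_from(SECTION_HDR, image, table + 40 * i)
        if roff + rsize > len(image):
            raise ValueError(f"section {name!r} points outside the file")
        out.append((name.rstrip(b"\0").decode("ascii"), roff, rsize, vsize))
    return out


def sbat_records(image: bytes) -> Optional[List[SbatRecord]]:
    """Decode the .sbat CSV records; None when the image has no .sbat section at all."""
    for name, roff, rsize, vsize in pe_sections(image):
        if name != ".sbat":
            continue
        # VirtualSize is the real payload length; SizeOfRawData is padded to file alignment.
        raw = image[roff:roff + min(rsize, vsize or rsize)].rstrip(b"\0")
        records = []
        for line in raw.decode("ascii").splitlines():
            if not line.strip():
                continue
            fields = line.split(",")
            if len(fields) != 6:
                raise ValueError(f"malformed SBAT line: {line!r}")
            records.append(SbatRecord(fields[0], int(fields[1]), *fields[2:]))
        return records
    return None


def generation_of(records: List[SbatRecord], component: str) -> Optional[int]:
    """Generation number advertised for one component, or None if absent."""
    for rec in records:
        if rec.component == component:
            return rec.generation
    return None


def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE skeleton (no optional header, not loadable) for the demo."""
    pe_off = 0x40
    hdr_end = pe_off + 4 + struct.calcsize(COFF_HDR) + 40 * len(sections)
    data_off = (hdr_end + 0x1FF) & ~0x1FF                       # 512-byte file alignment
    mz = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", mz, 0x3C, pe_off)
    coff = struct.pack(COFF_HDR, 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table, body, off = b"", b"", data_off
    for name, content in sections:
        size = (len(content) + 0x1FF) & ~0x1FF
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(content), off,
                             size, off, 0, 0, 0, 0, 0x40000040)
        body += content.ljust(size, b"\0")
        off += size
    return (bytes(mz) + b"PE\0\0" + coff + table).ljust(data_off, b"\0") + body


# Sample SBAT payload (constructed; "grub.example" is an invented vendor entry).
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
    b"grub.example,1,Example Vendor,grub2,2.04-0example1,https://example.invalid/\n"
)
SBAT_IMAGE = build_pe([(b".text", b"\x90" * 16), (b".sbat", SAMPLE_SBAT)])   # grub2-unsigned style
NO_SBAT_IMAGE = build_pe([(b".text", b"\x90" * 16)])                         # pre-SBAT EFI build

if __name__ == "__main__":
    for label, img in (("with .sbat", SBAT_IMAGE), ("without .sbat", NO_SBAT_IMAGE)):
        recs = sbat_records(img)
        print(label, "->", "no SBAT metadata" if recs is None else
              [(r.component, r.generation, r.version) for r in recs])
```

Reading the section table directly sidesteps the objcopy problem David mentions:
nothing in the file is rewritten, so the check can be run against the exact
binary that will be signed. The generation numbers this prints are what shim
compares against its SBAT revocation list at boot, so a build that reports no
.sbat at all, or a generation below the current revocation level for "grub", is
the thing to catch before shipping.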


