grub wrongly booting via bios entry point instead of efi when secureboot disabled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2 (Ubuntu) | Fix Released | High | Julian Andres Klode |
Bionic | Fix Released | High | Julian Andres Klode |
Eoan | Fix Released | Medium | Unassigned |
Focal | Fix Released | High | Julian Andres Klode |
Bug Description
[SRU Justification]
Currently, the Ubuntu patches for secureboot support will boot the kernel via the EFI stub ONLY if secureboot is enabled. This means that if secureboot is disabled, grub wrongly skips the kernel's EFI stub, resulting in buggy behavior (missing EFI fixups; lack of access to the TCG log).
When booted on EFI, grub should ALWAYS use the EFI protocol to boot the kernel, and only do a non-EFI boot as a fallback if the EFI stub is not available AND secureboot is not enabled.
Patches available at https:/
[Test case]
Boot kernel in secure boot and non-secure boot, check that
/proc/sys/
[Regression potential]
This changes the behavior of how grub passes control to Linux kernels when secureboot is disabled on UEFI systems, which can result in arbitrary changes to the boot process up to and including failure to boot if there are bugs in the kernel EFI stub on some platforms. However, it is generally more correct to boot via the EFI stub, and it's expected that most users are booting via the EFI stub on UEFI systems due to the ubiquity of SecureBoot by default on modern hardware, so having consistent behavior whether SecureBoot is on or off is likely to be the less buggy option generally.
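A post-boot check for the symptom the description names (a kernel that cannot see the TCG log because it was entered through the legacy entry point rather than its EFI stub), added here as an example and not part of the bug report or the grub patches. It assumes securityfs is mounted at /sys/kernel/security and that the firmware delivers the event log to the EFI stub through the TCG2 protocol (TPM 2.0); the sysfs root is a parameter so it can run against a constructed tree.

```shell
#!/bin/sh
# Look for evidence of how the kernel was entered. Assumptions: securityfs at
# /sys/kernel/security, and a TPM 2.0 event log handed over by the EFI stub.
# TPM 1.2 firmware may expose its log through ACPI regardless of boot path, so
# a present log is weaker evidence on such machines.
#
# Exit codes: 0 = evidence consistent with an EFI-stub boot,
#             1 = TPM present but no event log (the bug's symptom),
#             2 = not an EFI boot at all,
#             3 = no TPM device, undetermined.
efi_stub_boot_check() {
    root="${1:-}"
    # /sys/firmware/efi alone proves nothing here: grub also fills in
    # boot_params.efi_info on the legacy path, so EFI is visible either way.
    if [ ! -d "$root/sys/firmware/efi" ]; then
        echo "not an EFI boot (no $root/sys/firmware/efi)"
        return 2
    fi
    if [ ! -e "$root/sys/class/tpm/tpm0" ]; then
        echo "no TPM device, cannot decide from the event log"
        return 3
    fi
    log="$root/sys/kernel/security/tpm0/binary_bios_measurements"
    if [ -s "$log" ]; then
        echo "TPM event log present at $log: consistent with an EFI-stub boot"
        return 0
    fi
    echo "TPM present but $log is missing or empty: kernel likely not entered via its EFI stub"
    return 1
}

# Run against the live system when executed as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    efi_stub_boot_check
fi
```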
Related branches
- Dimitri John Ledkov: Pending requested
- Diff: 302 lines (+186/-30), 7 files modified:
  - debian/.git-dpm (+2/-2)
  - debian/changelog (+3/-1)
  - debian/patches/0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch (+118/-0)
  - debian/patches/0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch (+25/-0)
  - debian/patches/series (+2/-0)
  - grub-core/loader/i386/efi/linux.c (+10/-6)
  - grub-core/loader/i386/linux.c (+26/-21)
Changed in grub2 (Ubuntu): importance: Undecided → High
Changed in grub2 (Ubuntu Bionic): importance: Undecided → High
description: updated
description: updated
Changed in grub2 (Ubuntu Focal): assignee: nobody → Julian Andres Klode (juliank)
Changed in grub2 (Ubuntu Bionic): assignee: nobody → Julian Andres Klode (juliank)
Changed in grub2 (Ubuntu Bionic): status: Confirmed → In Progress
Changed in grub2 (Ubuntu Focal): status: Confirmed → Fix Committed
description: updated
tags: added: id-5e5426bcb01c166f228a5923
tags: added: id-5e6a862ec339fd8702484ff4
Status changed to 'Confirmed' because the bug affects multiple users.