Do not validate kernels twice
Bug #1964943 reported by Dimitri John Ledkov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2 (Ubuntu) | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* 2.06 grub + linuxefi patches submit kernel.efi for validation twice. Once via shim-lock protocol, and again directly.
* this results in duplicate measurements for vmlinuz on classic and kernel.efi on core and breaks measured & attested boot.
[Test Plan]
* Boot classic & core systems with this grub and decode pcr measurements using https:/
[Where problems could occur]
* People relying on measured/attested boot using pre-release jammy grub will experience a change of measurements, which is now becoming stable relative to focal once again.
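Why a duplicate measurement breaks attestation, shown as an added example that is not part of the original bug report or the grub patch: a PCR is a running hash, so extending it with the same kernel digest twice yields a value no verifier policy built from the single-measurement log will match. The event lists, the PCR index and the digests below are constructed sample data, and placing both kernel measurements in one SHA-256 PCR is an assumption made for illustration.

```python
import hashlib
from collections import defaultdict

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend for the SHA-256 bank: new = SHA256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay(events):
    """Replay (pcr_index, description, digest) events and return final PCR values."""
    pcrs = defaultdict(lambda: bytes(32))  # PCRs start as 32 zero bytes
    for index, _desc, digest in events:
        pcrs[index] = extend(pcrs[index], digest)
    return dict(pcrs)

def duplicate_measurements(events):
    """Return (pcr_index, digest_hex, count) for digests extended more than once into a PCR."""
    seen = defaultdict(int)
    for index, _desc, digest in events:
        seen[(index, digest)] += 1
    return [(i, d.hex(), n) for (i, d), n in seen.items() if n > 1]

# Constructed sample data: digests of placeholder byte strings, not real boot files.
PCR = 9  # arbitrary index chosen for the example (assumption)
GRUB_CFG = hashlib.sha256(b"constructed grub.cfg").digest()
KERNEL = hashlib.sha256(b"constructed kernel.efi image").digest()

# Log a verifier expects: the kernel is measured once.
EXPECTED_LOG = [
    (PCR, "grub.cfg", GRUB_CFG),
    (PCR, "kernel.efi", KERNEL),
]
# Log as described in this bug: validated via shim-lock, then again directly.
AFFECTED_LOG = [
    (PCR, "grub.cfg", GRUB_CFG),
    (PCR, "kernel.efi (shim-lock)", KERNEL),
    (PCR, "kernel.efi (direct)", KERNEL),
]

if __name__ == "__main__":
    print("expected PCR:", replay(EXPECTED_LOG)[PCR].hex())
    print("affected PCR:", replay(AFFECTED_LOG)[PCR].hex())
    for index, digest, count in duplicate_measurements(AFFECTED_LOG):
        print(f"PCR {index}: digest {digest} extended {count} times")
```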
Related branches
~xnox/grub:do-not-validate-twice
Merged into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu at revision f1786b635047cabdbac852094294e60547e9f4cf
- Ubuntu Core Development Team: Pending requested
Diff: 242 lines (+228/-0), 2 files modified:
debian/patches/linuxefi-do-not-validate-kernels-twice.patch (+227/-0)
debian/patches/series (+1/-0)
Changed in grub2 (Ubuntu Jammy): milestone: none → ubuntu-22.04
This bug was fixed in the package grub2 - 2.06-2ubuntu6
---------------
grub2 (2.06-2ubuntu6) jammy; urgency=medium
[ Heinrich Schuchardt ]
* efivar: check that efivarfs is writeable (LP: #1965288)
[ Dimitri John Ledkov ]
* Do not validate kernels twice. (LP: #1964943)
[ Heinrich Schuchardt ]
* efi: EFI Device Tree Fixup Protocol (LP: #1965796)
* fdt: add debug output to devicetree command
-- Julian Andres Klode <email address hidden> Fri, 25 Mar 2022 16:03:11 +0100