Ubuntu
grub-installer package

Backport UEFI Secure Boot support for Ubuntu 12.04.2

Bug #1075181 reported by Colin Watson
50
This bug affects 7 people
Affects Status Importance Assigned to Milestone
Ubuntu CD Images
Fix Released
High
Colin Watson
base-installer (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
debian-installer (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
grub-installer (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
grub2 (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
grub2-signed (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
linux-lts-quantal (Ubuntu)
Invalid
High
Unassigned
Precise
Fix Released
High
Andy Whitcroft
Ubuntu ubuntu-12.04.2
linux-meta-lts-quantal (Ubuntu)
Fix Released
High
Andy Whitcroft
Ubuntu ubuntu-12.04.2
linux-signed-lts-quantal (Ubuntu)
Invalid
High
Unassigned
Precise
Fix Released
High
Andy Whitcroft
Ubuntu ubuntu-12.04.2
livecd-rootfs (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
sbsigntool (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Andy Whitcroft
Ubuntu ubuntu-12.04.2
shim (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
shim-signed (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
ubiquity (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2
ubuntu-defaults-builder (Ubuntu)
Fix Released
High
Unassigned
Precise
Fix Released
High
Colin Watson
Ubuntu ubuntu-12.04.2

Bug Description

[Impact]

Since systems are beginning to come out with UEFI Secure Boot enabled by default if they haven't already, we need to backport this support from 12.10 to 12.04.2. This is a complex set of enablement patches across a number of packages. Most of them will be fairly straightforward backports, but there are a few known warts:

 * The grub2 support was built on 2.00, and depends on first backporting a number of other patches (mostly Unicode handling changes and UEFI variable support) to 1.99.
 * 12.04.2 will have an alternate install image, which was removed from 12.10. Installer support here should be mostly the same as for the server image, but we have stricter space constraints and may need to adjust the way the signed kernel is delivered to deal with this. Andy Whitcroft and I have a plan for this which we'll implement between us in raring.

[Test Case]

The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. After each installation, use debsums to check that kernel checksums are correct.

[Regression Potential]

Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both.

Colin Watson (cjwatson)
Changed in grub2 (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in grub2 (Ubuntu Precise):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Colin Watson (cjwatson)
milestone: none → ubuntu-12.04.2
Changed in grub2-signed (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in grub2-signed (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
milestone: none → ubuntu-12.04.2
Changed in linux (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: New → Triaged
tags: added: bot-stop-nagging
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in linux (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04.2
assignee: nobody → Andy Whitcroft (apw)
Changed in grub2-signed (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
Changed in linux-signed (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in linux-signed (Ubuntu Precise):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
milestone: none → ubuntu-12.04.2
Changed in grub-installer (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in grub-installer (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
status: New → Triaged
Changed in sbsigntool (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in grub-installer (Ubuntu Precise):
milestone: none → ubuntu-12.04.2
Changed in sbsigntool (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
Colin Watson (cjwatson)
Changed in ubuntu-cdimage:
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
status: New → Triaged
Changed in base-installer (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in base-installer (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
Changed in ubiquity (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in ubiquity (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
Colin Watson (cjwatson)
Changed in debian-installer (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in debian-installer (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
assignee: nobody → Colin Watson (cjwatson)
Joseph Salisbury (jsalisbury)
tags: added: kernel-da-key
Andy Whitcroft (apw)
Changed in linux-signed (Ubuntu Precise):
status: Triaged → In Progress
Colin Watson (cjwatson)
Changed in shim (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in shim (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
Changed in shim-signed (Ubuntu):
status: New → Fix Released
Changed in shim-signed (Ubuntu Precise):
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
Changed in shim-signed (Ubuntu):
importance: Undecided → High
Andy Whitcroft (apw)
affects: linux (Ubuntu) → linux-lts-quantal (Ubuntu)
Changed in linux-lts-quantal (Ubuntu):
status: Fix Released → Invalid
Revision history for this message
Andy Whitcroft (apw) wrote :

Enabled generation of signable images linux-lts-quantal.

Changed in linux-lts-quantal (Ubuntu Precise):
status: Triaged → Fix Committed
Colin Watson (cjwatson)
Changed in base-installer (Ubuntu Precise):
status: Triaged → In Progress
Andy Whitcroft (apw)
Changed in linux-signed (Ubuntu):
assignee: nobody → Andy Whitcroft (apw)
status: Fix Released → In Progress
Colin Watson (cjwatson)
Changed in livecd-rootfs (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in livecd-rootfs (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
Changed in ubuntu-defaults-builder (Ubuntu):
importance: Undecided → High
status: New → Fix Released
Changed in ubuntu-defaults-builder (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Triaged
Revision history for this message
Colin Watson (cjwatson) wrote :

I've copied shim with binaries directly from quantal to precise-proposed, since the binary package has no dependencies and we don't want to rebuild shim unnecessarily. It's awaiting approval in the queue.

Changed in shim (Ubuntu Precise):
assignee: nobody → Colin Watson (cjwatson)
status: Triaged → In Progress
Revision history for this message
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Colin, or anyone else affected,

Accepted grub2 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2/1.99-21ubuntu3.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in linux-lts-quantal-signed (Ubuntu Precise):
assignee: nobody → Andy Whitcroft (apw)
milestone: none → ubuntu-12.04.2
Adam Conrad (adconrad)
no longer affects: linux-signed (Ubuntu)
no longer affects: linux-signed (Ubuntu Precise)
Changed in linux-lts-quantal-signed (Ubuntu Precise):
status: New → In Progress
Colin Watson (cjwatson)
Changed in grub2-signed (Ubuntu Precise):
status: Triaged → In Progress
Colin Watson (cjwatson)
Changed in shim-signed (Ubuntu Precise):
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Colin Watson (cjwatson)
Changed in grub-installer (Ubuntu Precise):
status: Triaged → In Progress
Colin Watson (cjwatson)
Changed in ubuntu-defaults-builder (Ubuntu Precise):
status: Triaged → In Progress
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted grub2-signed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2-signed/1.9~ubuntu12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2-signed (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted ubuntu-defaults-builder into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubuntu-defaults-builder/0.31.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubuntu-defaults-builder (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in grub-installer (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted grub-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub-installer/1.68ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in base-installer (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted base-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/base-installer/1.122ubuntu7.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux-lts-quantal-signed (Ubuntu):
status: New → Confirmed
Andy Whitcroft (apw)
Changed in sbsigntool (Ubuntu Precise):
assignee: nobody → Andy Whitcroft (apw)
status: Triaged → In Progress
Andy Whitcroft (apw)
Changed in sbsigntool (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Andy Whitcroft (apw) wrote :

Uploaded an sbsigntool backport to precise-proposed, once this is published linux-lts-quantal-signed should be unblocked.

Andy Whitcroft (apw)
Changed in shim (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in shim-signed (Ubuntu Precise):
status: In Progress → Fix Committed
Andy Whitcroft (apw)
affects: linux-lts-quantal-signed (Ubuntu) → linux-signed-lts-quantal (Ubuntu)
Changed in linux-signed-lts-quantal (Ubuntu):
importance: Undecided → High
status: Confirmed → Invalid
Changed in linux-signed-lts-quantal (Ubuntu Precise):
importance: Undecided → High
status: In Progress → Fix Committed
Revision history for this message
Herton R. Krzesinski (herton) wrote :

Since linux-signed-lts-quantal built succesfuly againt linux-lts-quantal in precise, this is verified for the kernel SRU workflow.

tags: added: verification-done-precise
Colin Watson (cjwatson)
Changed in debian-installer (Ubuntu Precise):
status: Triaged → In Progress
Colin Watson (cjwatson)
Changed in livecd-rootfs (Ubuntu Precise):
status: Triaged → In Progress
Colin Watson (cjwatson)
Changed in ubiquity (Ubuntu Precise):
status: Triaged → In Progress
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted livecd-rootfs into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/livecd-rootfs/2.65.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in livecd-rootfs (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted ubiquity into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubiquity/2.10.21 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ubiquity (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted debian-installer into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/debian-installer/20101020ubuntu136.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in debian-installer (Ubuntu Precise):
status: In Progress → Fix Committed
Revision history for this message
Peter Meiser (meiser79) wrote :

Just a question: Why aren't the linux-tools packages built with the lts-quantal backport?

Revision history for this message
Colin Watson (cjwatson) wrote :

No idea - but please file a separate bug if this is important to you. They aren't required for the UEFI Secure Boot work.

Revision history for this message
Colin Watson (cjwatson) wrote :

I believe that the necessary cdimage/debian-cd/seed changes are now backported and deployed. I'm smoke-testing the initial batch of images now and it wouldn't surprise me to find the odd bug (I know that the images are currently larger than intended, for instance), but I'll fix those as I run into them.

Changed in ubuntu-cdimage:
status: Triaged → Fix Released
Andy Whitcroft (apw)
Changed in linux-meta-lts-quantal (Ubuntu):
importance: Undecided → High
no longer affects: linux-meta-lts-quantal (Ubuntu)
no longer affects: linux-meta-lts-quantal (Ubuntu)
no longer affects: linux (Ubuntu)
Adam Conrad (adconrad)
no longer affects: hello (Ubuntu)
Revision history for this message
Andy Whitcroft (apw) wrote :

I would create a P task for linux-meta-lts-quantal but they don't work on this bug any more. Sigh.

Andy Whitcroft (apw)
Changed in linux-meta-lts-quantal (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-12.04.2
status: New → Fix Committed
assignee: nobody → Andy Whitcroft (apw)
Revision history for this message
Colin Watson (cjwatson) wrote :

Hello Colin, or anyone else affected,

Accepted linux-meta-lts-quantal into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/linux-meta-lts-quantal/linux-meta-lts-quantal in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted livecd-rootfs into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/livecd-rootfs/2.65.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-quantal - 3.5.0-19.30~precise1

---------------
linux-lts-quantal (3.5.0-19.30~precise1) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1078677

  [ Andy Whitcroft ]

  * UBUNTU: ensure we build signed packages for precise
    - LP: #1075181
  * [Config] update Vcs-git: to point to quantal
    - LP: #1069204

  [ Joseph Salisbury ]

  * SAUCE: ALSA: hda - add quirk for Thinkpad T430
    - LP: #1060372

  [ Tim Gardner ]

  * [Config] CONFIG_USB_OTG=n for all but armel/armhf
    - LP: #1047527
  * [Config] remove ndiswrapper from Provides:
    - LP: #1076395
  * [Config] ONFIG_AMD_IOMMU_V2=m
    - LP: #1071520

  [ Upstream Kernel Changes ]

  * kernel/sys.c: fix stack memory content leak via UNAME26
    - LP: #1065622, #1060521
    - CVE-2012-0957
  * use clamp_t in UNAME26 fix
    - LP: #1065622, #1060521
    - CVE-2012-0957
  * net: fix divide by zero in tcp algorithm illinois
    - LP: #1077091
    - CVE-2012-4565

  [ Wen-chien Jesse Sung ]

  * SAUCE: Bluetooth: Add a load_firmware callback to struct hci_dev
    - LP: #1065400
  * SAUCE: Bluetooth: Implement broadcom patchram firmware loader
    - LP: #1065400
  * SAUCE: Bluetooth: Add support for 13d3:3388 and 13d3:3389
    - LP: #1065400
 -- Luis Henriques <email address hidden> Wed, 14 Nov 2012 11:55:55 +0000

Changed in linux-lts-quantal (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-meta-lts-quantal - 3.5.0.19.26

---------------
linux-meta-lts-quantal (3.5.0.19.26) precise-proposed; urgency=low

  * Add -signed packages for generic on amd64. (LP: #1075181)
 -- Andy Whitcroft <email address hidden> Fri, 23 Nov 2012 17:36:48 +0000

Changed in linux-meta-lts-quantal (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted ubiquity into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/ubiquity/2.10.22 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Colin, or anyone else affected,

Accepted livecd-rootfs into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/livecd-rootfs/2.65.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted livecd-rootfs into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/livecd-rootfs/2.65.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted grub2 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2/1.99-21ubuntu3.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted grub2 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2/1.99-21ubuntu3.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Adam Conrad (adconrad) wrote :

Hello Colin, or anyone else affected,

Accepted grub2-signed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2-signed/1.9~ubuntu12.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu1~12.04.1

---------------
sbsigntool (0.6-0ubuntu1~12.04.1) precise-proposed; urgency=low

  * Backport to precise to support secure boot for 12.04.02. LP: #1075181.
 -- Andy Whitcroft <email address hidden> Mon, 19 Nov 2012 11:15:38 +0000

Changed in sbsigntool (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote :

This all seems to be basically working now. We'll fix up any remaining consequential problems separately.

tags: added: verification-done
removed: verification-done-precise verification-needed
Revision history for this message
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub-installer - 1.68ubuntu5.1

---------------
grub-installer (1.68ubuntu5.1) precise-proposed; urgency=low

  * If the SecureBoot EFI variable is set, then install
    grub-efi-amd64-signed rather than grub-efi, along with shim-signed if
    available; adjust removal handling to match (LP: #1075181).
 -- Colin Watson <email address hidden> Mon, 12 Nov 2012 00:55:04 +0000

Changed in grub-installer (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package base-installer - 1.122ubuntu7.2

---------------
base-installer (1.122ubuntu7.2) precise-proposed; urgency=low

  * On amd64/efi, install a signed kernel if the SecureBoot variable is set
    (LP: #1075181).
 -- Colin Watson <email address hidden> Wed, 07 Nov 2012 10:48:05 +0000

Changed in base-installer (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package livecd-rootfs - 2.65.5

---------------
livecd-rootfs (2.65.5) precise-proposed; urgency=low

  * Make sure the $PREFIX.kernel-$FLAVOUR.efi.signed output is
    world-readable.

livecd-rootfs (2.65.4) precise-proposed; urgency=low

  * live-build/auto/config: Convince live-build to use the
    -generic-lts-quantal kernels on Ubuntu/Edubuntu amd64/i386.

livecd-rootfs (2.65.3) precise-proposed; urgency=low

  * live-build/auto/config: Manually add linux-signed-generic-lts-quantal to
    Ubuntu/Edubuntu amd64 builds, since nothing deals with updating Task
    fields in the archive post-release.

livecd-rootfs (2.65.2) precise-proposed; urgency=low

  * live-build/auto/build: If they exist, link *.efi.signed versions of the
    kernel to binary/$INITFS/kernel-$FLAVOUR.efi.signed (LP: #1075181).
 -- Colin Watson <email address hidden> Tue, 04 Dec 2012 16:21:46 +0000

Changed in livecd-rootfs (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-defaults-builder - 0.31.2

---------------
ubuntu-defaults-builder (0.31.2) precise-proposed; urgency=low

  * bin/ubuntu-defaults-image: If a *.efi.signed kernel image is present,
    copy it to binary/casper/vmlinuz.efi (LP: #1075181).
 -- Colin Watson <email address hidden> Mon, 12 Nov 2012 17:23:31 +0000

Changed in ubuntu-defaults-builder (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debian-installer - 20101020ubuntu136.5

---------------
debian-installer (20101020ubuntu136.5) precise-proposed; urgency=low

  * Move to 3.2.0-34 kernels.
  * Move armel/omap4 and armhf/omap4 to 3.2.0-1421 kernels.
  * Move armhf/armadaxp to 3.2.0-1610 kernels.
  * Add quantal images for amd64 and i386, built with the lts-quantal kernel
    (3.5.0-18) and configured to install it (LP: #1079797).
  * Use signed GRUB and (for quantal) kernel images on amd64 (LP: #1075181).
 -- Colin Watson <email address hidden> Wed, 21 Nov 2012 17:36:21 +0000

Changed in debian-installer (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubiquity - 2.10.23

---------------
ubiquity (2.10.23) precise-proposed; urgency=low

  * Honour base-installer/kernel/altmeta when deciding which kernels to
    install or keep installed.

ubiquity (2.10.22) precise-proposed; urgency=low

  [ Dmitrijs Ledkovs ]
  * Make user-setup-encrypted-swap wait until partitioning has finished
    before attempting to adjust /target/etc/fstab. (LP: #1024343)
    (LP: #1068178)

  [ Colin Watson ]
  * Don't remove kernel headers just because we're removing signed kernel
    images of the same flavour (LP: #1070427).

ubiquity (2.10.21) precise-proposed; urgency=low

  [ Colin Watson ]
  * Fix missing parentheses that caused removable installation media
    sometimes to be selected as the default GRUB device (LP: #987418).
  * Support UEFI Secure Boot (LP: #1075181):
    - Try to install a signed kernel if base-installer asks for one, and
      don't leave signed kernels installed if it doesn't.
    - If the SecureBoot EFI variable is set, then ensure that
      grub-efi-amd64-signed and shim-signed remain installed.
    - Copy the signed kernel from /cdrom if it is not in the squashfs. If
      there is a signed kernel there but no unsigned one, then use sbattach
      to remove the signature and construct the unsigned kernel on the fly.
  * Automatic update of included source packages: base-installer
    1.122ubuntu7.2, grub-installer 1.68ubuntu5.1.

  [ Mario Limonciello ]
  * Don't let oem-config crash from an invalid server return on the timezone
    page. (LP: #887879)

  [ Dmitrijs Ledkovs ]
  * Do not preseed grub-install, if we are not proceeding to install. This
    should fix ValueError, I/O operation on closed file (LP: #1027648)
    (LP: #792652)
  * Prevent progress label to expand & shrink the window (LP: #1046241)

  [ Jonathan Riddell ]
  * Change from a KApplication to a QApplication to avoid using DBus, DBus
    as needed by KApplication no longer works with our multiple user changes
    LP: #1055967
 -- Colin Watson <email address hidden> Thu, 06 Dec 2012 17:20:32 +0000

Changed in ubiquity (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.9~ubuntu12.04.2

---------------
grub2-signed (1.9~ubuntu12.04.2) precise-proposed; urgency=low

  * Build against grub-efi-amd64 1.99-21ubuntu3.7.

grub2-signed (1.9~ubuntu12.04.1) precise-proposed; urgency=low

  * Build against grub-efi-amd64 1.99-21ubuntu3.5 (LP: #1075181).

grub2-signed (1.9) quantal-proposed; urgency=low

  * Download the signed image from the correct pocket.

grub2-signed (1.8) quantal; urgency=low

  * Rebuild against grub-efi-amd64 2.00-7ubuntu11.

grub2-signed (1.7) quantal; urgency=low

  * Rebuild against grub-efi-amd64 2.00-7ubuntu10.

grub2-signed (1.6) quantal; urgency=low

  * Rebuild against grub-efi-amd64 2.00-7ubuntu9.

grub2-signed (1.5) quantal; urgency=low

  * Drop Depends back to grub-efi-amd64 (>= 2.00-7ubuntu4), which is good
    enough (grub-install extensions).
  * Build-depend on a current grub-efi-amd64-bin so that this upload can
    safely be accepted before grub2/amd64 binaries have published.
  * Rebuild against grub-efi-amd64 2.00-7ubuntu8.

grub2-signed (1.4) quantal; urgency=low

  * Rebuild against grub-efi-amd64 2.00-7ubuntu7.

grub2-signed (1.3) quantal; urgency=low

  * Rebuild against grub-efi-amd64 2.00-7ubuntu5.

grub2-signed (1.2) quantal; urgency=low

  [ Colin Watson ]
  * Include gcdx64.efi.signed.
  * Depend on grub-efi-amd64 so that /etc/default/grub and
    /boot/grub/grub.cfg are updated.
  * Run grub-install on configure if appropriate.

  [ Steve Langasek ]
  * Adjust makefile so gcdx64.efi.signed actually gets included in the
    package, not just downloaded.

grub2-signed (1.1) quantal; urgency=low

  * Add a Built-Using field, per policy 3.9.4.

grub2-signed (1.0) quantal; urgency=low

  * Initial release.
 -- Colin Watson <email address hidden> Mon, 10 Dec 2012 11:31:50 +0000

Changed in grub2-signed (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 1.99-21ubuntu3.7

---------------
grub2 (1.99-21ubuntu3.7) precise-proposed; urgency=low

  * Fix backport mistake that caused grub.cfg not to be created in $efidir
    if UEFI Secure Boot is enabled.
  * When installing to removable media with UEFI Secure Boot, install
    gcdx64.efi.signed rather than grubx64.efi.signed.
  * Make gcdx64.efi.signed fall back to sourcing $prefix/grub.cfg if
    $prefix/x86_64-efi/grub.cfg is missing, as is likely when using
    'grub-install --removable'.

grub2 (1.99-21ubuntu3.6) precise-proposed; urgency=low

  * Fix backport mistake in patch to install signed images if UEFI Secure
    Boot is enabled.

grub2 (1.99-21ubuntu3.5) precise-proposed; urgency=low

  * Backport several changes to support Secure Boot patches.
  * Add Secure Boot patches from Ubuntu 12.10 and Fedora (LP: #1075181):
    - Don't permit loading modules on UEFI secure boot.
    - Add efifwsetup module to reboot into firmware setup menu.
    - Add "linuxefi" loader which avoids ExitBootServices.
    - Only build linuxefi on amd64.
    - Make linuxefi refuse to boot without shim.
    - Make the linux module call linuxefi when necessary, simplifying
      configuration.
    - If secure boot is enabled and the kernel is signed, linux will call
      linuxefi to hand over to it without calling ExitBootServices.
    - Otherwise, linux will fall through to previous code, call
      ExitBootServices itself, and boot the kernel normally.
    - Change linuxefi to return GRUB_ERR_ACCESS_DENIED rather than
      GRUB_ERR_INVALID_COMMAND in the case of an invalid signature, to make
      it easier to implement different handling of unsigned kernels in
      future if necessary.
    - Generate configuration for signed UEFI kernels if available.
    - Install signed images if UEFI Secure Boot is enabled.
    - Output a menu entry for firmware setup on UEFI FastBoot systems.
    - Add some extra debugging to signed/unsigned kernel logic.
    - On amd64, build two images for signing: one with prefix /EFI/BOOT for
      use on removable media, and one with prefix /EFI/ubuntu (and with the
      lvm, mdraid09, and mdraid1x modules added) for use on fixed disks.
 -- Colin Watson <email address hidden> Mon, 10 Dec 2012 11:31:09 +0000

Changed in grub2 (Ubuntu Precise):
status: Fix Committed → Fix Released
Andy Whitcroft (apw)
Changed in linux-signed-lts-quantal (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Colin Watson (cjwatson) wrote :

We copied shim and shim-signed from quantal to precise-updates some time ago.

Changed in shim (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in shim-signed (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.