EFI fallback binary should not be installed in --removable mode

Bug #1684341 reported by Mathieu Trudel-Lapierre on 2017-04-20
26
This bug affects 3 people
Affects Status Importance Assigned to Milestone
grub2 (Ubuntu)
Critical
Mathieu Trudel-Lapierre
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
Zesty
Critical
Mathieu Trudel-Lapierre

Bug Description

[Impact]
Building some images depending on calling grub-install --removable still installs fbx64.efi; which we don't want on removable media.

[Test case]
On an EFI system, run 'grub-install --removable --target=x86_64-efi'. Observe whether fbx64.efi is installed to /boot/efi/EFI/BOOT. It should not.

[Regression potential]
If any system is depending on running grub-install with --removable, and on fbx64.efi being installed in /boot/efi/EFI/BOOT; this would cause this assumption to fail -- leading to incorrect fallback behavior when BootEntries are not present on a system.

Failures to boot with "System BootOrder not found" errors should be considered a possible regression.

Any missing files in /boot/efi/EFI/BOOT or /boot/efi/EFI/ubuntu after install should be considered a potential regression of this update.

----

The patch I did to fix names for the new naming of shim binaries included the addition of fbx64.efi; but it was done wrong: fbx64.efi should only exist under \EFI\BOOT, it's not required in the "removable" path; except if we're trying to force installing to the removable path *too*.

In other words:
1) we normally don't want /EFI/ubuntu/fbx64.efi to exist;

and
a) on a desktop or server, we want /EFI/BOOT/fbx64.efi to exist (ie. installs without --removable, and with --force-extra-removable used when grub-install was called);
b) on removable media, we do not want /EFI/BOOT/fbx64.efi to exist (ie. when grub-installed is called with --removable).

Furthermore, the (a) case is probably not the typical case we want to run grub-install with. Calls to grub-install with --force-extra-removable probably should be limited to shim-signed's postinst.

In any case, let's move the fbx64.efi installation step to also_install_removable() in grub-installer to avoid installing it when it shouldn't be.

summary: - EFI fallback binary should only be installed in removable path
+ EFI fallback binary should only be installed in force-extra-removable
Changed in grub2 (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
status: Triaged → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
milestone: none → ubuntu-17.05
description: updated
summary: - EFI fallback binary should only be installed in force-extra-removable
+ EFI fallback binary should not be installed in --removable mode
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta3-4ubuntu3

---------------
grub2 (2.02~beta3-4ubuntu3) artful; urgency=medium

  * debian/patches/install_signed.patch, grub-install-extra-removable.patch:
    - Make sure if we install shim; it should also be exported as the default
      bootloader to install later to a removable path, if we do.
    - Rework grub-install-extra-removable.patch to reverse its logic: in the
      default case, install the bootloader to /EFI/BOOT, unless we're trying
      to install on a removable device, or explicitly telling grub *not* to
      do it.
    - Move installing fb$arch.efi to --no-extra-removable; as we don't want
      fallback to be installed unless we're also installing to /EFI/BOOT.
      (LP: #1684341)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 26 Apr 2017 21:08:22 -0400

Changed in grub2 (Ubuntu):
status: In Progress → Fix Released
Changed in cloud-images:
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu Trusty):
status: New → Confirmed
Changed in grub2 (Ubuntu Xenial):
status: New → Confirmed
Changed in grub2 (Ubuntu Yakkety):
status: New → Confirmed

An upload of grub2 to xenial-proposed has been rejected from the upload queue for the following reason: "SRU should handle removal of /boot/efi/EFI/ubuntu/fb$arch.efi on disk".

Hello Mathieu, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.66.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

An upload of grub2 to yakkety-proposed has been rejected from the upload queue for the following reason: "needs upgrade handling to remove /boot/efi/EFI/ubuntu/fbx64.efi".

looks like this change broke the installation process of grub-pc_2.02~beta2-36ubuntu3.10 for me (syntax-error in grub-pc.postinst). Please see bug #1692175, which is for grub-efi-amd64 2.02~beta2-36ubuntu3.10 but I believe the file might be the same anyway.

Side question: How do you link two bugs as related if they're not duplicates?

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of grub2 from xenial-proposed was performed and bug 1692181 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1692181 (not this bug). Thanks!

tags: added: verification-failed
tags: removed: verification-failed

Hello Mathieu, or anyone else affected,

Accepted grub2 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta3-4ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Zesty):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2 into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu11.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Yakkety):
status: Confirmed → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.80.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.74.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verification done on xenial:

Preparing to unpack .../grub-efi-amd64-signed_1.66.11+2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.66.11+2.02~beta2-36ubuntu3.11) over (1.66.9+2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub-efi-amd64_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub2-common_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub2-common (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub-efi-amd64-bin_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub-common_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-common (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...

I've verified that the fbx64.efi file is indeed no longer installed in /boot/efi/EFI/ubuntu.

tags: added: verification-done-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.11

---------------
grub2 (2.02~beta2-36ubuntu3.11) xenial; urgency=medium

  * Fix syntax error in debian/postinst.in. (LP #1692181)

 -- Steve Langasek <email address hidden> Sat, 20 May 2017 12:59:17 -0700

Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → Fix Released

Verification done for yakkety:

Preparing to unpack .../0-grub-efi-amd64-signed_1.74.3+2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.74.3+2.02~beta2-36ubuntu11.3) over (1.74.2+2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../1-grub-efi-amd64_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../2-grub2-common_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub2-common (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../3-grub-efi-amd64-bin_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../4-grub-common_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-common (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...

I have verified that the fbx64.efi file is no longer installed in /boot/efi/EFI/ubuntu.

tags: added: verification-done-yakkety

Verification done for zesty:

Preparing to unpack .../grub-efi-amd64-signed_1.80.1+2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.80.1+2.02~beta3-4ubuntu2.1) over (1.80+2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub-efi-amd64_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub2-common_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub2-common (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub-efi-amd64-bin_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub-common_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-common (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...

I have verified that fbx64.efi is no longer getting installed in /boot/efi/EFI/ubuntu.

tags: added: verification-done-zesty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta3-4ubuntu2.1

---------------
grub2 (2.02~beta3-4ubuntu2.1) zesty; urgency=medium

  * debian/patches/install_signed.patch: don't install fb$arch.efi; it breaks
    "removable" installs where files are all installed to /EFI/BOOT; and it
    also doesn't belong in the /EFI/ubuntu path for the default case. Fallback
    install simply needs more work and isn't ready for SRU. (LP: #1684341)
  * debian/postinst.in: clean up fb$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 24 May 2017 16:25:17 -0400

Changed in grub2 (Ubuntu Zesty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu11.3

---------------
grub2 (2.02~beta2-36ubuntu11.3) yakkety; urgency=medium

  * debian/patches/install_signed.patch: don't install fb$arch.efi; it breaks
    "removable" installs where files are all installed to /EFI/BOOT; and it
    also doesn't belong in the /EFI/ubuntu path for the default case. Fallback
    install simply needs more work and isn't ready for SRU. (LP: #1684341)
  * debian/postinst.in: clean up fb$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 May 2017 18:26:30 -0400

Changed in grub2 (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Scott Moser (smoser) on 2017-06-28
no longer affects: cloud-images
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers