2017-05-10 01:28:46 |
Mathieu Trudel-Lapierre |
bug |
|
|
added bug |
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Xenial |
|
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
bug task added |
|
grub2 (Ubuntu Xenial) |
|
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Zesty |
|
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
bug task added |
|
grub2 (Ubuntu Zesty) |
|
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Artful |
|
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
bug task added |
|
grub2 (Ubuntu Artful) |
|
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Yakkety |
|
2017-05-10 01:29:02 |
Mathieu Trudel-Lapierre |
bug task added |
|
grub2 (Ubuntu Yakkety) |
|
2017-05-10 02:13:52 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu Artful): status |
New |
In Progress |
|
2017-06-07 17:28:06 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu Artful): status |
In Progress |
Fix Released |
|
2017-06-14 19:06:56 |
Mathieu Trudel-Lapierre |
description |
GRUB currently fails SecureBoot validation (i.e. calls to grub_linuxefi_secure_validate() fail) if shim's protocol is not installed when that function is called.
This currently breaks some kernel features relying on starting in the EFI stub code (i.e. the kernel being loaded as an EFI binary); and instead falls back to the 'linux' command instead of 'linuxefi'. |
[Impact]
Users of UEFI Secure Boot that must disable SB validation in shim, for example to run dkms modules, may notice that the kernel incorrectly reports the SecureBoot/shim states.
[Test case]
1) Install bbswitch-dkms
a) Validate whether you are prompted to disable Secure Boot. If Secure Boot is already disabled, you should not be prompted again. If it isn't, you should be prompted once.
b) If shim validation was previously disabled, verify that the kernel reports /proc/sys/kernel/moksbstate_disabled as "1" (shim validation disabled)
[Regression Potential]
This affects the loading behavior for the kernel, which will now load as an EFI binary and thus execute some extra code to bring up UEFI, which would otherwise not get loaded in the case shim validation is disabled. Given that the system must have booted successfully once for validation to get disabled, there should not be any issues; but possible resulting regressions would be a failure to correctly load the kernel, or a kernel issue early on during boot. Furthermore, any instance where the incorrect loading behavior was relied upon by installs (though I can think of no examples for this) would regress. The kind of issue that might be seen there is where code relies on /proc/sys/kernel/moksbstate_disabled or /proc/sys/kernel/secure_boot, or on other aspects of the kernel's secure boot policy (there seems to exist at least one special case for SB in kernel bluetooth code); the programs that rely on such behavior would regress. There are no packages shipped in Ubuntu that rely on this incorrect behavior; the only known package to ship something that checks the relevant /proc files is shim-signed, and this is meant to correct the behavior when these values are set.
---
GRUB currently fails SecureBoot validation (i.e. calls to grub_linuxefi_secure_validate() fail) if shim's protocol is not installed when that function is called.
This currently breaks some kernel features relying on starting in the EFI stub code (i.e. the kernel being loaded as an EFI binary); and instead falls back to the 'linux' command instead of 'linuxefi'. |
|
2017-06-21 03:31:53 |
Chris Halse Rogers |
grub2 (Ubuntu Xenial): status |
New |
Fix Committed |
|
2017-06-21 03:31:57 |
Chris Halse Rogers |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-06-21 03:32:02 |
Chris Halse Rogers |
bug |
|
|
added subscriber SRU Verification |
2017-06-21 03:32:07 |
Chris Halse Rogers |
tags |
|
verification-needed |
|
2017-06-21 03:50:01 |
Chris Halse Rogers |
grub2 (Ubuntu Yakkety): status |
New |
Fix Committed |
|
2017-06-21 03:54:40 |
Chris Halse Rogers |
grub2 (Ubuntu Zesty): status |
New |
Fix Committed |
|
2017-07-20 19:56:34 |
Mathieu Trudel-Lapierre |
tags |
verification-needed |
verification-done-xenial verification-needed |
|
2017-07-21 19:36:22 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Brian Murray |
2017-07-21 19:36:25 |
Ubuntu Foundations Team Bug Bot |
tags |
verification-done-xenial verification-needed |
verification-done-xenial verification-failed verification-needed |
|
2017-07-25 01:17:53 |
Mathieu Trudel-Lapierre |
tags |
verification-done-xenial verification-failed verification-needed |
verification-done-xenial verification-done-zesty |
|
2017-07-28 00:48:12 |
Launchpad Janitor |
grub2 (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-07-28 00:48:20 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-07-28 00:57:21 |
Steve Langasek |
grub2 (Ubuntu Yakkety): status |
Fix Committed |
Won't Fix |
|
2017-07-28 23:06:58 |
Launchpad Janitor |
grub2 (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|