2017-06-07 23:20:20 | Mathieu Trudel-Lapierre | bug | | | added bug |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | nominated for series | | Ubuntu Zesty | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | bug task added | | grub2 (Ubuntu Zesty) | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | nominated for series | | Ubuntu Trusty | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | bug task added | | grub2 (Ubuntu Trusty) | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | nominated for series | | Ubuntu Artful | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | bug task added | | grub2 (Ubuntu Artful) | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | nominated for series | | Ubuntu Xenial | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | bug task added | | grub2 (Ubuntu Xenial) | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | nominated for series | | Ubuntu Yakkety | |
2017-06-07 23:20:46 | Mathieu Trudel-Lapierre | bug task added | | grub2 (Ubuntu Yakkety) | |
2017-06-07 23:20:55 | Mathieu Trudel-Lapierre | grub2 (Ubuntu Artful): status | New | Fix Released | |
2017-06-07 23:21:04 | Mathieu Trudel-Lapierre | bug task added | | grub2-signed (Ubuntu) | |
2017-06-07 23:21:34 | Mathieu Trudel-Lapierre | grub2-signed (Ubuntu Artful): status | New | Fix Released | |
2017-06-21 02:28:49 | Mathieu Trudel-Lapierre | description |
[Impact]
Since the implementation of UEFI Secure Boot in Ubuntu, there has been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb. This is a complex set of enablement patches across a number of packages. Most of them will be fairly straightforward backports, but there are a few known warts:
* The included patches are based on grub2 2.02~beta3; as such, some patches require extra backporting effort of other pieces of the loader code down to releases that do not yet include 2.02~beta3 code.
[Test Case]
The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. After each installation, validate that Secure Boot is enabled by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as /sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation may be disabled).
Tests should include:
- booting with Secure Boot enabled
- booting with Secure Boot enabled, but shim validation disabled
- booting with Secure Boot disabled, but still in EFI mode
[Regression Potential]
Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both. |
[Impact]
Since the implementation of UEFI Secure Boot in Ubuntu, there has been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb.
This SRU is handled as a wholesale "sync" with a known set of patches rather than individual cherry-picks given the high risk in cherry-picking individual changes; we do not want to risk subtly breaking Secure Boot support or introducing a security issue due to using different sets of patches across our currently supported releases. Using a common set of patches across releases and making sure we're in sync with "upstream" for that particular section of the grub2 codebase (specifically, UEFI/SB support is typically outside the GNU GRUB tree) allows us to make sure UEFI Secure Boot remains supportable and that potential security issues are easy to fix quickly given the complexity of the codebase.
This is a complex set of enablement patches; most of them will be fairly straightforward backports, but there are a few known warts:
* The included patches are based on grub2 2.02~beta3; as such, some patches require extra backporting effort of other pieces of the loader code down to releases that do not yet include 2.02~beta3 code.
[Test Case]
The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. After each installation, validate that Secure Boot is enabled by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as /sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation may be disabled).
Tests should include:
- booting with Secure Boot enabled
- booting with Secure Boot enabled, but shim validation disabled
- booting with Secure Boot disabled, but still in EFI mode
[Regression Potential]
Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both. |
|
2017-06-21 03:32:15 | Chris Halse Rogers | grub2 (Ubuntu Xenial): status | New | Fix Committed | |
2017-06-21 03:32:22 | Chris Halse Rogers | bug | | | added subscriber Ubuntu Stable Release Updates Team |
2017-06-21 03:32:27 | Chris Halse Rogers | bug | | | added subscriber SRU Verification |
2017-06-21 03:32:32 | Chris Halse Rogers | tags | | verification-needed | |
2017-06-21 03:50:18 | Chris Halse Rogers | grub2 (Ubuntu Yakkety): status | New | Fix Committed | |
2017-06-21 03:54:56 | Chris Halse Rogers | grub2 (Ubuntu Zesty): status | New | Fix Committed | |
2017-06-21 03:57:32 | Chris Halse Rogers | grub2-signed (Ubuntu Zesty): status | New | Fix Committed | |
2017-06-21 03:59:22 | Chris Halse Rogers | grub2-signed (Ubuntu Yakkety): status | New | Fix Committed | |
2017-06-21 04:06:00 | Chris Halse Rogers | grub2-signed (Ubuntu Xenial): status | New | Fix Committed | |
2017-06-22 19:37:16 | Ubuntu Foundations Team Bug Bot | bug | | | added subscriber Brian Murray |
2017-06-22 19:37:19 | Ubuntu Foundations Team Bug Bot | tags | verification-needed | verification-failed verification-needed | |
2017-07-20 20:10:25 | Mathieu Trudel-Lapierre | tags | verification-failed verification-needed | verification-needed | |
2017-07-20 20:11:10 | Mathieu Trudel-Lapierre | tags | verification-needed | verification-needed verification-needed-xenial verification-needed-zesty | |
2017-07-24 19:45:21 | Mathieu Trudel-Lapierre | tags | verification-needed verification-needed-xenial verification-needed-zesty | verification-done-zesty verification-needed verification-needed-xenial | |
2017-07-28 00:39:48 | Steve Langasek | grub2-signed (Ubuntu Yakkety): status | Fix Committed | Won't Fix | |
2017-07-28 00:40:00 | Steve Langasek | grub2 (Ubuntu Yakkety): status | Fix Committed | Won't Fix | |
2017-07-28 00:48:12 | Launchpad Janitor | grub2 (Ubuntu Zesty): status | Fix Committed | Fix Released | |
2017-07-28 00:48:23 | Steve Langasek | removed subscriber Ubuntu Stable Release Updates Team | | | |
2017-07-28 00:48:27 | Launchpad Janitor | grub2-signed (Ubuntu Zesty): status | Fix Committed | Fix Released | |
2017-07-28 19:00:40 | Mathieu Trudel-Lapierre | tags | verification-done-zesty verification-needed verification-needed-xenial | verification-done-xenial verification-done-zesty | |
2017-07-28 23:06:58 | Launchpad Janitor | grub2 (Ubuntu Xenial): status | Fix Committed | Fix Released | |
2017-07-28 23:07:05 | Launchpad Janitor | grub2-signed (Ubuntu Xenial): status | Fix Committed | Fix Released | |
2017-09-29 07:54:49 | Chen-Han Hsiao (Stanley) | bug | | | added subscriber Chen-Han Hsiao (Stanley) |
2018-08-15 00:43:32 | Steve Langasek | grub2 (Ubuntu Trusty): status | New | Won't Fix | |
2018-08-15 00:43:42 | Steve Langasek | grub2-signed (Ubuntu Trusty): status | New | Won't Fix | |
2019-01-09 14:08:44 | Mathieu Trudel-Lapierre | grub2 (Ubuntu Trusty): status | Won't Fix | In Progress | |
2019-01-09 14:09:01 | Mathieu Trudel-Lapierre | grub2-signed (Ubuntu Trusty): status | Won't Fix | In Progress | |
2019-01-15 23:01:30 | Brian Murray | grub2 (Ubuntu Trusty): status | In Progress | Fix Committed | |
2019-01-15 23:01:35 | Brian Murray | bug | | | added subscriber Ubuntu Stable Release Updates Team |
2019-01-15 23:01:42 | Brian Murray | tags | verification-done-xenial verification-done-zesty | verification-done-xenial verification-done-zesty verification-needed verification-needed-trusty | |
2019-01-15 23:05:21 | Brian Murray | grub2-signed (Ubuntu Trusty): status | In Progress | Fix Committed | |
2019-01-25 19:33:56 | Mathieu Trudel-Lapierre | tags | verification-done-xenial verification-done-zesty verification-needed verification-needed-trusty | verification-done-trusty verification-done-xenial verification-done-zesty | |
2019-02-04 12:08:15 | Launchpad Janitor | grub2 (Ubuntu Trusty): status | Fix Committed | Fix Released | |
2019-02-04 12:08:28 | Launchpad Janitor | grub2-signed (Ubuntu Trusty): status | Fix Committed | Fix Released | |