Provide grub 2.04 EFI backport on bionic

Bug #1912264 reported by Dimitri John Ledkov
Affects                    Status         Importance  Assigned to  Milestone
grub2.04-signed (Ubuntu)   Fix Released   Wishlist    Unassigned
Bionic                     In Progress    Wishlist    Unassigned
Focal                      Won't Fix      Wishlist    Unassigned

Bug Description

[Impact]

 * Provide grub 2.04 backport to bionic for improved TPM support.

[Test Case]

 * Boot to bionic EFI amd64 or arm64

 * If /boot/efi/EFI/ubuntu does not exist, execute

 on amd64 $ sudo grub-install --target x86_64-efi --uefi-secure-boot
 on arm64 $ sudo grub-install --target arm64-efi --uefi-secure-boot

and reboot

 * Install grub2.04-signed on bionic amd64 or arm64

 * Reboot, check that echo ${package_version} shows 2.04

 * Upgrade to focal

 * Observe that upgrade is correct and grub2.04-signed is now a dummy transitional package

[Where problems could occur]

 * One must be able to remove grub2.04-signed & downgrade back to grub 2.02 based -bin and -signed packages. And binaries in /boot must be updated.

 * One must be able to mix&match userspace grub packages tooling from release/security/updates/proposed, whilst keeping grub2.04-signed installed.

 * One must be upgraded to stock grub2.04 -bin / -signed packages upon dist-upgrade to focal.

[Other Info]

 * Targeted to be installed by default on some cloud images.

Test packages available from this bileto PPA https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/4413/+packages

NEW queue:
https://launchpad.net/ubuntu/focal/+queue?queue_state=0&queue_text=grub2.04-signed

https://launchpad.net/ubuntu/bionic/+queue?queue_state=0&queue_text=grub2.04-signed

Dimitri John Ledkov (xnox) wrote :

Testing the demo package

1) downgrades fail

2) grub-install is not run upon a downgrade

3) upgrades to be tested.

Changed in grub2 (Ubuntu):
status: New → Fix Released
description: updated
Changed in grub2 (Ubuntu Bionic):
status: New → In Progress
Changed in grub2 (Ubuntu Focal):
status: New → In Progress
description: updated
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted grub2.04-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2.04-signed/1.143 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-focal
affects: grub2 (Ubuntu) → grub2.04-signed (Ubuntu)
Changed in grub2.04-signed (Ubuntu Focal):
status: In Progress → Fix Committed
Steve Langasek (vorlon) wrote :

Why does the grub2.04 source ship a separate postinst that differs in content from the one in grub-efi-amd64-signed in focal? I am concerned about the implications for this being out of sync and possibly missing future bugfixes from focal SRUs.

Changed in grub2.04-signed (Ubuntu Bionic):
status: In Progress → Incomplete
Dimitri John Ledkov (xnox) wrote :

grub2.04-signed in bionic must be compatible with grub-common as shipped in bionic.

grub2-signed 1.142.10 in focal calls /usr/share/grub/grub-check-signatures & /usr/lib/grub/grub-multi-install scripts, which are shipped by grub-common in focal, and not available in bionic.

Thus grub2.04-signed in bionic cannot use the same postinst as grub2-signed in focal.

The origin of the grub2.04-signed is closer to shim-signed bionic postinst, specifically the sanity checks and calling grub-install, for both arm64 & amd64. But not doing any calls to update-secureboot-policy.

PS: Looking closer at grub2-signed 1.142.10 in focal, it only provides a postinst for amd64 and doesn't provide one for arm64, which is an oversight.

Changed in grub2.04-signed (Ubuntu Bionic):
status: Incomplete → In Progress
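
The compatibility constraint described in the comment above, as an added example that is not part of the bug report or of any packaged postinst: a dry-run planner that reports which install path a maintainer script could take on a given tree. The helper paths and grub-install flags are the ones quoted in this bug; the function names, the ROOT prefix, the plan strings and the ESP directory check are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the packaged postinst. Helper paths and the
# grub-install flags are quoted from this bug; function names, ROOT and
# the plan strings are hypothetical.

# Map a machine name (as printed by uname -m) to the grub EFI target
# used in the test case.
efi_target() {
    case "$1" in
        x86_64)  echo x86_64-efi ;;
        aarch64) echo arm64-efi ;;
        *)       return 1 ;;
    esac
}

# Decide what a postinst could do on the tree rooted at $1 for machine $2.
# Prints exactly one plan and never installs anything.
postinst_plan() {
    root=$1
    machine=$2
    target=$(efi_target "$machine") || { echo "skip-unsupported-arch"; return 0; }

    # Assumed sanity check: only act where the ubuntu ESP directory exists.
    if [ ! -d "$root/boot/efi/EFI/ubuntu" ]; then
        echo "skip-no-esp"
        return 0
    fi

    # focal's grub-common ships both helpers; bionic's grub-common does not,
    # so a bionic build has to fall back to calling grub-install directly.
    if [ -e "$root/usr/share/grub/grub-check-signatures" ] &&
       [ -e "$root/usr/lib/grub/grub-multi-install" ]; then
        echo "focal-helpers"
    else
        echo "grub-install --target $target --uefi-secure-boot"
    fi
}

# Dry run against the running system (or the tree named by ROOT).
postinst_plan "${ROOT:-}" "$(uname -m)"
```
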
Dimitri John Ledkov (xnox) wrote :

I somewhat want to call this a failed attempt.

Does not future-proof against any number of rebuilds.

Does not provide support for -dbg modules.

tags: added: verification-failed verification-failed-focal
removed: verification-needed verification-needed-focal
Mathew Hodson (mhodson)
Changed in grub2.04-signed (Ubuntu):
importance: Undecided → Wishlist
Changed in grub2.04-signed (Ubuntu Bionic):
importance: Undecided → Wishlist
Changed in grub2.04-signed (Ubuntu Focal):
importance: Undecided → Wishlist
tags: added: upgrade-software-version
Steve Langasek (vorlon) wrote : Proposed package removed from archive

The version of grub2.04-signed in the proposed pocket of Focal that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in grub2.04-signed (Ubuntu Focal):
status: Fix Committed → Won't Fix