Call for testing: grub2 security updates

Bug #1917509 reported by Steve Beattie
Affects: Status / Importance / Assigned to / Milestone
grub2 (Ubuntu): Fix Released / Undecided / Unassigned / (none)
grub2-signed (Ubuntu): Fix Released / Undecided / Unassigned / (none)
grub2-unsigned (Ubuntu): Fix Released / Undecided / Unassigned / (none)

Bug Description

Several security issues were announced on 2021-03-02, see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021 for details.

As part of this update, a large number of changes were incorporated, both in grub2 and how it is packaged. Updates will initially be published to the -proposed pockets of each release. Testing is greatly appreciated and feedback can be collected on this bug report.

[XXX Fill in information on how to enable proposed and install grub updates here]

Alex Murray (alexmurray) wrote :

On my local bare metal groovy install I tested upgrading to the new grub binaries from groovy-proposed, and after a reboot my machine successfully booted. I have tried to generalise the instructions for doing this so they can be used on any release:

# enable use of -proposed as per https://wiki.ubuntu.com/Testing/EnableProposed
cat <<EOF | sudo tee /etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# only selectively upgrade from -proposed
cat <<EOF | sudo tee /etc/apt/preferences.d/proposed-updates
# Configure apt to allow selective installs of packages from proposed
Package: *
Pin: release a=$(lsb_release -cs)-proposed
Pin-Priority: 400
EOF

# get list of packages in -proposed
sudo apt update

# update standard grub2 packages from -proposed
sudo apt install \
     grub-efi-amd64-bin/"$(lsb_release -cs)"-proposed \
     grub-efi-amd64-signed/"$(lsb_release -cs)"-proposed \
     grub2-common/"$(lsb_release -cs)"-proposed \
     grub-pc/"$(lsb_release -cs)"-proposed \
     grub-pc-bin/"$(lsb_release -cs)"-proposed \
     grub-common/"$(lsb_release -cs)"-proposed

sudo reboot

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu):
status: New → Confirmed
Changed in grub2-signed (Ubuntu):
status: New → Confirmed
Changed in grub2-unsigned (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :

I have successfully tested these grub2 updates on groovy, focal, bionic, and xenial bare metal machines with efi + secure boot, as well as a bionic efi system with secure boot disabled. All worked and things like grub menus continued to work.

On trusty/esm with the grub packages from esm-infra-security-staging installed, the grub menu no longer displays on boot, but keypresses are registered by the menu system and the system will continue to boot if the grub timeout is allowed to occur. See bug 1917529.

Thanks.

Andreas Schildbach (schildbach) wrote :

On a focal system all up-to-date, I installed these updates (and only these) from focal-proposed, and everything seems fine. System is booting as normal.

grub-common/focal-proposed 2.04-1ubuntu26.11 amd64 [upgradable from: 2.04-1ubuntu26.9]
grub-efi-amd64-bin/focal-proposed 2.04-1ubuntu42 amd64 [upgradable from: 2.04-1ubuntu26.9]
grub-efi-amd64-signed/focal-proposed 1.164+2.04-1ubuntu42 amd64 [upgradable from: 1.142.11+2.04-1ubuntu26.9]
grub-efi-amd64/focal-proposed 2.04-1ubuntu42 amd64 [upgradable from: 2.04-1ubuntu26.9]
grub2-common/focal-proposed 2.04-1ubuntu26.11 amd64 [upgradable from: 2.04-1ubuntu26.9]

Kleber Sacilotto de Souza (kleber-souza) wrote :

The grub2 in xenial-proposed seems to break at least on arm64 on the autopkgtest environment:

https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/arm64/l/linux-hwe/20210309_043356_9f6d6@/log.gz

--
[...]
Setting up grub-common (2.02~beta2-36ubuntu3.31) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Setting up grub-efi-arm64-bin (2.04-1ubuntu42) ...
Setting up grub2-common (2.02~beta2-36ubuntu3.31) ...
Setting up grub-efi-arm64 (2.04-1ubuntu42) ...
Installing for arm64-efi platform.
grub-install: error: relocation 0x113 is not implemented yet.
Failed: grub-install --target=arm64-efi
WARNING: Bootloader is not properly installed, system may not be bootable
Generating grub configuration file ...
Warning: Setting GRUB_TIMEOUT to a non-zero value when GRUB_HIDDEN_TIMEOUT is set is no longer supported.
Found linux image: /boot/vmlinuz-4.4.0-204-generic
Found initrd image: /boot/initrd.img-4.4.0-204-generic
Found linux image: /boot/vmlinuz-4.4.0-203-generic
Found initrd image: /boot/initrd.img-4.4.0-203-generic
Adding boot menu entry for EFI firmware configuration
done
Setting up grub-efi-arm64-signed (1.164+2.04-1ubuntu42) ...
Installing for arm64-efi platform.
grub-install: error: relocation 0x113 is not implemented yet.
dpkg: error processing package grub-efi-arm64-signed (--configure):
 subprocess installed post-installation script returned error exit status 1

Dimitri John Ledkov (xnox) wrote :

@kleber that is known, and being worked on.

It seems that one has upgraded grub2-signed without upgrading grub2. We are adding more strict dependencies to mitigate that.
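
Added example, not part of the bug report, of Alex Murray's instructions, or of the grub2 packages themselves: a few shell checks to run after installing the packages from -proposed as described in Alex Murray's comment above, before rebooting. They catch the simplest mixed-pocket state (a grub-efi-<arch>-signed package that does not match the installed grub-efi-<arch>-bin) and the stale bootloader copy that a failed grub-install, like the one in Kleber's log, leaves on the ESP. It assumes the version convention visible in the package lists quoted in this thread (grub-efi-amd64-signed 1.164+2.04-1ubuntu42 is built from grub-efi-amd64-bin 2.04-1ubuntu42, i.e. the part after the '+' names the bin version), and the standard paths /usr/lib/grub/<target>-signed/ and /boot/efi/EFI/ubuntu/. The function names and the sample listings are mine.

```shell
#!/bin/sh
# Added example, not from the bug report or the grub2 packaging: sanity
# checks to run after installing the one-grub packages from -proposed.
# Assumptions (taken from the package versions quoted in this thread):
#  - grub-efi-<arch>-signed's version carries, after the '+', the version
#    of the grub-efi-<arch>-bin it was built from (1.164+2.04-1ubuntu42
#    was built from 2.04-1ubuntu42);
#  - grub-install copies the signed image from /usr/lib/grub/<target>-signed/
#    to /boot/efi/EFI/ubuntu/, so the two files should be byte-identical.
set -u

# 0 if the '+'-suffix of the signed package version equals the bin version.
signed_matches_bin() {
    signed_ver=$1
    bin_ver=$2
    [ "${signed_ver#*+}" = "$bin_ver" ]
}

# $1: output of  dpkg-query -W -f='${Package} ${Version}\n'  ("pkg version"
# per line); $2: dpkg architecture. Prints a verdict; 0 only if consistent.
check_signed_vs_bin() {
    listing=$1
    arch=$2
    bin_ver=$(printf '%s\n' "$listing" | awk -v p="grub-efi-$arch-bin" '$1 == p { print $2 }')
    signed_ver=$(printf '%s\n' "$listing" | awk -v p="grub-efi-$arch-signed" '$1 == p { print $2 }')
    if [ -z "$bin_ver" ] || [ -z "$signed_ver" ]; then
        echo "missing grub-efi-$arch-bin or grub-efi-$arch-signed"
        return 1
    fi
    if signed_matches_bin "$signed_ver" "$bin_ver"; then
        echo "ok: $signed_ver was built from $bin_ver"
        return 0
    fi
    echo "MISMATCH: signed $signed_ver does not match bin $bin_ver (mixed pockets?)"
    return 1
}

# 0 if the image on the ESP ($1) is byte-identical to the package copy ($2).
# A stale ESP copy is what a failed grub-install leaves behind.
esp_matches_package() {
    esp_file=$1
    pkg_file=$2
    [ -f "$esp_file" ] && [ -f "$pkg_file" ] && cmp -s "$esp_file" "$pkg_file"
}

# Live check on the running system (hypothetical helper name); run as root
# after 'apt install' and before 'reboot'.
grub_post_update_check() {
    arch=$(dpkg --print-architecture)
    case $arch in
        amd64) target=x86_64-efi; image=grubx64.efi ;;
        arm64) target=arm64-efi;  image=grubaa64.efi ;;
        *) echo "no signed-image check for $arch"; return 1 ;;
    esac
    listing=$(dpkg-query -W -f='${Package} ${Version}\n' \
        "grub-efi-$arch-bin" "grub-efi-$arch-signed" 2>/dev/null || true)
    check_signed_vs_bin "$listing" "$arch" || return 1
    if esp_matches_package "/boot/efi/EFI/ubuntu/$image" \
                           "/usr/lib/grub/$target-signed/$image.signed"; then
        echo "ok: ESP $image matches the packaged signed image"
    else
        echo "ESP $image differs from the packaged image; rerun grub-install"
        return 1
    fi
    # Report Secure Boot state so the test result can be filed accurately.
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state
    fi
    return 0
}
```

The first two functions are pure, so they can be fed any dpkg-query listing (for example one captured from a machine in the mixed state) without touching the system; only grub_post_update_check reads live package and ESP state, and it deliberately stops at the first inconsistency so the reboot can be postponed.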

Dimitri John Ledkov (xnox) wrote :

@kleber this has been fixed in xenial & bionic now. Retriggering tests against grub2-signed alone, should all work now.

Dimitri John Ledkov (xnox) wrote :

I've marked the SRU bug reports as verification-done; there was positive test feedback from Certification too. We are in a position to start releasing the one-grub updates to at least some series in stages.

Steve Beattie (sbeattie) wrote :

These have all been published to the security pockets for bionic and newer, closing out this bug.

Changed in grub2 (Ubuntu):
status: Confirmed → Fix Released
Changed in grub2-signed (Ubuntu):
status: Confirmed → Fix Released
Changed in grub2-unsigned (Ubuntu):
status: Confirmed → Fix Released