ubuntu must support upgrading images with grub in removable path

Bug #1923635 reported by Dimitri John Ledkov


Affects               Status      Importance  Assigned to  Milestone
grub2 (Ubuntu)        Incomplete  Undecided   Unassigned
shim (Ubuntu)         Incomplete  Undecided   Unassigned
shim-signed (Ubuntu)  Incomplete  Undecided   Unassigned

Bug Description

ubuntu must support upgrading images with grub in removable path

Currently whilst we install shim into removable path, we never upgrade grubx64.efi in the removable path.

This leads to inconsistent behavior, where upgraded shim will boot grubx64.efi from /boot/grubx64.efi which might lack sbat sections and thus will not boot.

Either we need to support upgrading grubx64.efi in /boot/*.efi, or remove it whenever we install new shim into /boot/bootx64.efi.
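A check for the state the description above names, written here as an added example (not Ubuntu's shim or grub packaging code, and not anything the reporter posted): it reads the PE/COFF section table of the grubx64.efi in the removable path (EFI/BOOT) and of the one in EFI/ubuntu and reports whether the removable copy lacks an .sbat section, or carries an older grub SBAT generation than the distro copy. It assumes the ESP is mounted at /boot/efi; the build_pe helper only fabricates minimal, non-bootable PE images with a constructed SBAT payload so the check can be exercised offline.

```python
#!/usr/bin/env python3
"""Audit the ESP for the inconsistency this bug describes: a grubx64.efi in the
removable path (EFI/BOOT) lacking the .sbat section that the EFI/ubuntu copy has.
Hypothetical example, not part of Ubuntu's shim or grub packaging; it parses the
PE/COFF section table itself so no external tools are required.
"""
import struct
from pathlib import Path

# Assumption: the ESP is mounted at /boot/efi, the Ubuntu default.
ESP = Path("/boot/efi")
REMOVABLE_GRUB = ESP / "EFI" / "BOOT" / "grubx64.efi"
DISTRO_GRUB = ESP / "EFI" / "ubuntu" / "grubx64.efi"


def pe_sections(data: bytes):
    """Yield (name, raw_offset, raw_size) for every section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # start of the COFF file header
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # section table follows the optional header
    for i in range(num_sections):
        hdr = table + i * 40                 # each section header is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        yield name, raw_ptr, raw_size


def sbat_entries(data: bytes):
    """Return the SBAT CSV rows from the .sbat section, or None when there is none."""
    for name, ptr, size in pe_sections(data):
        if name == ".sbat":
            text = data[ptr:ptr + size].rstrip(b"\0").decode("utf-8", "replace")
            return [line.split(",") for line in text.splitlines() if line.strip()]
    return None


def component_generation(rows, component: str) -> int:
    """Generation number of one SBAT component (field 2 of its row); 0 if missing."""
    for row in rows:
        if row[0] == component and len(row) > 1 and row[1].isdigit():
            return int(row[1])
    return 0


def check_removable_path(removable: bytes, distro: bytes) -> str:
    """Classify the removable-path grub against the distro-path grub."""
    rem, dist = sbat_entries(removable), sbat_entries(distro)
    if rem is None and dist is None:
        return "no-sbat-anywhere"
    if rem is None:
        return "removable-lacks-sbat"        # exactly the state the bug describes
    if dist is None:
        return "ok"
    if component_generation(rem, "grub") < component_generation(dist, "grub"):
        return "removable-outdated"
    return "ok"


def build_pe(sections: dict) -> bytes:
    """Build a minimal, non-bootable PE image with the given sections (constructed test data)."""
    table_off = 0x40 + 4 + 20                # DOS header + "PE\0\0" + COFF header, no optional header
    data_off = table_off + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C points at "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2022)
    table, blobs = b"", b""
    for name, body in sections.items():
        table += (name.encode().ljust(8, b"\0")
                  + struct.pack("<IIII", len(body), 0x1000, len(body), data_off + len(blobs))
                  + b"\0" * 12 + struct.pack("<I", 0x40000040))
        blobs += body
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed SBAT payload in the documented CSV layout
# (component, generation, vendor, package, version, url).
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n")


if __name__ == "__main__":
    if REMOVABLE_GRUB.exists() and DISTRO_GRUB.exists():
        print(check_removable_path(REMOVABLE_GRUB.read_bytes(), DISTRO_GRUB.read_bytes()))
    else:
        # Offline demonstration on constructed images: an old grub without .sbat in
        # the removable path, a new grub with .sbat in EFI/ubuntu.
        old = build_pe({".text": b"\x90" * 16})
        new = build_pe({".text": b"\x90" * 16, ".sbat": SAMPLE_SBAT})
        print(check_removable_path(old, new))   # removable-lacks-sbat
```

Run it as root on a machine whose ESP is mounted at /boot/efi; a result of "removable-lacks-sbat" is the situation where a firmware that boots EFI/BOOT/bootx64.efi will hand an SBAT-enforcing shim a grub it refuses, and the fix is either to copy the EFI/ubuntu grubx64.efi over the removable one or to remove the stale copy so shim's fallback path is taken.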

information type: Public → Public Security
Steve Langasek (vorlon) wrote :

Why is this a "must"? After the recent changes to the cloud images, the only places where we are installing grub to the removable path are the install images, and grub doesn't get upgraded on those.

Dimitri John Ledkov (xnox) wrote :

When upgrading shim-signed, it will install new shim in /boot/bootx64.efi and in /ubuntu/shimx64.efi, it will also install grub with sbat section to /ubuntu/grubx64.efi.

If the machine was booting /boot/grubx64.efi before, it will fail, as /boot/grubx64.efi will remain an old one without sbat section.

I am concerned about cloud images that were launched earlier than like March 2020 and are applying upgrades, resulting in failure to boot.

I shall test this out, cause hopefully/maybe if boot/grubx64.efi fails to verify, fallback is activated.

Mate Kukri (mkukri) wrote :

Years have passed and there do not seem to be many reports of breakage caused by this.

Should we consider this to still be a problem, or can this be closed?

Changed in grub2 (Ubuntu):
status: New → Incomplete
Changed in shim (Ubuntu):
status: New → Incomplete
Changed in shim-signed (Ubuntu):
status: New → Incomplete