ubuntu must support upgrading images with grub in removable path

Bug #1923635 reported by Dimitri John Ledkov
Affects                Status   Importance   Assigned to   Milestone
grub2 (Ubuntu)         New      Undecided    Unassigned
shim (Ubuntu)          New      Undecided    Unassigned
shim-signed (Ubuntu)   New      Undecided    Unassigned

Bug Description

ubuntu must support upgrading images with grub in removable path

Currently, whilst we install shim into the removable path, we never upgrade grubx64.efi in the removable path.

This leads to inconsistent behavior, where an upgraded shim will boot grubx64.efi from /boot/grubx64.efi, which might lack sbat sections and thus will not boot.

Either we need to support upgrading grubx64.efi in /boot/*.efi, or remove it whenever we install a new shim into /boot/bootx64.efi.
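
A defender-side check for the state this report describes, added here as an example (it is not code from the bug report or from Ubuntu's shim/grub packaging): it reads the PE/COFF section table of both grubx64.efi copies on the ESP and reports when the removable-path copy has no .sbat section while the ubuntu-path copy does. The ESP paths are the Ubuntu defaults and are assumptions; fake_pe builds a constructed minimal image so the check can be exercised offline.

```python
"""Check whether EFI PE images on the ESP carry a .sbat section.
Added example, not from the bug report or Ubuntu packaging; the ESP paths are assumed."""
import struct
from pathlib import Path

# Assumed Ubuntu ESP layout: removable path vs. the distro (ubuntu) path.
REMOVABLE_GRUB = Path("/boot/efi/EFI/BOOT/grubx64.efi")
UBUNTU_GRUB = Path("/boot/efi/EFI/ubuntu/grubx64.efi")

def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE/COFF image (raises on malformed input)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header at pe_off+4: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsect):
        raw = data[table + 40 * i:table + 40 * i + 8]  # 40-byte entries, 8-byte name
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def has_sbat(data: bytes) -> bool:
    """shim checks the .sbat section of the image it loads; missing means no boot."""
    return ".sbat" in pe_section_names(data)

def removable_path_status(removable: bytes, ubuntu: bytes) -> str:
    """Classify the state the bug describes: ubuntu path upgraded, removable path stale."""
    r, u = has_sbat(removable), has_sbat(ubuntu)
    if r and u:
        return "ok: both grub images carry .sbat"
    if u and not r:
        return "stale: removable-path grubx64.efi lacks .sbat (bug #1923635)"
    return "no-sbat: neither image carries .sbat"

def fake_pe(section_names) -> bytes:
    """Constructed minimal PE image for offline testing (not a real bootloader)."""
    hdr = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature offset
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(hdr) + b"PE\0\0" + coff + secs

if __name__ == "__main__":
    print(removable_path_status(REMOVABLE_GRUB.read_bytes(), UBUNTU_GRUB.read_bytes()))
```

Run it as root on a machine that has both copies; a "stale" result is the configuration in which an upgraded shim falls back to a grub image it will refuse to load.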

information type: Public → Public Security
Steve Langasek (vorlon) wrote :

Why is this a "must"? After the recent changes to the cloud images, the only places where we are installing grub to the removable path are the install images, and grub doesn't get upgraded on those.

Dimitri John Ledkov (xnox) wrote :

When upgrading shim-signed, it will install new shim in /boot/bootx64.efi and in /ubuntu/shimx64.efi, it will also install grub with sbat section to /ubuntu/grubx64.efi.

If the machine was booting /boot/grubx64.efi before, it will fail, as /boot/grubx64.efi will remain an old one without sbat section.

I am concerned about cloud images that were launched earlier than like March 2020 and are applying upgrades, resulting in failure to boot.

I shall test this out, because hopefully/maybe if boot/grubx64.efi fails to verify, fallback is activated.
