* Fix backport mistake that caused grub.cfg not to be created in $efidir
if UEFI Secure Boot is enabled.
* When installing to removable media with UEFI Secure Boot, install
gcdx64.efi.signed rather than grubx64.efi.signed.
* Make gcdx64.efi.signed fall back to sourcing $prefix/grub.cfg if
$prefix/x86_64-efi/grub.cfg is missing, as is likely when using
'grub-install --removable'.
* Backport several changes to support Secure Boot patches.
* Add Secure Boot patches from Ubuntu 12.10 and Fedora (LP: #1075181):
- Don't permit loading modules on UEFI secure boot.
- Add efifwsetup module to reboot into firmware setup menu.
- Add "linuxefi" loader which avoids ExitBootServices.
- Only build linuxefi on amd64.
- Make linuxefi refuse to boot without shim.
- Make the linux module call linuxefi when necessary, simplifying
configuration.
- If secure boot is enabled and the kernel is signed, linux will call
linuxefi to hand over to it without calling ExitBootServices.
- Otherwise, linux will fall through to previous code, call
ExitBootServices itself, and boot the kernel normally.
- Change linuxefi to return GRUB_ERR_ACCESS_DENIED rather than
GRUB_ERR_INVALID_COMMAND in the case of an invalid signature, to make
it easier to implement different handling of unsigned kernels in
future if necessary.
- Generate configuration for signed UEFI kernels if available.
- Install signed images if UEFI Secure Boot is enabled.
- Output a menu entry for firmware setup on UEFI FastBoot systems.
- Add some extra debugging to signed/unsigned kernel logic.
- On amd64, build two images for signing: one with prefix /EFI/BOOT for
use on removable media, and one with prefix /EFI/ubuntu (and with the
lvm, mdraid09, and mdraid1x modules added) for use on fixed disks.
-- Colin Watson <email address hidden> Mon, 10 Dec 2012 11:31:09 +0000
This bug was fixed in the package grub2 - 1.99-21ubuntu3.7
---------------
grub2 (1.99-21ubuntu3.7) precise-proposed; urgency=low
* Fix backport mistake that caused grub.cfg not to be created in $efidir
if UEFI Secure Boot is enabled.
* When installing to removable media with UEFI Secure Boot, install
gcdx64.efi.signed rather than grubx64.efi.signed.
* Make gcdx64.efi.signed fall back to sourcing $prefix/grub.cfg if
$prefix/x86_64-efi/grub.cfg is missing, as is likely when using
'grub-install --removable'.
grub2 (1.99-21ubuntu3.6) precise-proposed; urgency=low
* Fix backport mistake in patch to install signed images if UEFI Secure
Boot is enabled.
grub2 (1.99-21ubuntu3.5) precise-proposed; urgency=low
* Backport several changes to support Secure Boot patches.
* Add Secure Boot patches from Ubuntu 12.10 and Fedora (LP: #1075181):
- Don't permit loading modules on UEFI secure boot.
- Add efifwsetup module to reboot into firmware setup menu.
- Add "linuxefi" loader which avoids ExitBootServices.
- Only build linuxefi on amd64.
- Make linuxefi refuse to boot without shim.
- Make the linux module call linuxefi when necessary, simplifying
configuration.
- If secure boot is enabled and the kernel is signed, linux will call
linuxefi to hand over to it without calling ExitBootServices.
- Otherwise, linux will fall through to previous code, call
ExitBootServices itself, and boot the kernel normally.
- Change linuxefi to return GRUB_ERR_ACCESS_DENIED rather than
GRUB_ERR_INVALID_COMMAND in the case of an invalid signature, to make
it easier to implement different handling of unsigned kernels in
future if necessary.
- Generate configuration for signed UEFI kernels if available.
- Install signed images if UEFI Secure Boot is enabled.
- Output a menu entry for firmware setup on UEFI FastBoot systems.
- Add some extra debugging to signed/unsigned kernel logic.
- On amd64, build two images for signing: one with prefix /EFI/BOOT for
use on removable media, and one with prefix /EFI/ubuntu (and with the
lvm, mdraid09, and mdraid1x modules added) for use on fixed disks.
-- Colin Watson <email address hidden> Mon, 10 Dec 2012 11:31:09 +0000