Hi Julian,

On 21/08/2024 12:16, Julian Andres Klode wrote:
Source: grub2
Version: 2.12-5ubuntu4
Severity: wishlist
X-Debbugs-Cc: j...@debian.org, debian-rele...@lists.debian.org

(RT: This discusses the strategy to reduce regression risk for
stable releases when we need to move towards new grub versions
for security support)

This is mostly for discussion but as you are well aware, maintaining
security support for grub can be challenging, the last big update, we
instead backported the new grub to old releases.

Issue statements:

1. Backporting the entire grub generates undue regression potential for
platforms that don't have a secure boot workflow, such as BIOS systems.
In Ubuntu, the signed EFI targets were split out into a grub2-unsigned
package specifically to avoid having to update BIOS and other targets
for security updates.

2. This isn't enough though, we know 2.12 is causing more regressions
and we might be able to support 2.06, so we'd want new systems to
install 2.12, but existing systems to stay on 2.06 even for signed
targets.

3. On the flip side, some other targets that are not signed might need
fixes for new hardware too, and you might want to install e.g.
grub2.14's BIOS target because grub2.12 doesn't work reliably.

It is a bit hard to solve this now for 2.12, and 2.14 may come soon,
hence let me propose the following implementation for 2.14 and how
backports of 2.16/2.18 to trixie can then work:

We split src:grub2 into src:grub-defaults and src:grub2.14. The
src:grub-defaults builds the meta packages, and src:grub2.14 builds
the target binaries, e.g.

     src:grub-defaults builds

         grub-common
         grub-efi-amd64
         grub-efi-amd64-signed
         grub-efi-amd64-unsigned
         grub-pc
         and so on

     src:grub2.14 builds

         grub2.14-common
         grub2.14-efi-amd64-bin
         grub2.14-efi-amd64-unsigned
         grub2.14-efi-amd64-signed (via signing template)
         grub2.14-pc-bin
         and so on

The meta package structure looks like this:


     Package: grub-efi-amd64
     Depends: grub-efi-amd64-signed | grub-efi-amd64-unsigned
     Protected: yes

     Package: grub-efi-amd64-signed
     Depends: grub2.14-efi-amd64-signed
     Protected: yes

     Package: grub-efi-amd64-unsigned
     Depends: grub2.14-efi-amd64-unsigned
     Protected: yes

     Package: grub-pc
     Depends: grub2.14-pc-bin
     Protected: yes

All the targets are Protected: yes to protect them from being removed,
and the signed and unsigned package are too to protect that choice.

Now grub 2.16 comes along, and we end security support for 2.14, the
patches are too hard to backport:

     Package: grub-efi-amd64
     Depends: grub-efi-amd64-signed | grub-efi-amd64-unsigned
     Protected: yes

     Package: grub-efi-amd64-signed
     Depends: grub2.16-efi-amd64-signed
     Protected: yes
     ^ everyone with signed binary needs to upgrade

     Package: grub-efi-amd64-unsigned
     Depends: grub2.16-efi-amd64-unsigned | grub2.14-efi-amd64-unsigned
     Protected: yes
     ^ new installs get 2.16, old installs remain on 2.14

     Package: grub-pc
     Depends: grub2.16-pc-bin | grub2.14-pc-bin
     Protected: yes
     ^ new installs get 2.16, old installs remain on 2.14

Now grub 2.18 comes along and has huge regression potential, but we can
still security support 2.16, so we do it different:

     Package: grub-efi-amd64-signed
     Depends: grub2.18-efi-amd64-signed | grub2.16-efi-amd64-signed
     Protected: yes
     ^ new installs get 2.18, existing systems can stay on 2.16 for now

     Package: grub-efi-amd64-unsigned
     Depends: grub2.18-efi-amd64-unsigned | grub2.16-efi-amd64-unsigned | 
grub2.14-efi-amd64-unsigned
     Protected: yes
     ^ new installs get 2.18, existing systems can stay on 2.16 or 2.14

     Package: grub-pc
     Depends: grub2.18-pc-bin | grub2.16-pc-bin | grub2.14-pc-bin
     Protected: yes
     ^ new installs get 2.18, existing systems can stay on 2.16 or 2.14

I carefully constructed this so that we can move the ownership of
running grub-install to the grub-efi-amd64 package and use triggers
for any of the other packages.

This sounds like a reasonable approach to me.

Cheers,
Emilio

Reply via email to