[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2019-02-04 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2 - 2.02~beta2-9ubuntu1.16

---
grub2 (2.02~beta2-9ubuntu1.16) trusty; urgency=medium

  [ Ivan Hu ]
  * debian/patches/0001-i386-linux-Add-support-for-ext_lfb_base.patch:
    Add support for ext_lfb_base. (LP: #1785033)

  [ dann frazier ]
  * Add grub2/update_nvram template to allow users to disable NVRAM
    updates during package upgrades (LP: #1642298).

  [ Mathieu Trudel-Lapierre ]
  * debian/patches: Rework linuxefi/SecureBoot support and sync with upstream
    SB patch set: (LP: #1696599)
    - linuxefi_backport_arm64.patch: backport basic arm64 chainload/linux
      command support from 17.04.
    - linuxefi_arm_sb_support.patch: add Secure Boot support for arm for its
      chainloader.
    - linuxefi_fix_validation_race.patch: Fix a race in validating images.
    - linuxefi_chainloader_path.patch: honor the starting path for grub, so
      images do not need to be started from $root.
    - linuxefi_chainloader_sb.patch: Fix some more issues in chainloader use
      when Secure Boot is enabled.
    - linuxefi_loaders_enforce_sb.patch: Enforce Secure Boot policy for all
      loaders: don't load the commands when Secure Boot is enabled.
    - linuxefi_re-enable_linux_cmd.patch: Since we rely on the linux and
      initrd commands to automatically hand-off to linuxefi/initrdefi;
      re-enable the linux loader.
    - linuxefi_chainloader_pe_fixes.patch: PE parsing fixes for chainloading
      "special" PE images, such as Windows'.
    - linuxefi_rework_non-sb_cases.patch: rework cases where Secure Boot is
      disabled or shim validation is disabled so loading works as EFI binaries
      when it is supposed to.
    - Removed linuxefi_require_shim.patch; superseded by the above.
    - Removed linuxefi_amd64_only.patch; superseded by the above.
    - Refreshed patches.
  * debian/rules: disable the use of -Werror while building grub; the EFI
    patches have subtle cases which trip it up unnecessarily.
  * debian/patches/arm64-set-correct-length-of-device-path-end-entry.patch:
    dropped; included in linuxefi_backport_arm64.patch.
  * debian/patches/linuxefi_fix_relocate_coff.patch: fix typo in
    relocate_coff() causing issues with relocation of code in chainload.
    (LP: #1792575)
  * debian/patches/linuxefi_truncate_overlong_relocs.patch: The Windows
    7 bootloader has inconsistent headers; truncate to the smaller, correct
    size to fix chainloading Windows 7. (LP: #1792575)

 -- Mathieu Trudel-Lapierre   Tue, 08 Jan 2019 12:36:49 -0500

** Changed in: grub2 (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** Changed in: grub2-signed (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1696599

Title:
  backport/sync UEFI, Secure Boot support

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1696599/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2019-02-04 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-signed - 1.34.18

---
grub2-signed (1.34.18) trusty; urgency=medium

  * Rebuild against grub-efi-amd64 2.02~beta2-9ubuntu1.16
    (LP: #1785033) (LP: #1642298) (LP: #1696599) (LP: #1792575)

 -- Mathieu Trudel-Lapierre   Wed, 09 Jan 2019 09:11:55 -0500


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2019-01-25 Thread Mathieu Trudel-Lapierre
Verification-done for trusty for grub2 and grub2-signed:

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version                        Architecture Description
+++-=====================-==============================-============-================================================================
ii  grub-efi-amd64        2.02~beta2-9ubuntu1.16         amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii  grub-efi-amd64-signed 1.34.18+2.02~beta2-9ubuntu1.16 amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)


Chainloading works correctly now, and normal loading of a Linux kernel to boot 
to Ubuntu also works correctly. Loading an unsigned kernel is still allowed, 
but debug mode does show the expected verification behavior happening at boot.

** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done-trusty


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2019-01-15 Thread Brian Murray
Hello Mathieu, or anyone else affected,

Accepted grub2 into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.16 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-trusty to verification-done-trusty. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-trusty. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: grub2 (Ubuntu Trusty)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-trusty

** Changed in: grub2-signed (Ubuntu Trusty)
   Status: In Progress => Fix Committed


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2019-01-09 Thread Mathieu Trudel-Lapierre
** Changed in: grub2 (Ubuntu Trusty)
   Status: Won't Fix => In Progress

** Changed in: grub2-signed (Ubuntu Trusty)
   Status: Won't Fix => In Progress


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2019-01-08 Thread Mathieu Trudel-Lapierre
I think we'll need to backport the UEFI Secure Boot patches to trusty
after all -- there's a large number of changes in them, but it seems
better than attempting to adapt other patches (such as Windows 7/10
chainloading fixes with new shim, and memory truncation fixes). Having
the patchset at the same level will make it easier to support Secure
Boot on trusty. At least with the same patches we can quickly issue
security fixes if there are any issues, as the code will be roughly the
same as for other releases.


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2018-08-14 Thread Steve Langasek
Superseded by LP: #1708245 for trusty.

** Changed in: grub2 (Ubuntu Trusty)
   Status: New => Won't Fix

** Changed in: grub2-signed (Ubuntu Trusty)
   Status: New => Won't Fix


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-28 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.12

---
grub2 (2.02~beta2-36ubuntu3.12) xenial; urgency=medium

  * debian/patches: Rework linuxefi/SecureBoot support and sync with upstream
    SB patch set: (LP: #1696599)
    - linuxefi_backport_arm64.patch: backport basic arm64 chainload/linux
      command support from 17.04.
    - linuxefi_arm_sb_support.patch: add Secure Boot support for arm for its
      chainloader.
    - linuxefi_fix_validation_race.patch: Fix a race in validating images.
    - linuxefi_chainloader_path.patch: honor the starting path for grub, so
      images do not need to be started from $root.
    - linuxefi_chainloader_sb.patch: Fix some more issues in chainloader use
      when Secure Boot is enabled.
    - linuxefi_loaders_enforce_sb.patch: Enforce Secure Boot policy for all
      loaders: don't load the commands when Secure Boot is enabled.
    - linuxefi_re-enable_linux_cmd.patch: Since we rely on the linux and
      initrd commands to automatically hand-off to linuxefi/initrdefi;
      re-enable the linux loader.
    - linuxefi_chainloader_pe_fixes.patch: PE parsing fixes for chainloading
      "special" PE images, such as Windows'.
    - linuxefi_rework_non-sb_cases.patch: rework cases where Secure Boot is
      disabled or shim validation is disabled so loading works as EFI binaries
      when it is supposed to.
    - Removed linuxefi_require_shim.patch; superseded by the above.
      (LP: #1689687)
  * debian/patches/git_tsc_use_alt_delay_sources_d43a5ee6.patch: refreshed.
  * debian/patches/arm64-set-correct-length-of-device-path-end-entry.patch:
    dropped; included in linuxefi_backport_arm64.patch.

 -- Mathieu Trudel-Lapierre   Thu, 08 Jun 2017 10:16:17 -0700

** Changed in: grub2 (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: Fix Committed => Fix Released



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-28 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-signed - 1.66.12

---
grub2-signed (1.66.12) xenial; urgency=medium

  * Rebuild against grub2 2.02~beta2-36ubuntu3.12. (LP: #1696599)

 -- Mathieu Trudel-Lapierre   Wed, 14 Jun 2017 14:39:30 -0400



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-28 Thread Mathieu Trudel-Lapierre
Finally got to verifying this for chainloading as well, on both xenial
and zesty -- marking xenial as verification-done now.

** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done-xenial



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-27 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2 - 2.02~beta3-4ubuntu2.2

---
grub2 (2.02~beta3-4ubuntu2.2) zesty; urgency=medium

  * debian/patches: Rework linuxefi/SecureBoot support and sync with upstream
    SB patch set: (LP: #1696599)
    - linuxefi_arm_sb_support.patch: add Secure Boot support for arm for its
      chainloader.
    - linuxefi_fix_validation_race.patch: Fix a race in validating images.
    - linuxefi_chainloader_path.patch: honor the starting path for grub, so
      images do not need to be started from $root.
    - linuxefi_chainloader_sb.patch: Fix some more issues in chainloader use
      when Secure Boot is enabled.
    - linuxefi_loaders_enforce_sb.patch: Enforce Secure Boot policy for all
      loaders: don't load the commands when Secure Boot is enabled.
    - linuxefi_re-enable_linux_cmd.patch: Since we rely on the linux and
      initrd commands to automatically hand-off to linuxefi/initrdefi;
      re-enable the linux loader.
    - linuxefi_chainloader_pe_fixes.patch: PE parsing fixes for chainloading
      "special" PE images, such as Windows'.
    - linuxefi_rework_non-sb_cases.patch: rework cases where Secure Boot is
      disabled or shim validation is disabled so loading works as EFI binaries
      when it is supposed to.
    - Removed linuxefi_require_shim.patch; superseded by the above.
      (LP: #1689687)

 -- Mathieu Trudel-Lapierre   Wed, 14 Jun 2017 14:44:48 -0400

** Changed in: grub2 (Ubuntu Zesty)
   Status: Fix Committed => Fix Released



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-27 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-signed - 1.80.2

---
grub2-signed (1.80.2) zesty; urgency=medium

  * Rebuild against grub2 2.02~beta3-4ubuntu2.2. (LP: #1696599)

 -- Mathieu Trudel-Lapierre   Wed, 14 Jun 2017 14:46:59 -0400

** Changed in: grub2-signed (Ubuntu Zesty)
   Status: Fix Committed => Fix Released



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-27 Thread Steve Langasek
** Changed in: grub2-signed (Ubuntu Yakkety)
   Status: Fix Committed => Won't Fix

** Changed in: grub2 (Ubuntu Yakkety)
   Status: Fix Committed => Won't Fix



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-24 Thread Mathieu Trudel-Lapierre
Verification-done for zesty with grub2 2.02~beta3-4ubuntu2.2 and
grub2-signed 1.80.2:

Booting in insecure mode, with Secure Boot enabled and with SB disabled
(but UEFI enabled) have been tested and all work as expected.

** Tags removed: verification-needed-zesty
** Tags added: verification-done-zesty



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-20 Thread Mathieu Trudel-Lapierre
** Tags removed: verification-failed

** Tags added: verification-needed-xenial verification-needed-zesty



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-07-20 Thread Mathieu Trudel-Lapierre
Verification-done for xenial with grub2 2.02~beta2-36ubuntu3.12 and
grub2-signed 1.66.12:

Booting behaves correctly with Secure Boot enabled or disabled; and when
Secure Boot is enabled but shim validation is disabled. Booting in the
chainload case could not be tested (I do not have a Windows key to test
with, will attempt to resolve this situation).



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-06-20 Thread Chris Halse Rogers
Hello Mathieu, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/grub2-signed/1.66.12 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: New => Fix Committed



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-06-20 Thread Chris Halse Rogers
Hello Mathieu, or anyone else affected,

Accepted grub2 into yakkety-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu11.4 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: grub2 (Ubuntu Yakkety)
   Status: New => Fix Committed

** Changed in: grub2 (Ubuntu Zesty)
   Status: New => Fix Committed



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-06-20 Thread Chris Halse Rogers
Hello Mathieu, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.12 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: grub2 (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed



[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-06-20 Thread Mathieu Trudel-Lapierre
I've updated the description to make the rationale clearer. This is a
general backport of the patchset coming from "upstream" (in this case,
being the "UEFI community" instead of GNU GRUB, and personified in this
git tree from fedora), which includes changes such as:

 - general cleanup and fixes (memory usage, etc.)
 - load arm with SB enabled
 - fixing a race in EFI validation (verifying Secure Boot signature for a
   kernel)
 - allow chainloading including the device part of the EFI boot path
   (chainloading across drives, for example)
 - honour Secure Boot in the chainloader (verify via Shim, not just EFI Boot
   Services)
 - avoid loading modules not permissible in Secure Boot
 - fixes for PE section alignment (mostly related to chainloading the Windows
   bootloader)
 - properly handle Secure Boot state when loading images (behaving correctly
   when Secure Boot validation in shim is disabled; correctly interpreting the
   result of shim's Secure Boot validation failing in the cases where SB is
   disabled in firmware vs. when it is disabled in shim or when not booting
   through shim)


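The Secure Boot states distinguished in the message above (SB disabled in firmware, SB enabled, SB enabled but shim validation disabled) can be read back from efivarfs after booting a test install. This is an added example, not part of the original thread or of the grub2 packaging; the function names and the constructed sample variables are assumptions, and it relies on efivarfs prefixing each variable with 4 attribute bytes and on shim exposing its validation state as MokSBStateRT.

```shell
#!/bin/sh
# Added example: classify the Secure Boot state of a booted system from efivarfs.
# efivarfs file layout: 4 bytes of attributes (little-endian), then the data.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c  # UEFI global variable GUID
SHIM_LOCK_GUID=605dab50-e046-4300-abb6-3dd810dd8b23   # shim's GUID for Mok* variables

# Print the first data byte of an efivarfs file as a decimal number,
# or "absent" if the variable is missing, unreadable or has no data.
efivar_byte() {
    f=$1
    [ -r "$f" ] || { echo absent; return 0; }
    # Skip the 4 attribute bytes, read exactly one data byte.
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] && echo "$v" || echo absent
}

# sb_state [EFIVARS_DIR] prints one of:
#   not-efi                              no efivarfs directory (BIOS boot)
#   sb-disabled                          EFI boot, Secure Boot off in firmware
#   sb-enabled                           Secure Boot on, shim validation on
#   sb-enabled-shim-validation-disabled  Secure Boot on, MokSBStateRT = 1
#   unknown                              unexpected SecureBoot value
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo not-efi; return 0; }
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID")
    mok=$(efivar_byte "$dir/MokSBStateRT-$SHIM_LOCK_GUID")
    case "$sb" in
        1)
            # MokSBStateRT absent (for example, not booted through shim)
            # is treated as "validation not disabled".
            if [ "$mok" = 1 ]; then
                echo sb-enabled-shim-validation-disabled
            else
                echo sb-enabled
            fi
            ;;
        0|absent) echo sb-disabled ;;
        *) echo unknown ;;
    esac
}

# Constructed sample data: write a fake efivarfs entry to path $1 with
# attributes 0x00000006 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS) followed by
# one data byte given as three octal digits in $2 (e.g. 001).
write_fake_var() {
    printf "\\006\\000\\000\\000\\$2" > "$1"
}

# Report the state of the running system (not-efi on a BIOS boot or in
# most containers), or of the directory given as the first argument.
sb_state "${1:-/sys/firmware/efi/efivars}"
```
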

[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-06-20 Thread Mathieu Trudel-Lapierre
** Description changed:

  [Impact]
- Since the implementation of UEFI Secure Boot in Ubuntu, there has been a 
large number of changes to the EFI patchset, handled "upstream" at 
https://github.com/vathpela/grub2-fedora/tree/sb. This is a complex set of 
enablement patches across a number of packages. Most of them will be fairly 
straightforward backports, but there are a few known warts:
+ Since the implementation of UEFI Secure Boot in Ubuntu, there has been a 
large number of changes to the EFI patchset, handled "upstream" at 
https://github.com/vathpela/grub2-fedora/tree/sb.
  
-  * The included patches are based on grub2 2.02~beta3; as such, some
+ This SRU is handled as a wholesale "sync" with a known set of patches
+ rather than individual cherry-picks given the high risk in cherry-
+ picking individual changes; we do not want to risk subtly breaking
+ Secure Boot support or introducing a security issue due to using
+ different sets of patches across our currently supported releases. Using
+ a common set of patches across releases and making sure we're in sync
+ with "upstream" for that particular section of the grub2 codebase
+ (specifically, UEFI/SB support is typically outside the GNU GRUB tree)
+ allows us to make sure UEFI Secure Boot remains supportable and that
+ potential security issues are easy to fix quickly given the complexity
+ of the codebase.
+ 
+ This is a complex set of enablement patches; most of them will be fairly
+ straightforward backports, but there are a few known warts:
+ 
+  * The included patches are based on grub2 2.02~beta3; as such, some
  patches require extra backporting effort of other pieces of the loader
  code down to releases that do not yet include 2.02~beta3 code.
  
  [Test Case]
  The desktop, server, and alternate install images should all boot and install 
on an SB-enabled system. I would recommend testing installations from both a CD 
and a USB stick. After each installation, validate that Secure Boot is enabled 
by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as 
/sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation 
may be disabled).
  
  Tests should include:
  - booting with Secure Boot enabled
  - booting with Secure Boot enabled, but shim validation disabled
  - booting with Secure Boot disabled, but still in EFI mode
  
  [Regression Potential]
  Check that non-SB installations of all these images still work. For this, it 
is sufficient to test with either a CD or a USB stick, but not necessarily both.
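Review bot: the "Tests should include" list kept as context in this description change names three boot modes but no chainloading case, even though the changelog for this bug carries several chainloader patches (linuxefi_chainloader_path, linuxefi_chainloader_sb, linuxefi_chainloader_pe_fixes). Suggest adding an item for chainloading another EFI bootloader with Secure Boot enabled, and having [Test Case] state which contents of the SecureBoot-* and Mok* variables count as a pass in each mode, since the text only says to check them.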


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-06-20 Thread Chris Halse Rogers
Just to be clear, what is the purpose of this backport? As you know,
“upstream has done more work” isn't usually justification for an SRU :)

Presumably this is expected to fix bugs and/or support new systems?
Could you give a brief run-down of what this fixes/newly supports?


[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

2017-06-07 Thread Mathieu Trudel-Lapierre
Updating status to clarify that this is already uploaded and included in
the artful release.

** Changed in: grub2-signed (Ubuntu Artful)
   Status: New => Fix Released
