[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-08-16 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates.  LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install.  LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode  Fri, 16 Jul 2021 13:04:57 +0200

** Changed in: shim-signed (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930742

Title:
  cloud images in xenial do not get their boot path updated because we
  don't call grub-install --force-extra-removable

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2-signed/+bug/1930742/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
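
A check for the condition the `--force-extra-removable` changelog entry above addresses, as an added example that is not part of the original thread or of the Ubuntu packaging: it compares the removable-path binaries under EFI/BOOT with the copies under EFI/ubuntu on a mounted ESP. The EFI/ubuntu file names (shimx64.efi, grubx64.efi) and all function names are assumptions, and only the amd64 layout is covered.

```shell
#!/bin/sh
# Added example: detect a stale \EFI\BOOT removable path on a mounted ESP.
# Assumed layout (not stated in the thread): the distro-path copies live in
# EFI/ubuntu as shimx64.efi and grubx64.efi. The removable-path names
# EFI/BOOT/BOOTX64.EFI and EFI/BOOT/grubx64.efi are the ones the thread uses.

# Print the SHA-256 of a file, or the word "missing" if it does not exist.
digest() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    else
        echo missing
    fi
}

# compare_pair LABEL DISTRO_FILE REMOVABLE_FILE
# Prints one status line. Returns 0 only when both files exist and match.
compare_pair() {
    distro=$(digest "$2")
    removable=$(digest "$3")
    if [ "$removable" = missing ]; then
        # Some images have no removable-path copy at all.
        echo "$1: ABSENT (no removable-path copy at $3)"
        return 2
    fi
    if [ "$distro" = missing ]; then
        echo "$1: UNKNOWN (nothing at $2 to compare against)"
        return 3
    fi
    if [ "$distro" = "$removable" ]; then
        echo "$1: OK"
        return 0
    fi
    # The firmware boots this file on images that use the removable path,
    # so a mismatch means package updates are not reaching the boot chain.
    echo "$1: STALE (removable-path copy differs from $2)"
    return 1
}

# check_removable_path ESP_MOUNT
# Returns 0 when both shim and grub on the removable path match the
# distro-path copies, 1 otherwise.
check_removable_path() {
    esp=$1
    rc=0
    compare_pair shim "$esp/EFI/ubuntu/shimx64.efi" \
        "$esp/EFI/BOOT/BOOTX64.EFI" || rc=1
    compare_pair grub "$esp/EFI/ubuntu/grubx64.efi" \
        "$esp/EFI/BOOT/grubx64.efi" || rc=1
    return $rc
}

# Run the check only when an ESP mount point is given on the command line,
# for example: sh check-removable.sh /boot/efi
if [ "$#" -gt 0 ]; then
    check_removable_path "$1"
fi
```

A STALE result after a grub or shim upgrade indicates that the maintainer scripts did not refresh the removable path.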

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-07-19 Thread Joshua Powers
# GCE Verification

## Test Steps

Booted GCE amd64 systems with uEFI-only and uEFI+Secure Boot
Ran the following script: https://paste.ubuntu.com/p/K2DpvcbYNG/
Ensure system successfully reboots

## Xenial Results

uEFI only: https://paste.ubuntu.com/p/nwcjCSVTRD/
uEFI+Secure Boot: https://paste.ubuntu.com/p/KZ8tS9zkKr/

Both systems reboot successfully! Marking verification done.


** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-07-19 Thread Łukasz Zemczak
Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Tags removed: verification-done verification-done-xenial
** Tags added: verification-needed verification-needed-xenial

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-24 Thread Joshua Powers
# GCE Verification

## Test Steps

Booted GCE amd64 systems with uEFI-only and uEFI+Secure Boot
Ran the following script: https://paste.ubuntu.com/p/K2DpvcbYNG/
Ensure system successfully reboots

## Xenial Results

uEFI only: https://paste.ubuntu.com/p/kqjn5YbYCb/
uEFI+Secure Boot: https://paste.ubuntu.com/p/xZ5t24P7nr/

Both systems reboot successfully! Marking verification done.

** Tags removed: verification-needed verification-needed-xenial
** Tags added: verification-done verification-done-xenial

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-22 Thread Steve Langasek
Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.8 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: shim-signed (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags removed: verification-done verification-done-xenial
** Tags added: verification-needed verification-needed-xenial

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-18 Thread Mathew Hodson
** Changed in: grub2-signed (Ubuntu)
   Status: Invalid => Fix Released

** Changed in: grub2-unsigned (Ubuntu)
   Status: Invalid => Fix Released

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-17 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-signed - 1.167~18.04.5

---
grub2-signed (1.167~18.04.5) bionic; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.2.  LP: #1926748.

grub2-signed (1.167~18.04.4) bionic; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.1.  LP: #1930742.

 -- Steve Langasek  Mon, 07 Jun 2021 13:25:54 -0700

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-17 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu44.1.2

---
grub2-unsigned (2.04-1ubuntu44.1.2) bionic; urgency=medium

  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support.  LP: #1926748.

grub2-unsigned (2.04-1ubuntu44.1.1) bionic; urgency=medium

  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates.  LP: #1930742.

 -- Steve Langasek  Mon, 07 Jun 2021 13:12:58 -0700

** Changed in: grub2-unsigned (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

** Changed in: grub2-signed (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-17 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-signed - 1.167~16.04.6

---
grub2-signed (1.167~16.04.6) xenial; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.2.  LP: #1926748.

grub2-signed (1.167~16.04.5) xenial; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.1.
  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates.  LP: #1930742.

 -- Steve Langasek  Mon, 07 Jun 2021 13:26:45 -0700

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-17 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu44.1.2

---
grub2-unsigned (2.04-1ubuntu44.1.2) bionic; urgency=medium

  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support.  LP: #1926748.

grub2-unsigned (2.04-1ubuntu44.1.1) bionic; urgency=medium

  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates.  LP: #1930742.

 -- Steve Langasek  Mon, 07 Jun 2021 13:12:58 -0700

** Changed in: grub2-unsigned (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-10 Thread Joshua Powers
After verifying that the "error" messages in #15 are ignorable, marking
this verification done.

** Tags removed: verification-needed verification-needed-bionic 
verification-needed-xenial
** Tags added: verification-done verification-done-bionic 
verification-done-xenial

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-10 Thread Dimitri John Ledkov
```
However, on the c6g.metal instance, while apt did not report an error, there
were error messages printed out:

Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin
Setting up grub-efi-arm64-signed (1.167~18.04.5+2.04-1ubuntu44.1.2) ...
```

Yes, this is mostly harmless. dbxupdates are attempted, but never fatal,
and will be retried on every boot, until they work, or not.

It is an indication that efivariable storage is not working, but also
shouldn't matter on that instance type as it doesn't have UEFI
secureboot.

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-08 Thread Joshua Powers
Testing complete, if someone can explain the error messages in comment
#15 we can mark this verification-done.

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-08 Thread Joshua Powers
# GCE Verification

## Test Steps

Booted GCE amd64 systems with uEFI-only and uEFI+Secure Boot
Ran the following script: https://paste.ubuntu.com/p/BDwhF4KHZ2/
Ensure system successfully reboots

## Xenial Results

uEFI only: https://paste.ubuntu.com/p/vhxkYy5F43/
uEFI+Secure Boot: https://paste.ubuntu.com/p/hwr9Z4qdZB/

Both systems successfully rebooted.

## Bionic Results

The bionic systems did not have these files so removing and touching
them was not done:

/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/grubx64.efi

uEFI only: https://paste.ubuntu.com/p/tMrs2jJrDc/
uEFI+Secure Boot: https://paste.ubuntu.com/p/xgwG6FVwCt/

Both systems successfully rebooted.

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-08 Thread Joshua Powers
# Bionic AWS Verification

## Test Steps

Booted AWS arm64 baremetal and VM systems
Ran the following script: https://paste.ubuntu.com/p/B5XPR8StXy/
Ensure system successfully reboots

## Results

t4g.medium: https://paste.ubuntu.com/p/QH8Xrr4Sck/
c6g.metal: https://paste.ubuntu.com/p/4q688QqC4v/

Both systems successfully updated grub from proposed and rebooted.

However, on the c6g.metal instance, while apt did not report an error,
there were error messages printed out:

Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin
Setting up grub-efi-arm64-signed (1.167~18.04.5+2.04-1ubuntu44.1.2) ...

Can this error please either be fixed or explained in this bug before
marking verification-done?

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-08 Thread Joshua Powers
# Xenial AWS Verification

## Test Steps

Booted AWS arm64 baremetal and VM systems
Ran the following script: https://paste.ubuntu.com/p/B5XPR8StXy/
Ensure system successfully reboots

## Results

Both systems successfully updated grub from proposed and rebooted

t4g.medium: https://paste.ubuntu.com/p/ys4hgfTfRm/
c6g.metal: https://paste.ubuntu.com/p/2RFYbCmFxh/

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-08 Thread Julian Andres Klode
To be clear: This means the test case was wrong, as it was possible to
construct systems where this worked before such as canonistack, but
clearly there are also systems where the relocation becomes an issue at
grub-install time.

I personally never tested on AWS (I have credentials somewhere, I think,
used some in 2018), only Canonistack, but I'm reasonably certain that
dannf did see the same relocation issue in 44.1 as well.

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-08 Thread Julian Andres Klode
The relocation failure on install is not a regression vs 44.1 in
-updates though, anyway. We should only fail on regressions, not make
fixing additional issues requisites for verifying new issues.

But oh well, Steve fixed it, but I'd like to make sure we actually test
the same things and don't come up with new tests each time that then
fail but are not actually regressions compared to -updates.

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-07 Thread Joshua Powers
Launched c6g.metal, a1.metal, and t4g.medium instances with Xenial
(20210429); on upgrade of all three I got the following error:

grub-install: error: relocation 0x113 is not implemented yet.
Failed: grub-install --target=arm64-efi
WARNING: Bootloader is not properly installed, system may not be bootable

Log: https://paste.ubuntu.com/p/khgMBYH86N/
Script: https://paste.ubuntu.com/p/cnTHCd8hGQ/

Marking verification verification-failed-xenial

** Tags removed: verification-needed-xenial
** Tags added: verification-failed-xenial

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-04 Thread Steve Langasek
grub2-unsigned binary copied from bionic-proposed to xenial-proposed.

** Changed in: grub2-unsigned (Ubuntu Xenial)
   Status: In Progress => Fix Committed

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-04 Thread Timo Aaltonen
Hello Steve, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/grub2-signed/1.167~16.04.5 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-xenial

** Changed in: grub2-signed (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-03 Thread Steve Langasek
Because grub-install in bionic and later also defaults to installing to
the removable path, shim-signed in bionic does not need any update for
this; the bionic SRUs of grub are only necessary because grub2-unsigned
is shared between xenial and bionic.

** Changed in: shim-signed (Ubuntu Bionic)
   Status: New => Invalid

** Tags added: regression-update

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-03 Thread Steve Langasek
shim-signed upload is blocked on the availability of a new signed binary
from Microsoft that includes the fix for bug #1928434.  The shim part of
the test case will therefore fail until then, but this should not block
release of the grub fixes.

** Changed in: shim-signed (Ubuntu Xenial)
 Assignee: (unassigned) => Steve Langasek (vorlon)

[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-03 Thread Steve Langasek
** Changed in: grub2-signed (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: grub2-signed (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: grub2-unsigned (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: grub2-unsigned (Ubuntu Bionic)
   Status: New => In Progress


[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-03 Thread Steve Langasek
** Description changed:

  [Impact]
  Verification of the previous SRU, bug #1928674, exposed that we have a 
regression on xenial/arm64 cloud images because they boot from the removable 
media path, which is not updated by the maintainer scripts in those images; and 
because we have never supported the monolithic signed EFI executable on 
xenial/arm64, there is an ABI mismatch between the updated contents of 
/boot/grub and the not-updated contents of \EFI\boot\bootaa64.efi.
  
  The fact that \EFI\boot is not updated on xenial cloud images is ALSO an
  issue on amd64 - it doesn't lead to a boot failure there because we do
  support secureboot on xenial/amd64, so the bootloader doesn't depend on
  loading modules from /boot/grub; however, \EFI\boot not being uploaded
  means that the systems still do not benefit from the updated grub, AND
  are subject to boot failures in the future due to the fact that the old
  shim has been revoked by Microsoft and these revocations may propagate
  to the cloud instance's revocation database in nvram, one way or
  another.
  
  [Test Case]
  - Boot an arm64 Ubuntu image in AWS
  - Enable -proposed
  - Upgrade the grub-efi-amd64 package
  - Reboot
  - Verify that the system comes up
  
  - Boot an amd64 Ubuntu image in GCE
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Enabled -proposed
  - Upgrade the grub-efi-amd64-signed package
  - Reboot
  - Verify that the system comes up
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Upgrade the shim-signed package
  - Reboot
  - Verify that the system comes up
  
  [Where problems could occur]
  Because there were no provisions in the cloud images at the time they were 
built for updates to \EFI\boot, the only practical way to fix this for existing 
images (which is where the upgrade bug is an issue) is by unconditionally 
installing to the removable media path on all systems as part of the upgrade.  
This means that non-cloud systems, which do not normally boot Ubuntu via 
\EFI\boot, will have the contents of \EFI\boot replaced when this was not 
previously the case (and contrary to the debconf setting).  In newer Ubuntu 
releases, we install to \EFI\boot unconditionally; but this is a behavior 
change in a stable series.  If a user has something other than Ubuntu grub+shim 
installed to \EFI\boot, this may be an unexpected behavior change from an SRU.
+ 
+ The risk of this causing a problem for users is mitigated on bionic by
+ the fact that all the most recent install media for Ubuntu 18.04 also
+ install shim+grub to the removable path, so this is already the default
+ behavior.
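
Review bot: the added mitigation paragraph at the end of [Where problems could occur] covers bionic only, while the behavior change described just above it (replacing the contents of \EFI\boot contrary to the debconf setting) applies to xenial as well. Suggest stating explicitly whether xenial has a comparable mitigation or whether the risk there is simply accepted. The phrase "all the most recent install media" also leaves systems installed from earlier 18.04 media outside the mitigation, which is worth saying in the text.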


[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-03 Thread Steve Langasek
** Description changed:

  [Impact]
  Verification of the previous SRU, bug #1928674, exposed that we have a 
regression on xenial/arm64 cloud images because they boot from the removable 
media path, which is not updated by the maintainer scripts in those images; and 
because we have never supported the monolithic signed EFI executable on 
xenial/arm64, there is an ABI mismatch between the updated contents of 
/boot/grub and the not-updated contents of \EFI\boot\bootaa64.efi.
  
  The fact that \EFI\boot is not updated on xenial cloud images is ALSO an
  issue on amd64 - it doesn't lead to a boot failure there because we do
  support secureboot on xenial/amd64, so the bootloader doesn't depend on
  loading modules from /boot/grub; however, \EFI\boot not being uploaded
  means that the systems still do not benefit from the updated grub, AND
  are subject to boot failures in the future due to the fact that the old
  shim has been revoked by Microsoft and these revocations may propagate
  to the cloud instance's revocation database in nvram, one way or
  another.
  
  [Test Case]
  - Boot an arm64 Ubuntu image in AWS
  - Enable -proposed
  - Upgrade the grub-efi-amd64 package
  - Reboot
  - Verify that the system comes up
  
- - Boot an amd64 Ubuntu image in AWS
- - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- - Enabled -proposed
- - Upgrade the grub-efi-amd64-signed package
- - Reboot
- - Verify that the system comes up
- - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- - Upgrade the shim-signed package
- - Reboot
- - Verify that the system comes up
- 
  - Boot an amd64 Ubuntu image in GCE
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Enabled -proposed
  - Upgrade the grub-efi-amd64-signed package
  - Reboot
  - Verify that the system comes up
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Upgrade the shim-signed package
  - Reboot
  - Verify that the system comes up
  
  [Where problems could occur]
  Because there were no provisions in the cloud images at the time they were 
built for updates to \EFI\boot, the only practical way to fix this for existing 
images (which is where the upgrade bug is an issue) is by unconditionally 
installing to the removable media path on all systems as part of the upgrade.  
This means that non-cloud systems, which do not normally boot Ubuntu via 
\EFI\boot, will have the contents of \EFI\boot replaced when this was not 
previously the case (and contrary to the debconf setting).  In newer Ubuntu 
releases, we install to \EFI\boot unconditionally; but this is a behavior 
change in a stable series.  If a user has something other than Ubuntu grub+shim 
installed to \EFI\boot, this may be an unexpected behavior change from an SRU.
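
Review bot: the removed block was the only amd64 test on AWS, and the description gives no reason for dropping it; after this change AWS is exercised on arm64 only and amd64 on GCE only. If that is intentional (for example because the two amd64 blocks were step-for-step identical), a one-line rationale in [Test Case] would make the reduced coverage an explicit decision.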


[Bug 1930742] Re: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

2021-06-03 Thread Steve Langasek
** Description changed:

  [Impact]
  Verification of the previous SRU, bug #1928674, exposed that we have a 
regression on xenial/arm64 cloud images because they boot from the removable 
media path, which is not updated by the maintainer scripts in those images; and 
because we have never supported the monolithic signed EFI executable on 
xenial/arm64, there is an ABI mismatch between the updated contents of 
/boot/grub and the not-updated contents of \EFI\boot\bootaa64.efi.
  
  The fact that \EFI\boot is not updated on xenial cloud images is ALSO an
  issue on amd64 - it doesn't lead to a boot failure there because we do
  support secureboot on xenial/amd64, so the bootloader doesn't depend on
  loading modules from /boot/grub; however, \EFI\boot not being uploaded
  means that the systems still do not benefit from the updated grub, AND
  are subject to boot failures in the future due to the fact that the old
  shim has been revoked by Microsoft and these revocations may propagate
  to the cloud instance's revocation database in nvram, one way or
  another.
  
  [Test Case]
  - Boot an arm64 Ubuntu image in AWS
  - Enable -proposed
  - Upgrade the grub-efi-amd64 package
  - Reboot
  - Verify that the system comes up
  
  - Boot an amd64 Ubuntu image in AWS
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Enabled -proposed
  - Upgrade the grub-efi-amd64-signed package
  - Reboot
  - Verify that the system comes up
  - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
  - Upgrade the shim-signed package
  - Reboot
  - Verify that the system comes up
  
+ - Boot an amd64 Ubuntu image in GCE
+ - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
+ - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
+ - Enabled -proposed
+ - Upgrade the grub-efi-amd64-signed package
+ - Reboot
+ - Verify that the system comes up
+ - rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
+ - touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
+ - Upgrade the shim-signed package
+ - Reboot
+ - Verify that the system comes up
  
  [Where problems could occur]
  Because there were no provisions in the cloud images at the time they were 
built for updates to \EFI\boot, the only practical way to fix this for existing 
images (which is where the upgrade bug is an issue) is by unconditionally 
installing to the removable media path on all systems as part of the upgrade.  
This means that non-cloud systems, which do not normally boot Ubuntu via 
\EFI\boot, will have the contents of \EFI\boot replaced when this was not 
previously the case (and contrary to the debconf setting).  In newer Ubuntu 
releases, we install to \EFI\boot unconditionally; but this is a behavior 
change in a stable series.  If a user has something other than Ubuntu grub+shim 
installed to \EFI\boot, this may be an unexpected behavior change from an SRU.
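
Review bot: in the added GCE steps, "Verify that the system comes up" is the only pass criterion after the rm/touch of BOOTX64.EFI and grubx64.efi, and a successful boot does not by itself show that the upgrade rewrote \EFI\BOOT if the firmware has another boot entry to use. Suggest adding a step after each upgrade, before the reboot, that checks both files under /boot/efi/EFI/BOOT are no longer empty. Separately, "Enabled -proposed" should read "Enable -proposed" to match the arm64 block.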

** Changed in: grub2-signed (Ubuntu Xenial)
 Assignee: (unassigned) => Steve Langasek (vorlon)
