Having reviewed and discussed the changes to grub in the SRU queue, I
have concluded that the grub2 SRU is both insufficient (because upgrade
ordering does not ensure that the update-secureboot-policy command is
available when grub is upgraded) and unnecessary (because shim-signed
should apply the policy itself, so grub doesn't need to).

I am rejecting / removing the grub2 and grub2-signed SRUs for this.

shim-signed needs a reupload, so that it directly calls
update-secureboot-policy in postinst on upgrade - not just when
triggered by another package.

Later, when we are changing grub to refuse to boot kernels whose
signature doesn't verify, we will need to ensure that an appropriate
version of shim-signed is installed first. But that should be done with
a Breaks against older versions of shim, not with conditional postinst
logic.

** Changed in: grub2-signed (Ubuntu Wily)
Status: New => Invalid
--
https://bugs.launchpad.net/bugs/1574727
Title:
[SRU] Enforce using signed kernels and modules on UEFI
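
The postinst behaviour requested in the comment above, as an added sketch that is not shim-signed's actual maintainer script: the policy tool runs on `configure` during an upgrade as well as on `triggered`. The function names, the `POLICY_CMD` override, calling the tool without arguments, and skipping on a fresh install are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not the real shim-signed postinst.
# POLICY_CMD is a hypothetical override so the flow can be exercised
# without the real tool; it defaults to the command named in the comment.
POLICY_CMD="${POLICY_CMD:-update-secureboot-policy}"

# dpkg calls postinst as: postinst <action> [<previously-configured-version>]
# $1 = action, $2 = old version (empty on a fresh install).
should_apply_policy() {
    case "$1" in
        triggered)
            return 0 ;;                 # activated by another package's trigger
        configure)
            [ -n "$2" ] && return 0     # upgrade: apply the policy directly
            return 1 ;;                 # fresh install: assumption, not covered by the comment
        *)
            return 1 ;;                 # abort-upgrade, abort-remove, ...
    esac
}

run_postinst() {
    if ! should_apply_policy "$1" "$2"; then
        echo "skipped"
        return 0
    fi
    # Fail loudly if the tool is absent instead of silently skipping the policy.
    if ! command -v "$POLICY_CMD" >/dev/null 2>&1; then
        echo "missing" >&2
        return 1
    fi
    "$POLICY_CMD" || return $?
    echo "applied"
}

# Run only when invoked with maintainer-script arguments.
if [ "$#" -gt 0 ]; then
    run_postinst "$@"
fi
```

The ordering guarantee for a later grub change is a package-relationship matter (a `Breaks` on older shim versions, as the comment says) and is deliberately not modelled in this script.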