** Description changed: [Impact] - Since the implementation of UEFI Secure Boot in Ubuntu, there has been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb. This is a complex set of enablement patches across a number of packages. Most of them will be fairly straightforward backports, but there are a few known warts: + Since the implementation of UEFI Secure Boot in Ubuntu, there has been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb. - * The included patches are based on grub2 2.02~beta3; as such, some + This SRU is handled as a wholesale "sync" with a known set of patches + rather than individual cherry-picks given the high risk in cherry- + picking individual changes; we do not want to risk subtly breaking + Secure Boot support or introducing a security issue due to using + different sets of patches across our currently supported releases. Using + a common set of patches across releases and making sure we're in sync + with "upstream" for that particular section of the grub2 codebase + (specifically, UEFI/SB support is typically outside the GNU GRUB tree) + allows us to make sure UEFI Secure Boot remains supportable and that + potential security issues are easy to fix quickly given the complexity + of the codebase. + + This is a complex set of enablement patches; most of them will be fairly + straightforward backports, but there are a few known warts: + + * The included patches are based on grub2 2.02~beta3; as such, some patches require extra backporting effort of other pieces of the loader code down to releases that do not yet include 2.02~beta3 code. [Test Case] The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. 
After each installation, validate that Secure Boot is enabled by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as /sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation may be disabled).

Tests should include:
  - booting with Secure Boot enabled
  - booting with Secure Boot enabled, but shim validation disabled
  - booting with Secure Boot disabled, but still in EFI mode

[Regression Potential]
Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both.
--
https://bugs.launchpad.net/bugs/1696599

Title:
  backport/sync UEFI, Secure Boot support
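
The validation step in the test case above, as an added example that is not part of the original bug report: a POSIX shell function that reads the efivarfs files and reports which of the three tested boot states the system is in. It assumes the efivarfs layout of a 4-byte attribute header followed by the variable data, and that shim's runtime state variable is MokSBStateRT (the report only says Mok*); the function names and state labels are made up for this example.

```shell
#!/bin/sh
# Added example: classify the boot state from efivarfs contents.
# Assumption: each efivarfs file is a 4-byte attribute header followed by
# the variable data, so the value of a one-byte variable sits at offset 4.

# Print the first data byte (decimal) of the first variable named "$2-<GUID>"
# in directory $1. Returns 1 if no such variable exists.
efi_var_byte() {
    for f in "$1"/"$2"-*; do
        [ -f "$f" ] || continue
        od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
        return 0
    done
    return 1
}

# Print one of (hypothetical labels):
#   not-efi                                      no efivars directory
#   efi-secureboot-disabled                      EFI boot, SecureBoot != 1
#   secureboot-enabled                           SecureBoot == 1, shim validating
#   secureboot-enabled-shim-validation-disabled  SecureBoot == 1, MokSBStateRT == 1
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    [ -d "$dir" ] || { echo "not-efi"; return 0; }

    sb=$(efi_var_byte "$dir" SecureBoot) || sb=""
    # Assumption: MokSBStateRT is the Mok* variable that records disabled
    # shim validation; an absent variable means validation is active.
    mok=$(efi_var_byte "$dir" MokSBStateRT) || mok=""

    if [ "$sb" != "1" ]; then
        echo "efi-secureboot-disabled"
    elif [ "$mok" = "1" ]; then
        echo "secureboot-enabled-shim-validation-disabled"
    else
        echo "secureboot-enabled"
    fi
}

# Report the state of the running system, or of a directory given as $1.
sb_state "${1:-}"
```

Run it once per installation in the test matrix and compare the printed state with the firmware and shim configuration used for that boot.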
