Ubuntu
grub2 package

EFI fallback binary should not be installed in --removable mode

Bug #1684341 reported by Mathieu Trudel-Lapierre
26
This bug affects 3 people
Affects Status Importance Assigned to Milestone
grub2 (Ubuntu)
Fix Released
Critical
Mathieu Trudel-Lapierre
Ubuntu ubuntu-17.05
Trusty
Confirmed
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Released
Undecided
Unassigned
Zesty
Fix Released
Critical
Mathieu Trudel-Lapierre
Ubuntu ubuntu-17.05

Bug Description

[Impact]
Building some images depending on calling grub-install --removable still installs fbx64.efi; which we don't want on removable media.

[Test case]
On an EFI system, run 'grub-install --removable --target=x86_64-efi'. Observe whether fbx64.efi is installed to /boot/efi/EFI/BOOT. It should not.

[Regression potential]
If any system is depending on running grub-install with --removable, and on fbx64.efi being installed in /boot/efi/EFI/BOOT; this would cause this assumption to fail -- leading to incorrect fallback behavior when BootEntries are not present on a system.

Failures to boot with "System BootOrder not found" errors should be considered a possible regression.

Any missing files in /boot/efi/EFI/BOOT or /boot/efi/EFI/ubuntu after install should be considered a potential regression of this update.

----

The patch I did to fix names for the new naming of shim binaries included the addition of fbx64.efi; but it was done wrong: fbx64.efi should only exist under \EFI\BOOT, it's not required in the "removable" path; except if we're trying to force installing to the removable path *too*.

In other words:
1) we normally don't want /EFI/ubuntu/fbx64.efi to exist;

and
a) on a desktop or server, we want /EFI/BOOT/fbx64.efi to exist (ie. installs without --removable, and with --force-extra-removable used when grub-install was called);
b) on removable media, we do not want /EFI/BOOT/fbx64.efi to exist (ie. when grub-installed is called with --removable).

Furthermore, the (a) case is probably not the typical case we want to run grub-install with. Calls to grub-install with --force-extra-removable probably should be limited to shim-signed's postinst.

In any case, let's move the fbx64.efi installation step to also_install_removable() in grub-installer to avoid installing it when it shouldn't be.

See original description
Mathieu Trudel-Lapierre (cyphermox)
summary: - EFI fallback binary should only be installed in removable path
+ EFI fallback binary should only be installed in force-extra-removable
Changed in grub2 (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
status: Triaged → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
milestone: none → ubuntu-17.05
Mathieu Trudel-Lapierre (cyphermox)
description: updated
Mathieu Trudel-Lapierre (cyphermox)
summary: - EFI fallback binary should only be installed in force-extra-removable
+ EFI fallback binary should not be installed in --removable mode
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta3-4ubuntu3

---------------
grub2 (2.02~beta3-4ubuntu3) artful; urgency=medium

  * debian/patches/install_signed.patch, grub-install-extra-removable.patch:
    - Make sure if we install shim; it should also be exported as the default
      bootloader to install later to a removable path, if we do.
    - Rework grub-install-extra-removable.patch to reverse its logic: in the
      default case, install the bootloader to /EFI/BOOT, unless we're trying
      to install on a removable device, or explicitly telling grub *not* to
      do it.
    - Move installing fb$arch.efi to --no-extra-removable; as we don't want
      fallback to be installed unless we're also installing to /EFI/BOOT.
      (LP: #1684341)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 26 Apr 2017 21:08:22 -0400

Changed in grub2 (Ubuntu):
status: In Progress → Fix Released
Dan Watkins (oddbloke)
Changed in cloud-images:
importance: Undecided → High
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu Trusty):
status: New → Confirmed
Changed in grub2 (Ubuntu Xenial):
status: New → Confirmed
Changed in grub2 (Ubuntu Yakkety):
status: New → Confirmed
Revision history for this message
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of grub2 to xenial-proposed has been rejected from the upload queue for the following reason: "SRU should handle removal of /boot/efi/EFI/ubuntu/fb$arch.efi on disk".

Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.66.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of grub2 to yakkety-proposed has been rejected from the upload queue for the following reason: "needs upgrade handling to remove /boot/efi/EFI/ubuntu/fbx64.efi".

Revision history for this message
DorianDaumiller (dorian-daumiller) wrote :

looks like this change broke the installation process of grub-pc_2.02~beta2-36ubuntu3.10 for me (syntax-error in grub-pc.postinst). Please see bug #1692175, which is for grub-efi-amd64 2.02~beta2-36ubuntu3.10 but I believe the file might be the same anyway.

Side question: How do you link two bugs as related if they're not duplicates?

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote : [grub2/xenial] possible regression found

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of grub2 from xenial-proposed was performed and bug 1692181 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1692181 (not this bug). Thanks!

tags: added: verification-failed
Łukasz Zemczak (sil2100)
tags: removed: verification-failed
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted grub2 into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta3-4ubuntu2.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Zesty):
status: In Progress → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2 into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu11.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Yakkety):
status: Confirmed → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.80.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.74.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification done on xenial:

Preparing to unpack .../grub-efi-amd64-signed_1.66.11+2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.66.11+2.02~beta2-36ubuntu3.11) over (1.66.9+2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub-efi-amd64_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub2-common_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub2-common (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub-efi-amd64-bin_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...
Preparing to unpack .../grub-common_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-common (2.02~beta2-36ubuntu3.11) over (2.02~beta2-36ubuntu3.9) ...

I've verified that the fbx64.efi file is indeed no longer installed in /boot/efi/EFI/ubuntu.

tags: added: verification-done-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.11

---------------
grub2 (2.02~beta2-36ubuntu3.11) xenial; urgency=medium

  * Fix syntax error in debian/postinst.in. (LP #1692181)

 -- Steve Langasek <email address hidden> Sat, 20 May 2017 12:59:17 -0700

Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification done for yakkety:

Preparing to unpack .../0-grub-efi-amd64-signed_1.74.3+2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.74.3+2.02~beta2-36ubuntu11.3) over (1.74.2+2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../1-grub-efi-amd64_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../2-grub2-common_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub2-common (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../3-grub-efi-amd64-bin_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...
Preparing to unpack .../4-grub-common_2.02~beta2-36ubuntu11.3_amd64.deb ...
Unpacking grub-common (2.02~beta2-36ubuntu11.3) over (2.02~beta2-36ubuntu11.2) ...

I have verified that the fbx64.efi file is no longer installed in /boot/efi/EFI/ubuntu.

tags: added: verification-done-yakkety
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification done for zesty:

Preparing to unpack .../grub-efi-amd64-signed_1.80.1+2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.80.1+2.02~beta3-4ubuntu2.1) over (1.80+2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub-efi-amd64_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub2-common_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub2-common (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub-efi-amd64-bin_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...
Preparing to unpack .../grub-common_2.02~beta3-4ubuntu2.1_amd64.deb ...
Unpacking grub-common (2.02~beta3-4ubuntu2.1) over (2.02~beta3-4ubuntu2) ...

I have verified that fbx64.efi is no longer getting installed in /boot/efi/EFI/ubuntu.

tags: added: verification-done-zesty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta3-4ubuntu2.1

---------------
grub2 (2.02~beta3-4ubuntu2.1) zesty; urgency=medium

  * debian/patches/install_signed.patch: don't install fb$arch.efi; it breaks
    "removable" installs where files are all installed to /EFI/BOOT; and it
    also doesn't belong in the /EFI/ubuntu path for the default case. Fallback
    install simply needs more work and isn't ready for SRU. (LP: #1684341)
  * debian/postinst.in: clean up fb$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 24 May 2017 16:25:17 -0400

Changed in grub2 (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu11.3

---------------
grub2 (2.02~beta2-36ubuntu11.3) yakkety; urgency=medium

  * debian/patches/install_signed.patch: don't install fb$arch.efi; it breaks
    "removable" installs where files are all installed to /EFI/BOOT; and it
    also doesn't belong in the /EFI/ubuntu path for the default case. Fallback
    install simply needs more work and isn't ready for SRU. (LP: #1684341)
  * debian/postinst.in: clean up fb$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 May 2017 18:26:30 -0400

Changed in grub2 (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Scott Moser (smoser)
no longer affects: cloud-images
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.