cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable

Bug #1930742 reported by Steve Langasek
Affects                   Status        Importance  Assigned to     Milestone
grub2-signed (Ubuntu)     Fix Released  Undecided   Unassigned
  Xenial                  Fix Released  Undecided   Steve Langasek
  Bionic                  Fix Released  Undecided   Unassigned
grub2-unsigned (Ubuntu)   Fix Released  Undecided   Unassigned
  Xenial                  Fix Released  Undecided   Unassigned
  Bionic                  Fix Released  Undecided   Unassigned
  Jammy                   Fix Released  Undecided   Unassigned
shim-signed (Ubuntu)      Invalid       Undecided   Unassigned
  Xenial                  Fix Released  Undecided   Steve Langasek
  Bionic                  Invalid       Undecided   Unassigned

Bug Description

[Impact]
Verification of the previous SRU, bug #1928674, exposed that we have a regression on xenial/arm64 cloud images because they boot from the removable media path, which is not updated by the maintainer scripts in those images; and because we have never supported the monolithic signed EFI executable on xenial/arm64, there is an ABI mismatch between the updated contents of /boot/grub and the not-updated contents of \EFI\boot\bootaa64.efi.

The fact that \EFI\boot is not updated on xenial cloud images is ALSO an issue on amd64 - it doesn't lead to a boot failure there because we do support secureboot on xenial/amd64, so the bootloader doesn't depend on loading modules from /boot/grub; however, \EFI\boot not being updated means that the systems still do not benefit from the updated grub, AND are subject to boot failures in the future due to the fact that the old shim has been revoked by Microsoft and these revocations may propagate to the cloud instance's revocation database in nvram, one way or another.

[Test Case]
- Boot an arm64 Ubuntu image in AWS
- Enable -proposed
- Upgrade the grub-efi-amd64 package
- Reboot
- Verify that the system comes up

- Boot an amd64 Ubuntu image in GCE
- rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- Enable -proposed
- Upgrade the grub-efi-amd64-signed package
- Reboot
- Verify that the system comes up
- rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- Upgrade the shim-signed package
- Reboot
- Verify that the system comes up

[Where problems could occur]
Because there were no provisions in the cloud images at the time they were built for updates to \EFI\boot, the only practical way to fix this for existing images (which is where the upgrade bug is an issue) is by unconditionally installing to the removable media path on all systems as part of the upgrade. This means that non-cloud systems, which do not normally boot Ubuntu via \EFI\boot, will have the contents of \EFI\boot replaced when this was not previously the case (and contrary to the debconf setting). In newer Ubuntu releases, we install to \EFI\boot unconditionally; but this is a behavior change in a stable series. If a user has something other than Ubuntu grub+shim installed to \EFI\boot, this may be an unexpected behavior change from an SRU.

The risk of this causing a problem for users is mitigated on bionic by the fact that all the most recent install media for Ubuntu 18.04 also install shim+grub to the removable path, so this is already the default behavior.
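A read-only check for the state this bug describes, added here as an example and not taken from the bug report or from the grub/shim packaging: it compares the shim and grub binaries under \EFI\ubuntu with their copies on the removable path \EFI\BOOT, which are the files grub-install --force-extra-removable keeps in sync. The function names, the constructed temporary ESP and the cp-based stand-in for grub-install are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the bug report: report whether the removable-media
# path \EFI\BOOT on an ESP carries the same shim and grub binaries as the
# Ubuntu path \EFI\ubuntu. A stale copy in \EFI\BOOT is the state the bug
# describes on cloud images. Function names and the fake ESP are constructed.

# Usage: removable_path_status <esp mount point> <x64|aa64>
# Prints one line per finding; returns 0 = in sync, 1 = stale, 2 = file missing.
removable_path_status() {
    esp="$1"
    arch="$2"
    ARCH=$(printf '%s' "$arch" | tr '[:lower:]' '[:upper:]')
    distro_shim="$esp/EFI/ubuntu/shim$arch.efi"
    distro_grub="$esp/EFI/ubuntu/grub$arch.efi"
    removable_shim="$esp/EFI/BOOT/BOOT$ARCH.EFI"   # BOOTX64.EFI / BOOTAA64.EFI
    removable_grub="$esp/EFI/BOOT/grub$arch.efi"

    for f in "$distro_shim" "$distro_grub" "$removable_shim" "$removable_grub"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f"
            return 2
        fi
    done

    status=0
    if ! cmp -s "$distro_shim" "$removable_shim"; then
        echo "stale: $removable_shim differs from $distro_shim"
        status=1
    fi
    if ! cmp -s "$distro_grub" "$removable_grub"; then
        echo "stale: $removable_grub differs from $distro_grub"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "in sync: $esp/EFI/BOOT matches $esp/EFI/ubuntu"
    fi
    return "$status"
}

# Build a constructed ESP layout under a temp dir in the state the bug
# describes: \EFI\ubuntu was updated by the package, \EFI\BOOT was not.
# The file contents are placeholders, not real EFI binaries.
make_stale_esp() {
    d=$(mktemp -d)
    mkdir -p "$d/EFI/ubuntu" "$d/EFI/BOOT"
    printf 'shim v2' > "$d/EFI/ubuntu/shimx64.efi"
    printf 'grub v2' > "$d/EFI/ubuntu/grubx64.efi"
    printf 'shim v1' > "$d/EFI/BOOT/BOOTX64.EFI"
    printf 'grub v1' > "$d/EFI/BOOT/grubx64.efi"
    echo "$d"
}

# Stand-in for what the fixed postinst achieves by running
# grub-install --force-extra-removable: the removable path receives the
# current binaries. A plain cp is used here so the demo runs offline.
sync_removable_path() {
    esp="$1"
    arch="$2"
    ARCH=$(printf '%s' "$arch" | tr '[:lower:]' '[:upper:]')
    cp "$esp/EFI/ubuntu/shim$arch.efi" "$esp/EFI/BOOT/BOOT$ARCH.EFI"
    cp "$esp/EFI/ubuntu/grub$arch.efi" "$esp/EFI/BOOT/grub$arch.efi"
}

# Demo on the constructed ESP when DEMO=1 is set. On a real system the check
# is:  removable_path_status /boot/efi x64   (aa64 on arm64)
if [ "${DEMO:-0}" = 1 ]; then
    esp=$(make_stale_esp)
    removable_path_status "$esp" x64 || true   # reports the stale copies
    sync_removable_path "$esp" x64
    removable_path_status "$esp" x64           # now in sync
    rm -rf "$esp"
fi
```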

Steve Langasek (vorlon)
Changed in grub2-signed (Ubuntu):
status: New → Invalid
Changed in grub2-unsigned (Ubuntu):
status: New → Invalid
Changed in shim-signed (Ubuntu):
status: New → Invalid
Steve Langasek (vorlon)
description: updated
Changed in grub2-signed (Ubuntu Xenial):
assignee: nobody → Steve Langasek (vorlon)
Steve Langasek (vorlon)
description: updated
Steve Langasek (vorlon)
description: updated
Steve Langasek (vorlon)
Changed in grub2-signed (Ubuntu Xenial):
status: New → In Progress
Changed in grub2-signed (Ubuntu Bionic):
status: New → In Progress
Changed in grub2-unsigned (Ubuntu Xenial):
status: New → In Progress
Changed in grub2-unsigned (Ubuntu Bionic):
status: New → In Progress
Steve Langasek (vorlon) wrote :

shim-signed upload is blocked on the availability of a new signed binary from Microsoft that includes the fix for bug #1928434. The shim part of the test case will therefore fail until then, but this should not block release of the grub fixes.

Changed in shim-signed (Ubuntu Xenial):
assignee: nobody → Steve Langasek (vorlon)
Steve Langasek (vorlon) wrote :

Because grub-install in bionic and later also defaults to installing to the removable path, shim-signed in bionic does not need any update for this; the bionic SRUs of grub are only necessary because grub2-unsigned is shared between xenial and bionic.

Changed in shim-signed (Ubuntu Bionic):
status: New → Invalid
tags: added: regression-update
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.167~16.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-signed (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Changed in grub2-signed (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Steve, or anyone else affected,

Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.167~18.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Bionic):
status: In Progress → Fix Committed
Timo Aaltonen (tjaalton) wrote :

Hello Steve, or anyone else affected,

Accepted grub2-unsigned into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

grub2-unsigned binary copied from bionic-proposed to xenial-proposed.

Changed in grub2-unsigned (Ubuntu Xenial):
status: In Progress → Fix Committed
Joshua Powers (powersj) wrote :

Launched c6g.metal, a1.metal, and t4g.medium instances with Xenial (20210429); on upgrade of all three I got the following error:

grub-install: error: relocation 0x113 is not implemented yet.
Failed: grub-install --target=arm64-efi
WARNING: Bootloader is not properly installed, system may not be bootable

Log: https://paste.ubuntu.com/p/khgMBYH86N/
Script: https://paste.ubuntu.com/p/cnTHCd8hGQ/

Marking verification verification-failed-xenial

tags: added: verification-failed-xenial
removed: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted grub2-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.167~18.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted grub2-unsigned into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-xenial
removed: verification-failed-xenial
Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.167~16.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted grub2-unsigned into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.04-1ubuntu44.1.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

The relocation failure on install is not a regression vs 44.1 in -updates though, anyway. We should only fail on regressions, not make fixing additional issues requisites for verifying new issues.

But oh well, Steve fixed it, but I'd like to make sure we actually test the same things and don't come up with new tests each time that then fail but are not actually regressions compared to -updates.

Julian Andres Klode (juliank) wrote :

To be clear: This means the test case was wrong, as it was possible to construct systems where this worked before such as canonistack, but clearly there are also systems where the relocation becomes an issue at grub-install time.

I personally never tested on AWS (I have credentials somewhere, I think, used some in 2018), only Canonistack, but I'm reasonably certain that dannf did see the same relocation issue in 44.1 as well.

Joshua Powers (powersj) wrote :

# Xenial AWS Verification

## Test Steps

Booted AWS arm64 baremetal and VM systems
Ran the following script: https://paste.ubuntu.com/p/B5XPR8StXy/
Ensure system successfully reboots

## Results

Both systems successfully updated grub from proposed and rebooted

t4g.medium: https://paste.ubuntu.com/p/ys4hgfTfRm/
c6g.metal: https://paste.ubuntu.com/p/2RFYbCmFxh/

Joshua Powers (powersj) wrote :

# Bionic AWS Verification

## Test Steps

Booted AWS arm64 baremetal and VM systems
Ran the following script: https://paste.ubuntu.com/p/B5XPR8StXy/
Ensure system successfully reboots

## Results

t4g.medium: https://paste.ubuntu.com/p/QH8Xrr4Sck/
c6g.metal: https://paste.ubuntu.com/p/4q688QqC4v/

Both systems successfully updated grub from proposed and rebooted.

However, on the c6g.metal instance, while apt did not report an error, there were error messages printed out:

Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin
Setting up grub-efi-arm64-signed (1.167~18.04.5+2.04-1ubuntu44.1.2) ...

Can this error please either be fixed or explained in this bug before marking verification-done

Joshua Powers (powersj) wrote :

# GCE Verification

## Test Steps

Booted GCE amd64 systems with uEFI-only and uEFI+Secure Boot
Ran the following script: https://paste.ubuntu.com/p/BDwhF4KHZ2/
Ensure system successfully reboots

## Xenial Results

uEFI only: https://paste.ubuntu.com/p/vhxkYy5F43/
uEFI+Secure Boot: https://paste.ubuntu.com/p/hwr9Z4qdZB/

Both systems successfully rebooted.

## Bionic Results

The bionic systems did not have these files so removing and touching them was not done:

/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/grubx64.efi

uEFI only: https://paste.ubuntu.com/p/tMrs2jJrDc/
uEFI+Secure Boot: https://paste.ubuntu.com/p/xgwG6FVwCt/

Both systems successfully rebooted.

Joshua Powers (powersj) wrote :

Testing complete; if someone can explain the error messages in comment #15 we can mark this verification-done.

Dimitri John Ledkov (xnox) wrote :

```
However, on the c6g.metal instance, while apt did not report an error, there were error messages printed out:

Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_arm64.bin
Setting up grub-efi-arm64-signed (1.167~18.04.5+2.04-1ubuntu44.1.2) ...
```

Yes this is mostly harmless. dbxupdates are attempted, but never fatal, and will be retried on every boot, until they work. or not.

It is an indication that efivariable storage is not working, but also shouldn't matter on that instance type as it doesn't have UEFI secureboot.

Joshua Powers (powersj) wrote :

After verifying that the "error" messages in #15 are ignorable, marking this verification done.

tags: added: verification-done verification-done-bionic verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu44.1.2

---------------
grub2-unsigned (2.04-1ubuntu44.1.2) bionic; urgency=medium

  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support. LP: #1926748.

grub2-unsigned (2.04-1ubuntu44.1.1) bionic; urgency=medium

  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:12:58 -0700

Changed in grub2-unsigned (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167~16.04.6

---------------
grub2-signed (1.167~16.04.6) xenial; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.2. LP: #1926748.

grub2-signed (1.167~16.04.5) xenial; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.1.
  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:26:45 -0700

Changed in grub2-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote : Update Released

The verification of the Stable Release Update for grub2-unsigned has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.04-1ubuntu44.1.2

---------------
grub2-unsigned (2.04-1ubuntu44.1.2) bionic; urgency=medium

  * Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
    necessary arm relocation support. LP: #1926748.

grub2-unsigned (2.04-1ubuntu44.1.1) bionic; urgency=medium

  * debian/postinst.in: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:12:58 -0700

Changed in grub2-unsigned (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.167~18.04.5

---------------
grub2-signed (1.167~18.04.5) bionic; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.2. LP: #1926748.

grub2-signed (1.167~18.04.4) bionic; urgency=medium

  * Rebuild against grub2 2.04-1ubuntu44.1.1. LP: #1930742.

 -- Steve Langasek <email address hidden> Mon, 07 Jun 2021 13:25:54 -0700

Changed in grub2-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
Changed in grub2-signed (Ubuntu):
status: Invalid → Fix Released
Changed in grub2-unsigned (Ubuntu):
status: Invalid → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial
Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Joshua Powers (powersj) wrote :

# GCE Verification

## Test Steps

Booted GCE amd64 systems with uEFI-only and uEFI+Secure Boot
Ran the following script: https://paste.ubuntu.com/p/K2DpvcbYNG/
Ensure system successfully reboots

## Xenial Results

uEFI only: https://paste.ubuntu.com/p/kqjn5YbYCb/
uEFI+Secure Boot: https://paste.ubuntu.com/p/xZ5t24P7nr/

Both systems reboot successfully! Marking verification done.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-xenial
removed: verification-done verification-done-xenial
Joshua Powers (powersj) wrote :

# GCE Verification

## Test Steps

Booted GCE amd64 systems with uEFI-only and uEFI+Secure Boot
Ran the following script: https://paste.ubuntu.com/p/K2DpvcbYNG/
Ensure system successfully reboots

## Xenial Results

uEFI only: https://paste.ubuntu.com/p/nwcjCSVTRD/
uEFI+Secure Boot: https://paste.ubuntu.com/p/KZ8tS9zkKr/

Both systems reboot successfully! Marking verification done.

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---------------
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install. LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:04:57 +0200

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted grub2-unsigned into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.06-2ubuntu10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2-unsigned (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
removed: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu10

---------------
grub2-unsigned (2.06-2ubuntu10) jammy; urgency=medium

  [ Chris Coulson ]
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
      loader/efi/chainloader: grub_load_and_start_image doesn't load and start
    - 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
      loader/i386/efi/linux: Fix a memory leak in the initrd command
    - 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-...


Changed in grub2-unsigned (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote :

This has been rolled back to jammy-proposed due to LP: #1990684.

Changed in grub2-unsigned (Ubuntu Jammy):
status: Fix Released → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-unsigned - 2.06-2ubuntu10

Changed in grub2-unsigned (Ubuntu Jammy):
status: Fix Committed → Fix Released