Merge ~juliank/grub/+git/bionic:master into ~ubuntu-core-dev/grub/+git/bionic:master

Proposed by Julian Andres Klode
Status: Needs review
Proposed branch: ~juliank/grub/+git/bionic:master
Merge into: ~ubuntu-core-dev/grub/+git/bionic:master
Diff against target: 66 lines (+17/-3)
3 files modified
debian/changelog (+7/-0)
debian/control (+1/-1)
debian/grub-check-signatures (+9/-2)
Reviewer: Steve Langasek
Review status: Pending
Review via email: mp+436705@code.launchpad.net
Julian Andres Klode (juliank) wrote:

Also uploaded to the SRU queue. Things to note:

1. Most systems should have UEFI boot and BIOS boot in parallel, so need this anyhow.
2. Focal and later have the Depends in grub-common too, just it uses the library instead of the tool.
3. We want to have one signed binary of grub across all stable series to reduce the number of assets signed, and prevent regressions from toolchain differences. Especially older toolchains may just produce wrong code for EFI.

Julian Andres Klode (juliank) wrote:

Yes, the grub-check-signatures would be nicer with traps, but this is the exact code that's in all other stable series, not introducing regression potential now.

Unmerged commits

a6a8a56... by Julian Andres Klode

releasing package grub2 version 2.02-2ubuntu8.26

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index dd62890..b8b1a3d 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+grub2 (2.02-2ubuntu8.26) bionic; urgency=medium
7+
8+ * Have grub-common depend on efibootmgr on amd64, arm64, i386 (LP: #1936857)
9+ * grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
10+
11+ -- Julian Andres Klode <juliank@ubuntu.com> Wed, 01 Feb 2023 18:49:01 +0100
12+
13 grub2 (2.02-2ubuntu8.25) bionic; urgency=medium
14
15 [ Colin Watson ]
16diff --git a/debian/control b/debian/control
17index 708ba7b..92ae551 100644
18--- a/debian/control
19+++ b/debian/control
20@@ -72,7 +72,7 @@ Description: GRand Unified Bootloader, version 2 (dummy package)
21 Package: grub-common
22 Priority: optional
23 Architecture: any
24-Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}
25+Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}, efibootmgr [amd64 arm64 i386]
26 Replaces: grub-pc (<< 2.00-4), grub-ieee1275 (<< 2.00-4), grub-efi (<< 1.99-1), grub-coreboot (<< 2.00-4), grub-linuxbios (<< 1.96+20080831-1), grub-efi-ia32 (<< 2.00-4), grub-efi-amd64 (<< 2.00-4), grub-efi-ia64 (<< 2.00-4), grub-yeeloong (<< 2.00-4)
27 Recommends: os-prober (>= 1.33)
28 Suggests: multiboot-doc, grub-emu [any-i386 any-amd64 any-powerpc], xorriso (>= 0.5.6.pl00), desktop-base (>= 4.0.6), console-setup
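
Review bot: the `efibootmgr [amd64 arm64 i386]` entry added to the `Depends:` line of grub-common is a hard dependency, so it is also installed on machines of those architectures that only ever boot via BIOS. The changelog entry in this diff only cites LP: #1936857; a short statement there of why this is a Depends rather than a Recommends would help whoever reviews the SRU.
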
29diff --git a/debian/grub-check-signatures b/debian/grub-check-signatures
30index 3d41c3c..edc171e 100755
31--- a/debian/grub-check-signatures
32+++ b/debian/grub-check-signatures
33@@ -54,8 +54,13 @@ extract_known_keys() {
34
35 # Check if a given kernel image is signed
36 is_signed() {
37+ kernel=$1
38 tmp=$(mktemp)
39- sbattach --detach $tmp $1 >/dev/null 2>/dev/null # that's ugly...
40+ kernel_tmp=$(mktemp)
41+ if zcat $kernel > $kernel_tmp 2>/dev/null; then
42+ kernel=$kernel_tmp
43+ fi
44+ sbattach --detach $tmp $kernel >/dev/null 2>/dev/null # that's ugly...
45 test "$(wc -c < $tmp)" -ge 16 # Just _some_ minimum size
46 result=$?
47 if [ $result -eq 0 ]; then
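
Review bot: in `is_signed`, the added `zcat $kernel > $kernel_tmp` and `sbattach --detach $tmp $kernel` lines expand `$kernel` and `$kernel_tmp` unquoted, while the cleanup added later in this diff quotes `"$kernel_tmp"`. A kernel path containing whitespace or glob characters would be split before it reaches zcat or sbattach, so the signature check could run on something other than the named file; quoting both expansions avoids that. The result of the second `mktemp` is also not checked: if it fails, `kernel_tmp` is empty, the redirect fails, the `if` branch is not taken, and a gzip-compressed kernel is then checked in its compressed form without any diagnostic.
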
48@@ -64,9 +69,10 @@ is_signed() {
49 rm $tmp
50 if [ $result -eq 0 ]; then
51 for crtfile in $tmpdir/*.crt; do
52- sbverify --cert $crtfile $1 >/dev/null 2>/dev/null
53+ sbverify --cert $crtfile $kernel >/dev/null 2>/dev/null
54 result=$?
55 if [ $result -eq 0 ]; then
56+ rm "$kernel_tmp"
57 return $result;
58 fi
59 done
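
Review bot: the `rm "$kernel_tmp"` added before `return $result;` inside the `for crtfile` loop means the decompressed copy is now cleaned up in two separate places, here and at the end of the function. Any return path added later has to repeat the same line or the temporary kernel image is left behind. If the code after the loop allows it, leaving the loop with `break` and relying on the single `rm` before the final `return $result` would give the function one exit that removes the file, without needing a trap.
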
60@@ -75,6 +81,7 @@ is_signed() {
61 else
62 echo "$1 is unsigned." >&2
63 fi
64+ rm "$kernel_tmp"
65 return $result
66 }
67
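
Review bot: the final `rm "$kernel_tmp"` has no `-f`, so when `mktemp` failed earlier and `kernel_tmp` is empty, `rm` writes its own error to stderr next to the "is unsigned" message. `rm -f "$kernel_tmp"` keeps the output of `is_signed` limited to the messages the script intends. Keeping `$1` rather than `$kernel` in the `echo "$1 is unsigned."` context line is right, since `$kernel` may now point at the temporary file.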
