Merge ~juliank/grub/+git/bionic:master into ~ubuntu-core-dev/grub/+git/bionic:master

Proposed by Julian Andres Klode
Status: Needs review
Proposed branch: ~juliank/grub/+git/bionic:master
Merge into: ~ubuntu-core-dev/grub/+git/bionic:master
Diff against target: 66 lines (+17/-3)
3 files modified
debian/changelog (+7/-0)
debian/control (+1/-1)
debian/grub-check-signatures (+9/-2)
Reviewer: Steve Langasek (Status: Pending)
Review via email: mp+436705@code.launchpad.net
Julian Andres Klode (juliank) wrote:

Also uploaded to the SRU queue. Things to note:

1. most systems should have UEFI boot and BIOS boot in parallel so need this anyhow
2. focal and later have the Depends in grub-common too, just it uses the library instead of the tool.
3. we want to have one signed binary of grub across all stable series to reduce number of assets signed, and prevent regressions from toolchain differences. Especially older toolchains may just produce wrong code for EFI.

Julian Andres Klode (juliank) wrote:

Yes, the grub-check-signatures would be nicer with traps, but this is the exact code that's in all other stable series, not introducing regression potential now.

Unmerged commits

a6a8a56... by Julian Andres Klode

releasing package grub2 version 2.02-2ubuntu8.26

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index dd62890..b8b1a3d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
1grub2 (2.02-2ubuntu8.26) bionic; urgency=medium
2
3 * Have grub-common depend on efibootmgr on amd64, arm64, i386 (LP: #1936857)
4 * grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
5
6 -- Julian Andres Klode <juliank@ubuntu.com> Wed, 01 Feb 2023 18:49:01 +0100
7
1grub2 (2.02-2ubuntu8.25) bionic; urgency=medium8grub2 (2.02-2ubuntu8.25) bionic; urgency=medium
29
3 [ Colin Watson ]10 [ Colin Watson ]
diff --git a/debian/control b/debian/control
index 708ba7b..92ae551 100644
--- a/debian/control
+++ b/debian/control
@@ -72,7 +72,7 @@ Description: GRand Unified Bootloader, version 2 (dummy package)
72Package: grub-common72Package: grub-common
73Priority: optional73Priority: optional
74Architecture: any74Architecture: any
75Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}75Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}, efibootmgr [amd64 arm64 i386]
76Replaces: grub-pc (<< 2.00-4), grub-ieee1275 (<< 2.00-4), grub-efi (<< 1.99-1), grub-coreboot (<< 2.00-4), grub-linuxbios (<< 1.96+20080831-1), grub-efi-ia32 (<< 2.00-4), grub-efi-amd64 (<< 2.00-4), grub-efi-ia64 (<< 2.00-4), grub-yeeloong (<< 2.00-4)76Replaces: grub-pc (<< 2.00-4), grub-ieee1275 (<< 2.00-4), grub-efi (<< 1.99-1), grub-coreboot (<< 2.00-4), grub-linuxbios (<< 1.96+20080831-1), grub-efi-ia32 (<< 2.00-4), grub-efi-amd64 (<< 2.00-4), grub-efi-ia64 (<< 2.00-4), grub-yeeloong (<< 2.00-4)
77Recommends: os-prober (>= 1.33)77Recommends: os-prober (>= 1.33)
78Suggests: multiboot-doc, grub-emu [any-i386 any-amd64 any-powerpc], xorriso (>= 0.5.6.pl00), desktop-base (>= 4.0.6), console-setup78Suggests: multiboot-doc, grub-emu [any-i386 any-amd64 any-powerpc], xorriso (>= 0.5.6.pl00), desktop-base (>= 4.0.6), console-setup
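
Review bot: the new `efibootmgr [amd64 arm64 i386]` entry sits on the Depends line of grub-common, so it becomes a hard dependency on those architectures whether or not the machine boots via UEFI, and nothing in debian/changelog or debian/control records why Depends was chosen over Recommends. The proposal description gives the reasons (UEFI and BIOS boot installed in parallel, parity with focal and later); consider carrying one sentence of that into the changelog entry so the rationale stays with the package.
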
diff --git a/debian/grub-check-signatures b/debian/grub-check-signatures
index 3d41c3c..edc171e 100755
--- a/debian/grub-check-signatures
+++ b/debian/grub-check-signatures
@@ -54,8 +54,13 @@ extract_known_keys() {
5454
55# Check if a given kernel image is signed55# Check if a given kernel image is signed
56is_signed() {56is_signed() {
57 kernel=$1
57 tmp=$(mktemp)58 tmp=$(mktemp)
58 sbattach --detach $tmp $1 >/dev/null 2>/dev/null # that's ugly...59 kernel_tmp=$(mktemp)
60 if zcat $kernel > $kernel_tmp 2>/dev/null; then
61 kernel=$kernel_tmp
62 fi
63 sbattach --detach $tmp $kernel >/dev/null 2>/dev/null # that's ugly...
59 test "$(wc -c < $tmp)" -ge 16 # Just _some_ minimum size64 test "$(wc -c < $tmp)" -ge 16 # Just _some_ minimum size
60 result=$?65 result=$?
61 if [ $result -eq 0 ]; then66 if [ $result -eq 0 ]; then
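
Review bot: in `zcat $kernel > $kernel_tmp` and the following `sbattach --detach $tmp $kernel` line the variables are expanded unquoted, and the result of the second `mktemp` is not checked, so a kernel path containing whitespace or a failed `mktemp` changes what these commands operate on. Suggest quoting `"$kernel"`, `"$kernel_tmp"` and `"$tmp"` throughout the function and returning early if `mktemp` fails. The comment above `is_signed()` could also mention that gzip-compressed images are decompressed to a temporary copy before the signature is checked.
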
@@ -64,9 +69,10 @@ is_signed() {
64 rm $tmp69 rm $tmp
65 if [ $result -eq 0 ]; then70 if [ $result -eq 0 ]; then
66 for crtfile in $tmpdir/*.crt; do71 for crtfile in $tmpdir/*.crt; do
67 sbverify --cert $crtfile $1 >/dev/null 2>/dev/null72 sbverify --cert $crtfile $kernel >/dev/null 2>/dev/null
68 result=$?73 result=$?
69 if [ $result -eq 0 ]; then74 if [ $result -eq 0 ]; then
75 rm "$kernel_tmp"
70 return $result;76 return $result;
71 fi77 fi
72 done78 done
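
Review bot: the early `return $result;` inside the certificate loop needs its own `rm "$kernel_tmp"`, duplicating the one added before the final `return`, so any return path added later will leave the decompressed kernel copy behind in the temporary directory. Consider recording the result and using `break` so that a single cleanup at the end of the function covers every path. `sbverify --cert $crtfile $kernel` also expands `$kernel` unquoted.
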
@@ -75,6 +81,7 @@ is_signed() {
75 else81 else
76 echo "$1 is unsigned." >&282 echo "$1 is unsigned." >&2
77 fi83 fi
84 rm "$kernel_tmp"
78 return $result85 return $result
79}86}
8087
