group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #15234
[Bug 1696599] Re: backport/sync UEFI, Secure Boot support
This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.12
---------------
grub2 (2.02~beta2-36ubuntu3.12) xenial; urgency=medium
* debian/patches: Rework linuxefi/SecureBoot support and sync with upstream
SB patch set: (LP: #1696599)
- linuxefi_backport_arm64.patch: backport basic arm64 chainload/linux
command support from 17.04.
- linuxefi_arm_sb_support.patch: add Secure Boot support for arm for its
chainloader.
- linuxefi_fix_validation_race.patch: Fix a race in validating images.
- linuxefi_chainloader_path.patch: honor the starting path for grub, so
images do not need to be started from $root.
- linuxefi_chainloader_sb.patch: Fix some more issues in chainloader use
when Secure Boot is enabled.
- linuxefi_loaders_enforce_sb.patch: Enforce Secure Boot policy for all
loaders: don't load the commands when Secure Boot is enabled.
- linuxefi_re-enable_linux_cmd.patch: Since we rely on the linux and
initrd commands to automatically hand-off to linuxefi/initrdefi; re-
enable the linux loader.
- linuxefi_chainloader_pe_fixes.patch: PE parsing fixes for chainloading
"special" PE images, such as Windows'.
- linuxefi_rework_non-sb_cases.patch: rework cases where Secure Boot is
disabled or shim validation is disabled so loading works as EFI binaries
when it is supposed to.
- Removed linuxefi_require_shim.patch; superseded by the above.
(LP: #1689687)
* debian/patches/git_tsc_use_alt_delay_sources_d43a5ee6.patch: refreshed.
* debian/patches/arm64-set-correct-length-of-device-path-end-entry.patch:
dropped; included in linuxefi_backport_arm64.patch.
-- Mathieu Trudel-Lapierre <cyphermox@xxxxxxxxxx> Thu, 08 Jun 2017
10:16:17 -0700
** Changed in: grub2 (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** Changed in: grub2-signed (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1696599
Title:
backport/sync UEFI, Secure Boot support
Status in grub2 package in Ubuntu:
Fix Released
Status in grub2-signed package in Ubuntu:
Fix Released
Status in grub2 source package in Trusty:
New
Status in grub2-signed source package in Trusty:
New
Status in grub2 source package in Xenial:
Fix Released
Status in grub2-signed source package in Xenial:
Fix Released
Status in grub2 source package in Yakkety:
Won't Fix
Status in grub2-signed source package in Yakkety:
Won't Fix
Status in grub2 source package in Zesty:
Fix Released
Status in grub2-signed source package in Zesty:
Fix Released
Status in grub2 source package in Artful:
Fix Released
Status in grub2-signed source package in Artful:
Fix Released
Bug description:
[Impact]
Since the implementation of UEFI Secure Boot in Ubuntu, there has been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb.
This SRU is handled as a wholesale "sync" with a known set of patches
rather than individual cherry-picks given the high risk in cherry-
picking individual changes; we do not want to risk subtly breaking
Secure Boot support or introducing a security issue due to using
different sets of patches across our currently supported releases.
Using a common set of patches across releases and making sure we're in
sync with "upstream" for that particular section of the grub2 codebase
(specifically, UEFI/SB support is typically outside the GNU GRUB tree)
allows us to make sure UEFI Secure Boot remains supportable and that
potential security issues are easy to fix quickly given the complexity
of the codebase.
This is a complex set of enablement patches; most of them will be
fairly straightforward backports, but there are a few known warts:
* The included patches are based on grub2 2.02~beta3; as such, some
patches require extra backporting effort of other pieces of the loader
code down to releases that do not yet include 2.02~beta3 code.
[Test Case]
The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. After each installation, validate that Secure Boot is enabled by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as /sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation may be disabled).
Tests should include:
- booting with Secure Boot enabled
- booting with Secure Boot enabled, but shim validation disabled
- booting with Secure Boot disabled, but still in EFI mode
[Regression Potential]
Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1696599/+subscriptions
References