
group.of.nepali.translators team mailing list archive

[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

 

Superseded by LP: #1708245 for trusty.

** Changed in: grub2 (Ubuntu Trusty)
       Status: New => Won't Fix

** Changed in: grub2-signed (Ubuntu Trusty)
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1696599

Title:
  backport/sync UEFI, Secure Boot support

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Trusty:
  Won't Fix
Status in grub2-signed source package in Trusty:
  Won't Fix
Status in grub2 source package in Xenial:
  Fix Released
Status in grub2-signed source package in Xenial:
  Fix Released
Status in grub2 source package in Yakkety:
  Won't Fix
Status in grub2-signed source package in Yakkety:
  Won't Fix
Status in grub2 source package in Zesty:
  Fix Released
Status in grub2-signed source package in Zesty:
  Fix Released
Status in grub2 source package in Artful:
  Fix Released
Status in grub2-signed source package in Artful:
  Fix Released

Bug description:
  [Impact]
  Since the implementation of UEFI Secure Boot in Ubuntu, there has been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb.

  This SRU is handled as a wholesale "sync" with a known set of patches
  rather than individual cherry-picks given the high risk in cherry-
  picking individual changes; we do not want to risk subtly breaking
  Secure Boot support or introducing a security issue due to using
  different sets of patches across our currently supported releases.
  Using a common set of patches across releases and making sure we're in
  sync with "upstream" for that particular section of the grub2 codebase
  (specifically, UEFI/SB support is typically outside the GNU GRUB tree)
  allows us to make sure UEFI Secure Boot remains supportable and that
  potential security issues are easy to fix quickly given the complexity
  of the codebase.

  This is a complex set of enablement patches; most of them will be
  fairly straightforward backports, but there are a few known warts:

   * The included patches are based on grub2 2.02~beta3; as such, some
  patches require extra backporting effort of other pieces of the loader
  code down to releases that do not yet include 2.02~beta3 code.

  [Test Case]
  The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. After each installation, validate that Secure Boot is enabled by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as /sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation may be disabled).

  Tests should include:
  - booting with Secure Boot enabled
  - booting with Secure Boot enabled, but shim validation disabled
  - booting with Secure Boot disabled, but still in EFI mode

  [Regression Potential]
  Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1696599/+subscriptions
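
The post-install check from the [Test Case] section, as an added example that is not part of the original bug report: it classifies a system into the three boot states listed there, plus the non-EFI case from [Regression Potential]. The function names, the state labels, the `MokSBStateRT` variable name and the efivarfs layout (4 attribute bytes before the data) are assumptions not stated in the report.

```shell
#!/bin/sh
# Added example: classify Secure Boot state from efivarfs.
# Assumption: each efivarfs file holds 4 bytes of attributes followed by
# the variable data, so a one-byte value is the 5th byte of the file.

EFIVARS_DEFAULT=/sys/firmware/efi/efivars

# efivar_byte DIR NAME: print the first data byte of DIR/NAME-<guid> as a
# decimal number, or print nothing if the variable does not exist.
efivar_byte() {
    for f in "$1"/"$2"-*; do
        [ -r "$f" ] || continue
        od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
        return 0
    done
    return 0
}

# sb_state [DIR]: print one of
#   not-efi                              no efivars directory (legacy boot)
#   efi-sb-disabled                      EFI mode, SecureBoot is not 1
#   sb-enabled                           SecureBoot is 1, shim validating
#   sb-enabled-shim-validation-disabled  SecureBoot is 1, MokSBStateRT is 1
sb_state() {
    dir=${1:-$EFIVARS_DEFAULT}
    [ -d "$dir" ] || { echo not-efi; return 0; }
    sb=$(efivar_byte "$dir" SecureBoot)
    # Assumption: shim mirrors a disabled-validation setting into the
    # runtime variable MokSBStateRT (one of the Mok* variables).
    mok=$(efivar_byte "$dir" MokSBStateRT)
    if [ "$sb" != 1 ]; then
        echo efi-sb-disabled
    elif [ "$mok" = 1 ]; then
        echo sb-enabled-shim-validation-disabled
    else
        echo sb-enabled
    fi
}
```

Run `sb_state` with no argument on the installed system, or pass a directory of captured variables to check them offline.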

