← Back to team overview

kernel-packages team mailing list archive

[Bug 1544809] Re: kernel security update fails if a 2nd Ubuntu on same machine

 

Reassigning to grub2, which seems more appropriate at a quick glance.
I'll look to reproduce this tomorrow.

** Package changed: linux (Ubuntu) => grub2 (Ubuntu)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1544809

Title:
  kernel security update fails if a 2nd Ubuntu on same machine

Status in grub2 package in Ubuntu:
  Incomplete

Bug description:
  There is a security issue when multiple instances of Ubuntu (or other
  distributions) are installed on the same hardware.  In my case I have
  14.04 LTS and 16.04 alpha (plus some others).

  After installing 14.04 LTS as the main system on an UEFI machine there
  is a file, </boot/efi/EFI/ubuntu/grub.cfg> that effectively points to
  whichever installation has control of the boot process and which
  instance of GRUB2 gets run.  If a second install, for example, a test
  of 16.04 alpha, is made then that file is over written.

  Rebooting 14.04 LTS via 16.04 alpha's GRUB2 or other means and
  installing a standard kernel security update does NOT make the new
  kernel available on subsequent reboots because even though 14.04 LTS's
  GRUB2 has been updated it is never run.  16.04 alpha's GRUB2 (which is
  ignorant of 14.04 LTS's update) is run because that is what
  </boot/efi/EFI/ubuntu/grub.cfg> points to.

  There are many ways to fix this problem.

  1)
  Make all installations maintain a link to the most recent kernel.  Ubuntu does this, there are links in the root directory current and old of kernel and intrd.  Make all boot loaders look for those links.  If Ubuntu configured GRUB2 to look for /vmlinuz it could find the current kernel even if the kernel had been upgraded after GRUB2 was updated.  Ubuntu configured GRUB2 does not do this.  Of course it is impossible to get all software from all sources to "play nice", but you could make multiple installations of Ubuntu co-operate with each other.  

  2)
  Check where </boot/efi/EFI/ubuntu/grub.cfg> points to and "take it back", if necessary.  
  Modified </etc/kernel/postinst.d/zz-update-grub> attached.  

  3)
  Use an EFI style boot loader on EFI machines.  There is an Ubuntu repository for rEFInd, which has worked well for me.  This has the added advantage that if anyone makes a test installation like 16.04 alpha and then deletes it (not an unreasonable thing to do with an alpha release) then the machine does not become unbootable - because </boot/efi/EFI/ubuntu/grub.cfg> would be pointing to an non-existent instance of GRUB2.  BTW rEFInd and GRUB2 can be made to co-exist in various way, if you want.  

  END)

  I can not see how to make an attachment to this bug report, so I will paste my zz-update-grub here as text, and ubuntu-bug did not work for me.
  <cut-n-paste from terminal>
  $ ubuntu-bug linux
  usage: whoopsie-upload-all [-h] [-t TIMEOUT]
  whoopsie-upload-all: error: unrecognized arguments: linux
  <\cut-n-paste from terminal>

  <cut-n-paste of my /etc/kernel/postinst.d/zz-update-grub>
  #! /bin/sh
  set -e

  which update-grub >/dev/null 2>&1 || exit 0

  if type running-in-container >/dev/null 2>&1 && \
     running-in-container >/dev/null; then
          exit 0
  fi

  set -- $DEB_MAINT_PARAMS
  mode="${1#\'}"
  mode="${mode%\'}"
  case $0:$mode in
      # Only run on postinst configure and postrm remove, to avoid wasting
      # time by calling update-grub multiple times on upgrade and removal.
      # Also run if we have no DEB_MAINT_PARAMS, in order to work with old
      # kernel packages.
      */postinst.d/*:|*/postinst.d/*:configure|*/postrm.d/*:|*/postrm.d/*:remove)
          CFG1='/boot/efi/EFI/ubuntu/grub.cfg'
          CFG2='/boot/grub/grub.cfg'
          if [ -e $CFG1 ]; then
                  # This is an EFI system.
                  # Does that config file point to this installation?
                  # Get UUID of installation that that file points to
                  UUID=$(grep "\<[[:xdigit:]-]\{36\}\>" $CFG1 \
                          | cut --delimiter=' ' --fields=2)
                  # Is file format stable?
                  # Could use "sed" rather than "cut" to find UUID.
                  # UUID=$(sed -n -e 's/^.*\(\<[[:xdigit:]-]\{36\}\>\).*$/\1/p' $CFG1)

                  # Get device name for this installation
                  # Spaces are needed, in case grub2 is on the root partition.
                  DEVICE=$(mount \
                          | grep " $(df --output=target $CFG2 \
                          | tail --lines=1) " \
                          | cut --delimiter=' ' --fields=1)

                  # Do they both have the same line in blkid?
                  if [    "$(blkid | grep $DEVICE)" \
                          != \
                          "$(blkid | grep $UUID)" ] ;
                  then
                          # They do NOT match.  
                          # That EFI entry does not point to this installation.  
                          # Configuring grub on this installation is pointless.  
                          # Options; 
                          #       hope that the other installation(s) is well configured 
                          #       (Ubuntu 16.04 alpha is not) AND/OR GETS RUN, or
                          #       reINSTALL (not reconfigure) grub2 on this installation.
                          exec grub-install
                  fi
                  # Fall through, that grubx64.efi file WILL find this installation.  
                  # Reconfigure only.
          fi
          # Fall through, not evan an EFI system, reconfigure only.
          if [ -e $CFG2 ]; then
                  exec update-grub
          fi
          #Fall through, is grub not installed on this system?
          ;;
  esac

  exit 0
  ~
  ~        
  :set nolist                                                                                                                                  1,1           All
  <\cut-n-paste of my /etc/kernel/postinst.d/zz-update-grub>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1544809/+subscriptions