Public bug reported:

[Impact]
Verification of the previous SRU, bug #1928674, exposed that we have a 
regression on xenial/arm64 cloud images because they boot from the removable 
media path, which is not updated by the maintainer scripts in those images; and 
because we have never supported the monolithic signed EFI executable on 
xenial/arm64, there is an ABI mismatch between the updated contents of 
/boot/grub and the not-updated contents of \EFI\boot\bootaa64.efi.

The fact that \EFI\boot is not updated on xenial cloud images is ALSO an
issue on amd64 - it doesn't lead to a boot failure there because we do
support secureboot on xenial/amd64, so the bootloader doesn't depend on
loading modules from /boot/grub; however, \EFI\boot not being updated
means that the systems still do not benefit from the updated grub, AND
are subject to boot failures in the future due to the fact that the old
shim has been revoked by Microsoft and these revocations may propagate
to the cloud instance's revocation database in nvram, one way or
another.

[Test Case]
- Boot an arm64 Ubuntu image in AWS
- Enable -proposed
- Upgrade the grub-efi-amd64 package
- Reboot
- Verify that the system comes up

- Boot an amd64 Ubuntu image in AWS
- rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- Enable -proposed
- Upgrade the grub-efi-amd64-signed package
- Reboot
- Verify that the system comes up
- rm /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- touch /boot/efi/EFI/BOOT/BOOTX64.EFI /boot/efi/EFI/BOOT/grubx64.efi
- Upgrade the shim-signed package
- Reboot
- Verify that the system comes up


[Where problems could occur]
Because there were no provisions in the cloud images at the time they were 
built for updates to \EFI\boot, the only practical way to fix this for existing 
images (which is where the upgrade bug is an issue) is by unconditionally 
installing to the removable media path on all systems as part of the upgrade.  
This means that non-cloud systems, which do not normally boot Ubuntu via 
\EFI\boot, will have the contents of \EFI\boot replaced when this was not 
previously the case (and contrary to the debconf setting).  In newer Ubuntu 
releases, we install to \EFI\boot unconditionally; but this is a behavior 
change in a stable series.  If a user has something other than Ubuntu grub+shim 
installed to \EFI\boot, this may be an unexpected behavior change from an SRU.
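As an added check, not part of the bug report or of the grub packaging, the script below compares the removable media path on a mounted ESP against the distro path that the maintainer scripts do update, so a stale \EFI\boot of the kind described above can be spotted before the reboot step. The EFI/BOOT file names are the ones from the test case; the EFI/ubuntu/shim*.efi and grub*.efi names are assumed from the usual Ubuntu grub-install layout.

```shell
#!/bin/sh
# Added example, not part of the bug report: detect a stale removable media
# path on the ESP. The EFI/BOOT file names come from the bug's test case;
# the EFI/ubuntu/shim*.efi and grub*.efi names are assumed from the usual
# Ubuntu grub-install layout and may differ on other installs.
# Usage: check_removable_path /boot/efi x64     (aa64 on arm64)
# Returns 0 when the removable path matches the distro path, 1 otherwise.

# Compare one removable-path file with its distro-path counterpart.
# Prints a verdict line; returns 0 only when both exist and are identical.
compare_pair() {
    removable="$1"; distro="$2"
    if [ ! -f "$distro" ]; then
        echo "MISSING $distro (no distro-path copy to compare against)"
        return 1
    fi
    if [ ! -f "$removable" ]; then
        echo "MISSING $removable (firmware fallback path never installed)"
        return 1
    fi
    if cmp -s "$removable" "$distro"; then
        echo "ok      $removable"
        return 0
    fi
    echo "STALE   $removable differs from $distro"
    return 1
}

# Check both files the firmware loads from the removable path:
# BOOT<ARCH>.EFI (shim) and grub<arch>.efi (the grub image shim chains to).
check_removable_path() {
    esp="$1"; arch="$2"; rc=0
    upper=$(printf '%s' "$arch" | tr '[:lower:]' '[:upper:]')
    compare_pair "$esp/EFI/BOOT/BOOT$upper.EFI" "$esp/EFI/ubuntu/shim$arch.efi" || rc=1
    compare_pair "$esp/EFI/BOOT/grub$arch.efi" "$esp/EFI/ubuntu/grub$arch.efi" || rc=1
    return $rc
}

# Run directly as: sh check-removable.sh /boot/efi x64
if [ "$#" -eq 2 ]; then
    check_removable_path "$1" "$2"
    exit $?
fi
```

A non-zero exit means the next package upgrade will again miss the path the firmware actually boots from, which is exactly the state the test case above provokes with rm/touch.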

** Affects: grub2-signed (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: grub2-unsigned (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: grub2-signed (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: grub2-unsigned (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: grub2-signed (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: grub2-unsigned (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Also affects: grub2-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: grub2-unsigned (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: grub2-unsigned (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: grub2-signed (Ubuntu)
       Status: New => Invalid

** Changed in: grub2-unsigned (Ubuntu)
       Status: New => Invalid

** Changed in: shim-signed (Ubuntu)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/1930742

Title:
  cloud images in xenial do not get their boot path updated because we
  don't call grub-install --force-extra-removable
