[Bug 1075181] Re: Backport UEFI Secure Boot support for Ubuntu 12.04.2

Launchpad Bug Tracker 1075181 at bugs.launchpad.net
Thu Jan 3 18:46:21 UTC 2013


This bug was fixed in the package grub2 - 1.99-21ubuntu3.7

---------------
grub2 (1.99-21ubuntu3.7) precise-proposed; urgency=low

  * Fix backport mistake that caused grub.cfg not to be created in $efidir
    if UEFI Secure Boot is enabled.
  * When installing to removable media with UEFI Secure Boot, install
    gcdx64.efi.signed rather than grubx64.efi.signed.
  * Make gcdx64.efi.signed fall back to sourcing $prefix/grub.cfg if
    $prefix/x86_64-efi/grub.cfg is missing, as is likely when using
    'grub-install --removable'.

grub2 (1.99-21ubuntu3.6) precise-proposed; urgency=low

  * Fix backport mistake in patch to install signed images if UEFI Secure
    Boot is enabled.

grub2 (1.99-21ubuntu3.5) precise-proposed; urgency=low

  * Backport several changes to support Secure Boot patches.
  * Add Secure Boot patches from Ubuntu 12.10 and Fedora (LP: #1075181):
    - Don't permit loading modules on UEFI secure boot.
    - Add efifwsetup module to reboot into firmware setup menu.
    - Add "linuxefi" loader which avoids ExitBootServices.
    - Only build linuxefi on amd64.
    - Make linuxefi refuse to boot without shim.
    - Make the linux module call linuxefi when necessary, simplifying
      configuration.
    - If secure boot is enabled and the kernel is signed, linux will call
      linuxefi to hand over to it without calling ExitBootServices.
    - Otherwise, linux will fall through to previous code, call
      ExitBootServices itself, and boot the kernel normally.
    - Change linuxefi to return GRUB_ERR_ACCESS_DENIED rather than
      GRUB_ERR_INVALID_COMMAND in the case of an invalid signature, to make
      it easier to implement different handling of unsigned kernels in
      future if necessary.
    - Generate configuration for signed UEFI kernels if available.
    - Install signed images if UEFI Secure Boot is enabled.
    - Output a menu entry for firmware setup on UEFI FastBoot systems.
    - Add some extra debugging to signed/unsigned kernel logic.
    - On amd64, build two images for signing: one with prefix /EFI/BOOT for
      use on removable media, and one with prefix /EFI/ubuntu (and with the
      lvm, mdraid09, and mdraid1x modules added) for use on fixed disks.
 -- Colin Watson <cjwatson at ubuntu.com>   Mon, 10 Dec 2012 11:31:09 +0000

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to livecd-rootfs in Ubuntu.
https://bugs.launchpad.net/bugs/1075181

Title:
  Backport UEFI Secure Boot support for Ubuntu 12.04.2

Status in Ubuntu CD image build software:
  Fix Released
Status in “base-installer” package in Ubuntu:
  Fix Released
Status in “debian-installer” package in Ubuntu:
  Fix Released
Status in “grub-installer” package in Ubuntu:
  Fix Released
Status in “grub2” package in Ubuntu:
  Fix Released
Status in “grub2-signed” package in Ubuntu:
  Fix Released
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-meta-lts-quantal” package in Ubuntu:
  Fix Released
Status in “linux-signed-lts-quantal” package in Ubuntu:
  Invalid
Status in “livecd-rootfs” package in Ubuntu:
  Fix Released
Status in “sbsigntool” package in Ubuntu:
  Fix Released
Status in “shim” package in Ubuntu:
  Fix Released
Status in “shim-signed” package in Ubuntu:
  Fix Released
Status in “ubiquity” package in Ubuntu:
  Fix Released
Status in “ubuntu-defaults-builder” package in Ubuntu:
  Fix Released
Status in “base-installer” source package in Precise:
  Fix Released
Status in “debian-installer” source package in Precise:
  Fix Released
Status in “grub-installer” source package in Precise:
  Fix Released
Status in “grub2” source package in Precise:
  Fix Released
Status in “grub2-signed” source package in Precise:
  Fix Released
Status in “linux-lts-quantal” source package in Precise:
  Fix Released
Status in “linux-signed-lts-quantal” source package in Precise:
  Fix Committed
Status in “livecd-rootfs” source package in Precise:
  Fix Released
Status in “sbsigntool” source package in Precise:
  Fix Released
Status in “shim” source package in Precise:
  Fix Committed
Status in “shim-signed” source package in Precise:
  Fix Committed
Status in “ubiquity” source package in Precise:
  Fix Released
Status in “ubuntu-defaults-builder” source package in Precise:
  Fix Released

Bug description:
  [Impact]

  Since systems are beginning to come out with UEFI Secure Boot enabled
  by default if they haven't already, we need to backport this support
  from 12.10 to 12.04.2.  This is a complex set of enablement patches
  across a number of packages.  Most of them will be fairly
  straightforward backports, but there are a few known warts:

   * The grub2 support was built on 2.00, and depends on first backporting a number of other patches (mostly Unicode handling changes and UEFI variable support) to 1.99.
   * 12.04.2 will have an alternate install image, which was removed from 12.10.  Installer support here should be mostly the same as for the server image, but we have stricter space constraints and may need to adjust the way the signed kernel is delivered to deal with this.  Andy Whitcroft and I have a plan for this which we'll implement between us in raring.

  [Test Case]

  The desktop, server, and alternate install images should all boot and
  install on an SB-enabled system.  I would recommend testing
  installations from both a CD and a USB stick.  After each
  installation, use debsums to check that kernel checksums are correct.

  [Regression Potential]

  Check that non-SB installations of all these images still work.  For
  this, it is sufficient to test with either a CD or a USB stick, but
  not necessarily both.
