[Bug 1604499] Re: include loopback and squash4 modules in EFI binary

Adam Conrad adconrad at 0c3.net
Fri Jul 22 23:48:10 UTC 2016 

Hello Steve, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.2 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: grub2 (Ubuntu Xenial)
       Status: New => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1604499

Title:
  include loopback and squash4 modules in EFI binary

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  New
Status in grub2 source package in Xenial:
  Fix Committed
Status in grub2-signed source package in Xenial:
  New

Bug description:
  [SRU Justification]
  Development versions of snappy Ubuntu Core leverage grub's squashfs support to load kernels and initramfs directly from the kernel snap (which is a squashfs-format archive).  This requires the loopback and the squash4 grub modules to be loaded.

  Currently, neither of these modules is included in the signed EFI
  binaries, therefore this boot strategy is not compatible with
  SecureBoot.

  We should verify that the loopback and squash4 modules are suitable
  for inclusion in the signed binary, and include them.

  [Test case]
  1. Grab the snappy image from https://people.canonical.com/~mvo/all-snaps/amd64-all-snap.img.xz and uncompress it.
  2. Install grub-efi-amd64-signed from xenial-updates.
  3. Use kpartx to loop mount /dev/mapper/loopNp2.
  4. Replace boot/efi/BOOT/BOOTX64.EFI in the boot partition with /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed.
  5. Unmount the boot partition.
  6. Boot the image in a VM using UEFI firmware (not BIOS)
  7. Confirm that the image fails to boot with an error about the loopback command not found.
  8. Shut down the VM.
  9. Install grub-efi-amd64-signed from xenial-proposed.
  10. Mount the boot partition again.
  11. Replace boot/efi/BOOT/BOOTX64.EFI in the boot partition with /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed.
  12. Unmount the boot partition and remove the kpartx mapping.
  13. Boot the image in a VM again, using UEFI firmware.
  14. Confirm that the image boots successfully.

  [Regression potential]
  Minimal.  This SRU adds two additional modules to the UEFI boot images, which add a new command and a new filesystem driver respectively.  Users who do not have the 'loopback' command in their grub.cfg, and who do not have any squashfs filesystems as raw disks or partitions, should not see any behavior difference.  The added modules slightly increase the size of the grub images, from ~1.1MiB to ~1.2MiB.  This should not affect the usability of these bootloader images.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1604499/+subscriptions

More information about the foundations-bugs mailing list