[Bug 1696599] Re: backport/sync UEFI, Secure Boot support

Chris Halse Rogers chris at cooperteam.net
Wed Jun 21 00:43:25 UTC 2017


Just to be clear, what is the purpose of this backport? As you know,
“upstream has done more work” isn't usually justification for an SRU :)

Presumably this is expected to fix bugs and/or support new systems?
Could you give a brief run-down of what this fixes/newly supports?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1696599

Title:
  backport/sync UEFI, Secure Boot support

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in grub2 source package in Yakkety:
  New
Status in grub2-signed source package in Yakkety:
  New
Status in grub2 source package in Zesty:
  New
Status in grub2-signed source package in Zesty:
  New
Status in grub2 source package in Artful:
  Fix Released
Status in grub2-signed source package in Artful:
  Fix Released

Bug description:
  [Impact]
  Since the implementation of UEFI Secure Boot in Ubuntu, there have been a large number of changes to the EFI patchset, handled "upstream" at https://github.com/vathpela/grub2-fedora/tree/sb. This is a complex set of enablement patches across a number of packages. Most of them will be fairly straightforward backports, but there are a few known warts:

   * The included patches are based on grub2 2.02~beta3; as such, some
  patches require extra backporting effort of other pieces of the loader
  code down to releases that do not yet include 2.02~beta3 code.

  [Test Case]
  The desktop, server, and alternate install images should all boot and install on an SB-enabled system. I would recommend testing installations from both a CD and a USB stick. After each installation, validate that Secure Boot is enabled by checking /sys/firmware/efi/efivars/SecureBoot-*, as well as /sys/firmware/efi/efivars/Mok* variables (for the cases where shim validation may be disabled).

  Tests should include:
  - booting with Secure Boot enabled
  - booting with Secure Boot enabled, but shim validation disabled
  - booting with Secure Boot disabled, but still in EFI mode

  [Regression Potential]
  Check that non-SB installations of all these images still work. For this, it is sufficient to test with either a CD or a USB stick, but not necessarily both.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1696599/+subscriptions
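
The three boot states listed in the test case can be told apart from the efivars files the description names. The shell script below is an added example, not part of the bug report or of the grub2 or shim packages. It assumes the efivarfs file layout (a 4-byte attribute word before the payload) and that shim reports disabled validation through a variable named `MokSBStateRT`, a name the report does not give.

```shell
#!/bin/sh
# Added example: classify a booted system into one of the test-case states.
# Assumption: each efivarfs file is a 4-byte attribute word followed by the
# variable's payload, so the value byte sits at offset 4.

# Print the first payload byte of the first file matching glob $1 as a
# decimal number; print nothing if the variable is absent or too short.
efivar_byte() {
    for f in $1; do
        [ -e "$f" ] || continue
        od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n'
        return 0
    done
}

# $1: firmware directory (defaults to /sys/firmware/efi).
# Prints one of: legacy-bios, efi-sb-unknown, efi-sb-disabled,
# sb-enabled, sb-enabled-shim-validation-disabled.
sb_state() {
    fw=${1:-/sys/firmware/efi}
    if [ ! -d "$fw" ]; then
        echo "legacy-bios"        # not booted in EFI mode at all
        return 0
    fi
    sb=$(efivar_byte "$fw/efivars/SecureBoot-*")
    # Assumption: MokSBStateRT is present with value 1 only when shim
    # validation has been turned off; an absent variable means it is on.
    mok=$(efivar_byte "$fw/efivars/MokSBStateRT-*")
    case "$sb" in
        1)
            if [ "$mok" = "1" ]; then
                echo "sb-enabled-shim-validation-disabled"
            else
                echo "sb-enabled"
            fi
            ;;
        0) echo "efi-sb-disabled" ;;
        *) echo "efi-sb-unknown" ;;   # efivars not mounted or not readable
    esac
}

sb_state "$@"
```

Run after each installation and compare the printed state with the boot configuration under test; `efi-sb-unknown` means the variables could not be read and the check should be repeated with efivarfs mounted.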


