[Bug 1923635] [NEW] ubuntu must support upgrading images with grub in removable path

Dimitri John Ledkov 1923635 at bugs.launchpad.net
Tue Apr 13 16:07:32 UTC 2021


*** This bug is a security vulnerability ***

Public security bug reported:

ubuntu must support upgrading images with grub in removable path

Currently, whilst we install shim into the removable path, we never
upgrade grubx64.efi in the removable path.

This leads to inconsistent behavior, where the upgraded shim will boot
grubx64.efi from /boot/grubx64.efi which might lack sbat sections and
thus will not boot.

Either we need to support upgrading grubx64.efi in /boot/*.efi, or remove
it whenever we install a new shim into /boot/bootx64.efi.

** Affects: grub2 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Public to Public Security

** Also affects: shim-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: shim (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1923635
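
The condition the report names, a grub image with no sbat section left behind next to a newer shim, can be checked by reading the PE section table of each EFI binary. The following is an added example, not part of the bug report or of Ubuntu's tooling; the function names and the sample images (header-only PE files built inline) are constructed for illustration, and it tests only for the presence of a .sbat section.

```python
import struct

def pe_section_names(image: bytes) -> list[str]:
    """Return the section names listed in a PE/COFF image's section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table follows the optional header.
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size
    names = []
    for i in range(n_sections):
        raw = image[table + 40 * i: table + 40 * i + 8]      # 8-byte Name field
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def has_sbat(image: bytes) -> bool:
    """True if the image carries a .sbat section (presence only)."""
    return ".sbat" in pe_section_names(image)

def missing_sbat(images: dict[str, bytes]) -> list[str]:
    """Labels of the images that have no .sbat section."""
    return sorted(label for label, img in images.items() if not has_sbat(img))

def build_sample_pe(section_names: list[str]) -> bytes:
    """Constructed header-only PE (not bootable), used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    # Constructed samples standing in for an old and a rebuilt grub image.
    samples = {
        "grub-old (constructed)": build_sample_pe([".text", ".data", ".reloc"]),
        "grub-new (constructed)": build_sample_pe([".text", ".data", ".sbat"]),
    }
    for label in missing_sbat(samples):
        print(f"{label}: no .sbat section")
```

To check real files, pass `open(path, "rb").read()` for each EFI binary on the ESP to `has_sbat`.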