[Bug 2029518] Re: Publish grub updates to security
Mark Esler
2029518 at bugs.launchpad.net
Thu Sep 7 00:44:39 UTC 2023
Copying these specific binaries from -updates to -security should be
safe.
To verify this I have installed Focal and Jammy using the original
install media to a laptop and VMs running secure boot. Software updates
are disabled during OS install. After install, I configured apt to only
use the -release and -security pocket and disabled APT recommends and
suggestions. Using this APT configuration I ran apt update and upgrade
to install the latest -security updates and rebooted. On these -security
updated systems, I then enabled the -updates pocket and apt installed
the binaries of the packages listed in this bug and rebooted,
successfully. This testing was attempted many times and I believe this
binary copy is safe.
The new grub may use features in a recent version of mokutil. A no-change
rebuild of mokutil was added to security-proposed. The above test
passes without mokutil on both releases. Regardless, mokutil will be
staged to publish in -security before the -updates binaries are copied.
The following is the output from a jammy system in the environment
described above installing the -updates packages:
ubuntu at sb-jammy-original-sansmokutil-amd64:~$ sudo apt install grub-efi-amd64 grub-efi-amd64-signed grub-efi-amd64-bin grub-efi-amd64-dbg shim shim-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
grub-efi-amd64-bin is already the newest version (2.06-2ubuntu14.1).
grub-efi-amd64-signed is already the newest version (1.187.3~22.04.1+2.06-2ubuntu14.1).
shim-signed is already the newest version (1.51.3+15.7-0ubuntu1).
The following packages will be REMOVED:
grub-gfxpayload-lists grub-pc
The following NEW packages will be installed:
grub-efi-amd64 grub-efi-amd64-dbg shim
0 upgraded, 3 newly installed, 2 to remove and 251 not upgraded.
Need to get 3,562 kB of archives.
After this operation, 19.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 grub-efi-amd64 amd64 2.06-2ubuntu14.1 [47.1 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 shim amd64 15.7-0ubuntu1 [7,152 B]
Get:3 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 grub-efi-amd64-dbg amd64 2.06-2ubuntu14.1 [3,508 kB]
Fetched 3,562 kB in 0s (140 MB/s)
Preconfiguring packages ...
(Reading database ... 196968 files and directories currently installed.)
Removing grub-gfxpayload-lists (0.7) ...
dpkg: grub-pc: dependency problems, but removing anyway as you requested:
grub-efi-amd64-signed depends on grub-efi-amd64 | grub-pc; however:
Package grub-efi-amd64 is not installed.
Package grub-pc is to be removed.
Removing grub-pc (2.06-2ubuntu7.2) ...
Selecting previously unselected package grub-efi-amd64.
(Reading database ... 196946 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.06-2ubuntu14.1_amd64.deb ...
Unpacking grub-efi-amd64 (2.06-2ubuntu14.1) ...
Selecting previously unselected package shim.
Preparing to unpack .../shim_15.7-0ubuntu1_amd64.deb ...
Unpacking shim (15.7-0ubuntu1) ...
Selecting previously unselected package grub-efi-amd64-dbg.
Preparing to unpack .../grub-efi-amd64-dbg_2.06-2ubuntu14.1_amd64.deb ...
Unpacking grub-efi-amd64-dbg (2.06-2ubuntu14.1) ...
Setting up shim (15.7-0ubuntu1) ...
Setting up grub-efi-amd64-dbg (2.06-2ubuntu14.1) ...
Setting up grub-efi-amd64 (2.06-2ubuntu14.1) ...
Installing grub to /boot/efi.
Installing for x86_64-efi platform.
Installation finished. No error reported.
Sourcing file `/etc/default/grub'
Sourcing file `/etc/default/grub.d/init-select.cfg'
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-6.2.0-32-generic
Found initrd image: /boot/initrd.img-6.2.0-32-generic
Found linux image: /boot/vmlinuz-5.15.0-25-generic
Found initrd image: /boot/initrd.img-5.15.0-25-generic
Memtest86+ needs a 16-bit boot, that is not available on EFI, exiting
Warning: os-prober will not be executed to detect other bootable partitions.
Systems on them will not be added to the GRUB boot configuration.
Check GRUB_DISABLE_OS_PROBER documentation entry.
Adding boot menu entry for UEFI Firmware Settings ...
done
Processing triggers for man-db (2.10.2-1) ...
Processing triggers for shim-signed (1.51.3+15.7-0ubuntu1) ...
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2-signed in Ubuntu.
https://bugs.launchpad.net/bugs/2029518
Title:
Publish grub updates to security
Status in grub2-signed package in Ubuntu:
New
Status in grub2-unsigned package in Ubuntu:
New
Status in shim package in Ubuntu:
New
Status in shim-signed package in Ubuntu:
New
Bug description:
grub updates are built against security only (as can be checked in the
build log), published to proposed, then to updates to complete the SRU
process and phasing, with the intention to publish to security.
In theory this should be done, once phasing on these packages is
complete.
But I don't believe we have any automated process to detect that
today.
As brought up by Mark Esler, here is explicit promotion request:
$ rmadison grub2-signed | grep updates
grub2-signed | 1.187.3~20.04.1 | focal-updates | source
grub2-signed | 1.187.3~22.04.1 | jammy-updates | source
$ rmadison grub2-unsigned | grep updates
grub2-unsigned | 2.06-2ubuntu14.1 | focal-updates | source
grub2-unsigned | 2.06-2ubuntu14.1 | jammy-updates | source
$ rmadison shim | grep updates
shim | 15.7-0ubuntu1 | focal-updates | source, amd64, arm64
shim | 15.7-0ubuntu1 | jammy-updates | source, amd64, arm64
$ rmadison shim-signed | grep updates | grep source
shim-signed | 1.40.9 | focal-updates | source
shim-signed | 1.51.3 | jammy-updates | source
Please promote respective packages above to the respective security pocket.
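The test environment described in the comment above (apt limited to the -release and -security pockets, Recommends and Suggests disabled) can be reproduced and checked with the following script. This is an added example written for this page, not code from the bug report or from Ubuntu's own tooling. The mirror hostnames are assumptions; the `apt-cache policy` output embedded in it is constructed for an offline run, not captured from a real system. Only `check_candidate_pocket` needs a real apt; everything else runs anywhere with sh and awk.

```shell
#!/bin/sh
# Added example (not from the bug report): the apt pocket restriction used
# in the test above, plus a parser that tells you which pocket actually
# serves a package's Candidate version. Mirror hostnames are assumptions.
set -eu

# 1. sources.list limited to the -release and -security pockets. The
#    -updates line is deliberately absent. RELEASE is e.g. "jammy".
security_only_sources() {
    release="$1"
    printf 'deb http://archive.ubuntu.com/ubuntu %s main restricted universe multiverse\n' "$release"
    printf 'deb http://security.ubuntu.com/ubuntu %s-security main restricted universe multiverse\n' "$release"
}

# 2. /etc/apt/apt.conf.d snippet: install only hard dependencies, so the
#    listed binaries are the only thing pulled in from a newly enabled pocket.
norecommends_conf() {
    printf 'APT::Install-Recommends "false";\nAPT::Install-Suggests "false";\n'
}

# 3. Read `apt-cache policy <pkg>` output on stdin and print the pocket(s)
#    (e.g. jammy-security) that offer the Candidate version, one per line.
#    In the "Version table" block each version line ("*** <ver> <prio>" for
#    the installed one, "<ver> <prio>" otherwise) is followed by one
#    "<prio> <uri> <suite>/<component> ..." line per source offering it.
candidate_pockets() {
    awk '
        /^ *Candidate:/      { cand = $2; next }
        /^ *Version table:/  { intable = 1; next }
        intable && $1 == "***"                      { inver = ($2 == cand); next }
        intable && $1 ~ /^[0-9]/ && NF == 2         { inver = ($1 == cand); next }
        intable && inver && $2 ~ /:\/\//            { print $3 }   # skip /var/lib/dpkg/status
    ' | sed 's|/.*||' | sort -u
}

# 4. Live check (needs apt): succeed only if PKG's candidate is served by
#    exactly the expected pocket, e.g.
#        check_candidate_pocket grub-efi-amd64-bin jammy-security
check_candidate_pocket() {
    pkg="$1"; want="$2"
    got=$(apt-cache policy "$pkg" | candidate_pockets)
    [ "$got" = "$want" ]
}

# Constructed sample (not real output): candidate comes from -security only.
SAMPLE_SECURITY_ONLY='grub-efi-amd64-bin:
  Installed: 2.06-2ubuntu14.1
  Candidate: 2.06-2ubuntu14.1
  Version table:
 *** 2.06-2ubuntu14.1 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.06-2ubuntu7 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages'

# Constructed sample (not real output): the same binary is offered by both
# -updates and -security, which is the state after a pocket copy.
SAMPLE_BOTH='grub-efi-amd64-bin:
  Installed: (none)
  Candidate: 2.06-2ubuntu14.1
  Version table:
     2.06-2ubuntu14.1 500
        500 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2.06-2ubuntu7 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages'

security_only_sources jammy
norecommends_conf
printf '%s\n' "$SAMPLE_SECURITY_ONLY" | candidate_pockets
printf '%s\n' "$SAMPLE_BOTH" | candidate_pockets
```

Run `candidate_pockets` against real `apt-cache policy` output before and after enabling -updates: on a -security-only system every candidate should resolve to `<release>-security` (or `<release>` for unchanged packages), and after the copy a binary offered by both pockets should show both.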