Publish grub updates to security
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
grub2-signed (Ubuntu) | Fix Released | Undecided | Unassigned |
grub2-unsigned (Ubuntu) | Fix Released | Undecided | Unassigned |
shim (Ubuntu) | Fix Released | Undecided | Unassigned |
shim-signed (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
grub updates are built against security only (as can be checked in the build log), published to proposed, updates to complete SRU process and phasing, with intention to publish to security.
In theory this should be done, once phasing on these packages is complete.
But I don't believe we have any automated process to detect that today.
As brought up by Mark Esler, here is an explicit promotion request:

```
$ rmadison grub2-signed | grep updates
grub2-signed | 1.187.3~20.04.1 | focal-updates | source
grub2-signed | 1.187.3~22.04.1 | jammy-updates | source
$ rmadison grub2-unsigned | grep updates
grub2-unsigned | 2.06-2ubuntu14.1 | focal-updates | source
grub2-unsigned | 2.06-2ubuntu14.1 | jammy-updates | source
$ rmadison shim | grep updates
shim | 15.7-0ubuntu1 | focal-updates | source, amd64, arm64
shim | 15.7-0ubuntu1 | jammy-updates | source, amd64, arm64
$ rmadison shim-signed | grep updates | grep source
shim-signed | 1.40.9 | focal-updates | source
shim-signed | 1.51.3 | jammy-updates | source
```
Please promote respective packages above to the respective security pocket.
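The description points out that nothing automatically detects when a package's -updates version has not yet been copied to -security. As an added example, not part of this bug report or of any Ubuntu archive tooling, the following Python parses rmadison-style table output and lists every (package, series) whose -updates version has no matching publication in -security. The sample rows are constructed from the versions quoted above; the -security rows in the sample are assumed purely so the comparison has something to check. Piping real `rmadison` output into it on stdin is the intended use.

```python
"""Report -updates versions that have no matching -security publication.

Input is rmadison-style output ("package | version | series-pocket | arches").
"""
import re
import sys
from collections import defaultdict

# Constructed sample mirroring the rmadison output quoted in the bug.
# The three "-security" rows are an assumption added for illustration.
SAMPLE = """\
 grub2-signed | 1.187.3~20.04.1 | focal-updates | source
 grub2-signed | 1.187.3~22.04.1 | jammy-updates | source
 grub2-signed | 1.187.2~20.04.1 | focal-security | source
 grub2-unsigned | 2.06-2ubuntu14.1 | focal-updates | source
 grub2-unsigned | 2.06-2ubuntu14.1 | jammy-updates | source
 shim | 15.7-0ubuntu1 | focal-updates | source, amd64, arm64
 shim | 15.7-0ubuntu1 | jammy-updates | source, amd64, arm64
 shim | 15.7-0ubuntu1 | focal-security | source, amd64, arm64
 shim | 15.7-0ubuntu1 | jammy-security | source, amd64, arm64
 shim-signed | 1.40.9 | focal-updates | source
 shim-signed | 1.51.3 | jammy-updates | source
"""

# One rmadison row; release-pocket rows ("focal" with no "-pocket") are
# deliberately not matched, since only the SRU pockets matter here.
ROW = re.compile(
    r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*([a-z]+)-(updates|security|proposed)\s*\|\s*(.*)$"
)


def parse_rmadison(text):
    """Return {(package, series): {pocket: version}} from rmadison output."""
    table = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank line, release-pocket row, or unrelated noise
        pkg, version, series, pocket, _arches = m.groups()
        table[(pkg, series)][pocket] = version
    return table


def pending_promotions(table):
    """List (package, series, version) where -updates carries a version that
    -security does not. Equality is string-based: the copy in this bug is a
    same-version binary copy, so an identical version string in both pockets
    means the promotion has already happened."""
    pending = []
    for (pkg, series), pockets in sorted(table.items()):
        upd = pockets.get("updates")
        if upd and pockets.get("security") != upd:
            pending.append((pkg, series, upd))
    return pending


if __name__ == "__main__":
    # Read real rmadison output from a pipe; fall back to the sample otherwise.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for pkg, series, version in pending_promotions(parse_rmadison(text)):
        print(f"{pkg} {version}: in {series}-updates, not in {series}-security")
```

On the sample this flags both grub2-signed, both grub2-unsigned and both shim-signed rows, and stays quiet for shim, whose assumed -security rows already match. A version-aware comparison (for example via `apt_pkg.version_compare`) would be needed if a newer version could legitimately sit in -security than in -updates.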
information type: Public → Public Security
Changed in grub2-signed (Ubuntu): status: New → Fix Released
Changed in grub2-unsigned (Ubuntu): status: New → Fix Released
Changed in shim (Ubuntu): status: New → Fix Released
Changed in shim-signed (Ubuntu): status: New → Fix Released
Copying these specific binaries from -updates to -security should be safe.
To verify this I have installed Focal and Jammy using the original install media to a laptop and VMs running secure boot. Software updates are disabled during OS install. After install, I configured apt to only use the -release and -security pocket and disabled APT recommends and suggestions. Using this APT configuration I ran apt update and upgrade to install the latest -security updates and rebooted. On these -security updated systems, I then enabled the -updates pocket and apt installed the binaries of the packages listed in this bug and rebooted, successfully. This testing was attempted many times and I believe this binary copy is safe.
The new grub may use features in a recent version of mokutil. A no-change rebuild of mokutil was added to security proposed. The above test passes without mokutil on both releases. Regardless, mokutil will be staged to publish in -security before the -updates binaries are copied.
The following is the output from a jammy system in the environment described above installing the -updates packages:
```
ubuntu@sb-jammy-original-sansmokutil-amd64:~$ sudo apt install grub-efi-amd64 grub-efi-amd64-signed grub-efi-amd64-bin grub-efi-amd64-dbg shim shim-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
grub-efi-amd64-bin is already the newest version (2.06-2ubuntu14.1).
grub-efi-amd64-signed is already the newest version (1.187.3~22.04.1+2.06-2ubuntu14.1).
shim-signed is already the newest version (1.51.3+15.7-0ubuntu1).
The following packages will be REMOVED:
  grub-gfxpayload-lists grub-pc
The following NEW packages will be installed:
  grub-efi-amd64 grub-efi-amd64-dbg shim
0 upgraded, 3 newly installed, 2 to remove and 251 not upgraded.
Need to get 3,562 kB of archives.
After this operation, 19.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 grub-efi-amd64 amd64 2.06-2ubuntu14.1 [47.1 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 shim amd64 15.7-0ubuntu1 [7,152 B]
Get:3 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 grub-efi-amd64-dbg amd64 2.06-2ubuntu14.1 [3,508 kB]
Fetched 3,562 kB in 0s (140 MB/s)
Preconfiguring packages ...
(Reading database ... 196968 files and directories currently installed.)
Removing grub-gfxpayload-lists (0.7) ...
dpkg: grub-pc: dependency problems, but removing anyway as you requested:
 grub-efi-amd64-signed depends on grub-efi-amd64 | grub-pc; however:
  Package grub-efi-amd64 is not installed.
  Package grub-pc is to be removed.

Removing grub-pc (2.06-2ubuntu7.2) ...
Selecting previously unselected package grub-efi-amd64.
(Reading database ... 196946 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.06-2ubuntu14.1_amd64.deb ...
Unpacking grub-efi-amd64 (2.06-2ubuntu14.1) ...
Selecting previously unselected package shim.
Preparing to unp...
```