Publish grub updates to security

Bug #2029518 reported by Dimitri John Ledkov
This bug affects 1 person
Affects                  Status        Importance  Assigned to  Milestone
grub2-signed (Ubuntu)    Fix Released  Undecided   Unassigned
grub2-unsigned (Ubuntu)  Fix Released  Undecided   Unassigned
shim (Ubuntu)            Fix Released  Undecided   Unassigned
shim-signed (Ubuntu)     Fix Released  Undecided   Unassigned

Bug Description

grub updates are built against security only (as can be checked in the build log), published to proposed, then to updates to complete the SRU process and phasing, with the intention to publish to security.

In theory this should be done, once phasing on these packages is complete.

But I don't believe we have any automated process to detect that today.

As brought up by Mark Esler, here is an explicit promotion request:

$ rmadison grub2-signed | grep updates
 grub2-signed | 1.187.3~20.04.1 | focal-updates | source
 grub2-signed | 1.187.3~22.04.1 | jammy-updates | source

$ rmadison grub2-unsigned | grep updates
 grub2-unsigned | 2.06-2ubuntu14.1 | focal-updates | source
 grub2-unsigned | 2.06-2ubuntu14.1 | jammy-updates | source

$ rmadison shim | grep updates
 shim | 15.7-0ubuntu1 | focal-updates | source, amd64, arm64
 shim | 15.7-0ubuntu1 | jammy-updates | source, amd64, arm64

$ rmadison shim-signed | grep updates | grep source
 shim-signed | 1.40.9 | focal-updates | source
 shim-signed | 1.51.3 | jammy-updates | source

Please promote respective packages above to the respective security pocket.
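The rmadison comparison above is done by eye, and the report notes that no automated check exists yet. As an added example (not part of the bug report or of any Ubuntu tooling), this POSIX shell function parses rmadison-style output and lists every series whose -updates version has not been copied to -security; the sample input is constructed from the versions quoted above plus one made-up older shim-signed entry in jammy-security.

```shell
#!/bin/sh
# Added example: detect source packages whose -updates version has not
# reached -security, from rmadison-style lines " pkg | ver | pocket | arches".
# Runs offline on the constructed sample; feed it "rmadison <pkg>" output otherwise.

# Prints "pkg series updates_version security_version" (security_version is
# "-" when the series has no -security entry at all), one line per pending copy.
pending_promotions() {
    printf '%s\n' "$1" | awk -F'|' '
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $1); pkg = $1
            gsub(/^[ \t]+|[ \t]+$/, "", $2); ver = $2
            gsub(/^[ \t]+|[ \t]+$/, "", $3); pocket = $3
            n = split(pocket, p, "-")           # "focal-updates" -> focal, updates
            series = p[1]; suite = (n > 1) ? p[2] : "release"
            key = pkg SUBSEP series
            seen[key] = 1
            if (suite == "updates")  upd[key] = ver
            if (suite == "security") sec[key] = ver
        }
        END {
            for (key in seen) {
                if (!(key in upd)) continue                     # nothing in -updates
                if ((key in sec) && sec[key] == upd[key]) continue  # already promoted
                split(key, k, SUBSEP)
                secver = (key in sec) ? sec[key] : "-"
                printf "%s %s %s %s\n", k[1], k[2], upd[key], secver
            }
        }' | sort
}

# Constructed sample (versions taken from the bug; the jammy-security
# shim-signed 1.51.2 line is made up to show the "older in -security" case).
SAMPLE=' grub2-signed | 1.187.3~20.04.1 | focal-updates | source
 grub2-signed | 1.187.3~22.04.1 | jammy-updates | source
 shim | 15.7-0ubuntu1 | focal-security | source, amd64, arm64
 shim | 15.7-0ubuntu1 | focal-updates | source, amd64, arm64
 shim | 15.7-0ubuntu1 | jammy-updates | source, amd64, arm64
 shim-signed | 1.51.2 | jammy-security | source
 shim-signed | 1.51.3 | jammy-updates | source'

pending_promotions "$SAMPLE"
```

Any line printed is a package still waiting for the copy requested in this bug; an empty result means -security already carries every -updates version.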

information type: Public → Public Security
Mark Esler (eslerm) wrote :

Copying these specific binaries from -updates to -security should be safe.

To verify this I have installed Focal and Jammy using the original install media to a laptop and VMs running secure boot. Software updates are disabled during OS install. After install, I configured apt to only use the -release and -security pocket and disabled APT recommends and suggestions. Using this APT configuration I ran apt update and upgrade to install the latest -security updates and rebooted. On these -security updated systems, I then enabled the -updates pocket and apt installed the binaries of the packages listed in this bug and rebooted, successfully. This testing was attempted many times and I believe this binary copy is safe.

The new grub may use features in a recent version of mokutil. A no-change rebuild of mokutil was added to security proposed. The above test passes without mokutil on both releases. Regardless, mokutil will be staged to publish in -security before the -updates binaries are copied.

The following is the output from a jammy system in the environment described above installing the -updates packages:

ubuntu@sb-jammy-original-sansmokutil-amd64:~$ sudo apt install grub-efi-amd64 grub-efi-amd64-signed grub-efi-amd64-bin grub-efi-amd64-dbg shim shim-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
grub-efi-amd64-bin is already the newest version (2.06-2ubuntu14.1).
grub-efi-amd64-signed is already the newest version (1.187.3~22.04.1+2.06-2ubuntu14.1).
shim-signed is already the newest version (1.51.3+15.7-0ubuntu1).
The following packages will be REMOVED:
  grub-gfxpayload-lists grub-pc
The following NEW packages will be installed:
  grub-efi-amd64 grub-efi-amd64-dbg shim
0 upgraded, 3 newly installed, 2 to remove and 251 not upgraded.
Need to get 3,562 kB of archives.
After this operation, 19.1 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 grub-efi-amd64 amd64 2.06-2ubuntu14.1 [47.1 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 shim amd64 15.7-0ubuntu1 [7,152 B]
Get:3 http://us.archive.ubuntu.com/ubuntu jammy-updates/main amd64 grub-efi-amd64-dbg amd64 2.06-2ubuntu14.1 [3,508 kB]
Fetched 3,562 kB in 0s (140 MB/s)
Preconfiguring packages ...
(Reading database ... 196968 files and directories currently installed.)
Removing grub-gfxpayload-lists (0.7) ...
dpkg: grub-pc: dependency problems, but removing anyway as you requested:
 grub-efi-amd64-signed depends on grub-efi-amd64 | grub-pc; however:
  Package grub-efi-amd64 is not installed.
  Package grub-pc is to be removed.

Removing grub-pc (2.06-2ubuntu7.2) ...
Selecting previously unselected package grub-efi-amd64.
(Reading database ... 196946 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.06-2ubuntu14.1_amd64.deb ...
Unpacking grub-efi-amd64 (2.06-2ubuntu14.1) ...
Selecting previously unselected package shim.
Preparing to unp...


Mark Esler (eslerm)
Changed in grub2-signed (Ubuntu):
status: New → Fix Released
Changed in grub2-unsigned (Ubuntu):
status: New → Fix Released
Changed in shim (Ubuntu):
status: New → Fix Released
Changed in shim-signed (Ubuntu):
status: New → Fix Released