Ubuntu
grub2 package

grub is missing secure boot support for compressed kernels (our arm64 kernels)

Bug #1954683 reported by Julian Andres Klode on 2021-12-13

This bug affects 2 people

	Status	Importance	Assigned to
grub2 (Ubuntu)	Fix Released	Undecided	Unassigned
Bionic	Fix Released	Undecided	Unassigned
Focal	Fix Released	Undecided	Unassigned
Impish	Won't Fix	Undecided	Unassigned
Jammy	Fix Released	Undecided	Unassigned

Bug Description

[Impact]
arm64 systems currently cannot have their grub updated when booted in secure boot mode, despite booting fine, as the postinst runs grub-check-signatures and grub-check-signatures does not handle the compressed kernels used on arm64.

It seems the cloud images only ship unsigned grub at the moment, but there may be other images shipping signed boot stack that customers would expect to work (and then fail during a grub update) and we can also consider this hardware enablement of arm64 secure boot.

[Attack plan]

1. Modify grub-check-signatures to optionally decompress kernels before passing them to sbverify
2. Modify grub to either
a) verify after decompress
b) disable shim_lock verifier on arm64, and only use the rhboot

We do not know if this is a long-term solution, we really should migrate back to kernels that are proper EFI executables themselves such that we can use standard EFI functions to run them as well.

[Test plan]
= focal =
1. Grab an arm64 cloud image
2. Boot in qemu, WITHOUT SECURE BOOT (AAVMF_VARS.fd): Install grub-efi-arm64-signed shim-signed if not already installed
2b) On bionic, install linux-virtual-hwe-18.04 and reboot (the LTS kernel in bionic is not signed on arm64)
3. Reboot in secure mode (using AAVMF_VARS.ms.fd)
4. See that the system boots
5. apt install --reinstall grub-efi-arm64-signed, observe failure message about unsigned kernels
6. apt install ?installed?source-package((^grub2$)/<series>-proposed (aka grub2-common grub-common)
7. observe success when reinstalling grub-efi-arm64-signed.
8. Install another signed kernel, observe success (*)

shim/grub may need to be launched manually in qemu as MS variables place the EFI shell first in the boot order, select the boot entry for the disk from the interrupt menu, or do FS0:, followed by \EFI\BOOT\BOOTAA64.EFI in the EFI shell to launch it.

(*) Surprisingly maybe, kernel upgrades are not affected as they do not call grub-check-signatures, so installing an unsigned kernel still succeeds, however, this is not a regression from this patch.

[Where problems could occur]
We only modify the grub-check-signatures script in the SRU to add decompression. This could change the behavior of the script, and introduce new bugs that cause false positives or false negatives.

[Other info: Impact; 2.06-only, not relevant for SRU]
In 2.06, the verifiers framework runs before any decompression, causing the kernels to fail verification, as it tries to verify the compressed data. In grub 2.04, we manually verified the file after we had opened it (hence after all filters).

See original description

Tags:

Related branches

~juliank/grub/+git/bionic:master

Ready for review for merging into ~ubuntu-core-dev/grub/+git/bionic:master

Steve Langasek: Pending requested 2023-02-01

~ubuntu-core-dev/grub/+git/ubuntu:os-prober-auto

Superseded for merging into ~ubuntu-core-dev/grub/+git/ubuntu:master

Ubuntu Core Development Team: Pending requested 2022-02-16

Diff: 25480 lines (+18809/-711) (has conflicts)

166 files modified

ChangeLog (+5278/-0)
INSTALL (+31/-21)
Makefile.am (+1/-1)
Makefile.in (+270/-54)
Makefile.util.am (+16/-7)
Makefile.util.def (+15/-40)
NEWS (+14/-0)
README (+6/-0)
acinclude.m4 (+36/-2)
aclocal.m4 (+1/-0)
autogen.sh (+1/-1)
conf/Makefile.common (+2/-0)
conf/Makefile.extra-dist (+21/-0)
config-util.h.in (+6/-0)
config.h.in (+0/-2)
configure (+192/-39)
configure.ac (+99/-104)
debian/.git-dpm (+3/-0)
debian/NEWS (+8/-0)
debian/README.source (+3/-0)
debian/apport/source_grub2.py (+14/-5)
debian/build-efi-images (+27/-11)
debian/changelog (+1253/-1)
debian/control (+40/-24)
debian/dirs.in (+1/-0)
debian/grub-check-signatures (+21/-0)
debian/grub-common.service (+13/-0)
debian/grub-efi-amd64-bin.maintscript.in (+1/-0)
debian/grub-efi-arm64-bin.maintscript.in (+1/-0)
debian/grub-extras/915resolution/.gitignore (+3/-0)
debian/grub-extras/915resolution/915resolution.c (+29/-8)
debian/grub-extras/disabled/gpxe/.gitignore (+3/-0)
debian/grub-extras/disabled/zfs/.gitignore (+5/-0)
debian/grub-extras/lua/.gitignore (+3/-0)
debian/grub-extras/ntldr-img/.gitignore (+3/-0)
debian/grub.d/05_debian_theme (+2/-2)
debian/legacy/upgrade-from-grub-legacy (+3/-1)
debian/patches/0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch (+37/-0)
debian/patches/0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch (+7/-0)
debian/patches/0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch (+36/-0)
debian/patches/0099-chainloader-Avoid-a-double-free-when-validation-fail.patch (+14/-0)
debian/patches/0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch (+7/-0)
debian/patches/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch (+47/-0)
debian/patches/at_keyboard-module-init.patch (+4/-1)
debian/patches/bash-completion-drop-have-checks.patch (+5/-2)
debian/patches/blacklist-1440x900x32.patch (+4/-1)
debian/patches/bootp-new-net_bootp6-command.patch (+22/-17)
debian/patches/bootp-process-dhcpack-http-boot.patch (+20/-15)
debian/patches/cherrypick-efi-grub_efi_close_protocol.patch (+79/-0)
debian/patches/cherrypick-efinet-correct-closing-snp-protocol.patch (+106/-0)
debian/patches/core-in-fs.patch (+3/-4)
debian/patches/debug_verifiers.patch (+27/-0)
debian/patches/default-grub-d.patch (+34/-17)
debian/patches/dejavu-font-path.patch (+22/-0)
debian/patches/disable-floppies.patch (+1/-2)
debian/patches/dpkg-version-comparison.patch (+3/-4)
debian/patches/efi-variable-storage-minimise-writes.patch (+60/-11)
debian/patches/efinet-set-dns-from-uefi-proto.patch (+13/-8)
debian/patches/efinet-set-network-from-uefi-devpath.patch (+8/-5)
debian/patches/efinet-uefi-ipv6-pxe-support.patch (+8/-5)
debian/patches/gettext-quiet.patch (+4/-1)
debian/patches/gfxpayload-dynamic.patch (+23/-7)
debian/patches/gfxpayload-keep-default.patch (+9/-0)
debian/patches/grub-install-pvxen-paths.patch (+14/-3)
debian/patches/grub-legacy-0-based-partitions.patch (+1/-2)
debian/patches/grub.cfg-400.patch (+2/-3)
debian/patches/ieee1275-clear-reset.patch (+4/-1)
debian/patches/ignore-grub_func_test-failures.patch (+4/-1)
debian/patches/insmod-xzio-and-lzopio-on-xen.patch (+7/-0)
debian/patches/install-efi-adjust-distributor.patch (+33/-0)
debian/patches/install-efi-fallback.patch (+5/-2)
debian/patches/install-efi-ubuntu-flavours.patch (+3/-0)
debian/patches/install-locale-langpack.patch (+10/-7)
debian/patches/install-powerpc-machtypes.patch (+18/-11)
debian/patches/install-stage2-confusion.patch (+9/-6)
debian/patches/maybe-quiet.patch (+30/-21)
debian/patches/minilzo-2.10.patch (+2538/-0)
debian/patches/mkconfig-loopback.patch (+11/-4)
debian/patches/mkconfig-mid-upgrade.patch (+3/-0)
debian/patches/mkconfig-nonexistent-loopback.patch (+11/-8)
debian/patches/mkconfig-other-inits.patch (+14/-3)
debian/patches/mkconfig-recovery-title.patch (+17/-10)
debian/patches/mkconfig-signed-kernel.patch (+9/-0)
debian/patches/mkconfig-ubuntu-distributor.patch (+7/-0)
debian/patches/mkconfig-ubuntu-recovery.patch (+18/-5)
debian/patches/mkimage-fix-section-sizes.patch (+108/-0)
debian/patches/mkrescue-efi-modules.patch (+6/-3)
debian/patches/net-read-bracketed-ipv6-addr.patch (+20/-16)
debian/patches/no-devicetree-if-secure-boot.patch (+8/-5)
debian/patches/no-insmod-on-sb.patch (+8/-58)
debian/patches/olpc-prefix-hack.patch (+1/-2)
debian/patches/pc-verifiers-module.patch (+166/-0)
debian/patches/ppc64el-disable-vsx.patch (+4/-1)
debian/patches/probe-fusionio.patch (+8/-5)
debian/patches/quick-boot-lvm.patch (+6/-3)
debian/patches/quick-boot.patch (+34/-20)
debian/patches/restore-mkdevicemap.patch (+26/-13)
debian/patches/rhboot-f34-dont-use-int-for-efi-status.patch (+7/-0)
debian/patches/rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch (+26/-0)
debian/patches/rhboot-f34-make-exit-take-a-return-code.patch (+68/-0)
debian/patches/rhboot-f34-make-pmtimer-tsc-calibration-fast.patch (+11/-0)
debian/patches/series (+69/-4)
debian/patches/skip-grub_cmd_set_date.patch (+4/-1)
debian/patches/sleep-shift.patch (+3/-0)
debian/patches/suse-AUDIT-0-http-boot-tracker-bug.patch (+68/-0)
debian/patches/suse-add-support-for-UEFI-network-protocols.patch (+4941/-0)
debian/patches/suse-grub.texi-add-net_bootp6-document.patch (+49/-0)
debian/patches/tests-ahci-update-qemu-device-name.patch (+33/-0)
debian/patches/tpm-unknown-error-non-fatal.patch (+30/-0)
debian/patches/ubuntu-add-devicetree-command-support.patch (+7/-0)
debian/patches/ubuntu-add-initrd-less-boot-fallback.patch (+44/-0)
debian/patches/ubuntu-add-initrd-less-boot-messages.patch (+24/-0)
debian/patches/ubuntu-boot-from-multipath-dependent-symlink.patch (+7/-0)
debian/patches/ubuntu-dont-verify-loopback-images.patch (+11/-0)
debian/patches/ubuntu-efi-allow-loopmount-chainload.patch (+27/-0)
debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch (+10/-0)
debian/patches/ubuntu-fix-reproducible-squashfs-test.patch (+7/-0)
debian/patches/ubuntu-flavour-order.patch (+17/-0)
debian/patches/ubuntu-fuse3.patch (+108/-0)
debian/patches/ubuntu-grub-install-extra-removable.patch (+37/-0)
debian/patches/ubuntu-install-signed.patch (+41/-0)
debian/patches/ubuntu-linuxefi-arm64-set-base-addr.patch (+18/-0)
debian/patches/ubuntu-linuxefi-arm64.patch (+35/-0)
debian/patches/ubuntu-linuxefi.patch (+432/-0)
debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch (+10/-0)
debian/patches/ubuntu-os-prober-auto.patch (+51/-0)
debian/patches/ubuntu-recovery-dis_ucode_ldr.patch (+11/-0)
debian/patches/ubuntu-resilient-boot-boot-order.patch (+45/-0)
debian/patches/ubuntu-resilient-boot-ignore-alternative-esps.patch (+11/-0)
debian/patches/ubuntu-shorter-version-info.patch (+18/-0)
debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch (+10/-0)
debian/patches/ubuntu-speed-zsys-history.patch (+11/-0)
debian/patches/ubuntu-support-initrd-less-boot.patch (+27/-0)
debian/patches/ubuntu-temp-keep-auto-nvram.patch (+7/-0)
debian/patches/ubuntu-verifiers-last.patch (+59/-0)
debian/patches/ubuntu-zfs-enhance-support.patch (+25/-0)
debian/patches/ubuntu-zfs-gfxpayload-dynamic.patch (+95/-0)
debian/patches/ubuntu-zfs-gfxpayload-keep-default.patch (+38/-0)
debian/patches/ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch (+32/-0)
debian/patches/ubuntu-zfs-maybe-quiet.patch (+72/-0)
debian/patches/ubuntu-zfs-mkconfig-recovery-title.patch (+49/-0)
debian/patches/ubuntu-zfs-mkconfig-signed-kernel.patch (+51/-0)
debian/patches/ubuntu-zfs-mkconfig-ubuntu-distributor.patch (+36/-0)
debian/patches/ubuntu-zfs-mkconfig-ubuntu-recovery.patch (+66/-0)
debian/patches/ubuntu-zfs-quick-boot.patch (+50/-0)
debian/patches/ubuntu-zfs-vt-handoff.patch (+77/-0)
debian/patches/uefi-firmware-setup.patch (+3/-0)
debian/patches/uefi-secure-boot-cryptomount.patch (+11/-0)
debian/patches/vsnprintf-upper-case-hex.patch (+3/-0)
debian/patches/vt-handoff.patch (+9/-2)
debian/patches/wubi-no-windows.patch (+6/-3)
debian/patches/xen-no-xsm-policy-in-non-xsm-options.patch (+34/-0)
debian/patches/xfs-fix-v4-superblock.patch (+121/-0)
debian/patches/zpool-full-device-name.patch (+4/-1)
debian/patches/zstd-require-8-byte-buffer.patch (+63/-0)
debian/postinst.in (+86/-6)
debian/postrm.in (+2/-2)
debian/rules (+102/-5)
debian/sbat.debian.csv.in (+3/-0)
debian/sbat.ubuntu.csv.in (+3/-0)
debian/signing-template/control.in (+1/-1)
dev/null (+0/-1)
docs/Makefile.in (+2/-2)
docs/grub-dev.info (+113/-45)
docs/grub-dev.texi (+65/-1)
docs/grub.info (+2/-1)

~ubuntu-core-dev/grub/+git/ubuntu:os-prober-auto

Ready for review for merging into ~ubuntu-core-dev/grub/+git/ubuntu:master

Ubuntu Core Development Team: Pending requested 2022-02-16

Diff: 25480 lines (+18809/-711) (has conflicts)

166 files modified

Julian Andres Klode (juliank) on 2021-12-13

no longer affects:	grub2 (Ubuntu)
tags:	added: regression-proposed

Brian Murray (brian-murray) on 2021-12-14

tags:

added: rls-jj-incoming

Matthieu Clemenceau (mclemenceau) on 2021-12-16

tags:

added: fr-1931

Brian Murray (brian-murray) on 2021-12-16

tags:

removed: rls-jj-incoming

Julian Andres Klode (juliank) on 2021-12-17

summary:

- grub is missing secure boot support for compressed kernels
+ grub is missing secure boot support for compressed kernels (our arm64
+ kernels)

Julian Andres Klode (juliank) on 2022-01-10

description:	updated
Changed in grub2-unsigned (Ubuntu Jammy):
status:	New → Fix Committed
affects:	grub2-unsigned (Ubuntu Focal) → grub2 (Ubuntu Focal)

Revision history for this message

Julian Andres Klode (juliank) wrote on 2022-01-11 (last edit on 2022-01-11):

Uploaded focal.

Changed in grub2 (Ubuntu Focal):
status:	New → In Progress
Changed in grub2 (Ubuntu Impish):
status:	New → Won't Fix

Julian Andres Klode (juliank) on 2022-01-11

Changed in grub2 (Ubuntu Impish):
status:	Won't Fix → Triaged

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-01-12:

This bug was fixed in the package grub2 - 2.06-2ubuntu4

---------------
grub2 (2.06-2ubuntu4) jammy; urgency=medium

* UBUNTU: Move verifiers after decompressors (LP: #1954683)
* grub-check-signatures: Support gzip compressed kernels (LP: #1954683)

-- Julian Andres Klode <email address hidden> Mon, 10 Jan 2022 14:52:04 +0100

Changed in grub2 (Ubuntu Jammy):
status:	Fix Committed → Fix Released

Revision history for this message

Robie Basak (racb) wrote on 2022-01-19:

> Compressed kernels as we have on arm64 cause grub to fail in two ways...

OK, but you haven't specified how this impacts the user. Please justify the SRU on the basis of what impact this issue has *on the user*. Otherwise I can't review it for appropriateness under our SRU policy. For example: it sounds like what you are describing had never worked on arm64, so are you enabling the entire architecture with grub2? Or something else? What's the failing user story here?

Revision history for this message

Robie Basak (racb) wrote on 2022-01-19:

Or is it that you're looking to enable secure boot on this architecture? In that case, please make that clear, and provide a Test Plan that includes testing that complete user story.

Revision history for this message

Julian Andres Klode (juliank) wrote on 2022-01-19:

@Robie The impact is clearly specified, it fails to upgrade grub. The user impact is failing to upgrade grub. Apart from this, existing arm64 images work fine under secure boot; we have always tested secure boot, but never tested *upgrading* grub.

Julian Andres Klode (juliank) on 2022-01-26

description:	updated
description:	updated

Revision history for this message

Robie Basak (racb) wrote on 2022-01-26:

I've discussed this further with Julian and he will re-reproduce the issue locally to answer some of my questions, and then we'll work on the User Impact and Test Plan from there.

Changed in grub2 (Ubuntu Focal):
status:	In Progress → Incomplete

Julian Andres Klode (juliank) on 2022-03-15

Changed in grub2 (Ubuntu Impish):
status:	Triaged → Won't Fix

Revision history for this message

Julian Andres Klode (juliank) wrote on 2022-03-15:

I have updated the Impact and Test Plan to provide an end-to-end testing of secure boot on arm64.

description:	updated
Changed in grub2 (Ubuntu Focal):
status:	Incomplete → In Progress

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2022-03-22: Please test proposed package

Hello Julian, or anyone else affected,

Accepted grub2 into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.04-1ubuntu26.15 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2 (Ubuntu Focal):
status:	In Progress → Fix Committed
tags:	added: verification-needed verification-needed-focal

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2022-03-22:

Hey Julian! This looks good now so I'll accept it to focal-proposed. That being said, why is the impish task set to 'Won't Fix'? Is this something that does not happen on impish?

Revision history for this message

Julian Andres Klode (juliank) wrote on 2022-03-22:

#10

I just don't see anyone launching arm64 secure boot products based on impish in its few remaining months, especially with jammy just a month away, so no need to spend resources on SRUs there and force updates to everyone for this.

Revision history for this message

Julian Andres Klode (juliank) wrote on 2022-03-22:

#11

Instructions updated as I accidentally wrote to upgrade grub-efi-arm64-signed, but duh, it's grub{2,}-common you want to upgrade from proposed.

description:	updated
description:	updated

Revision history for this message

Julian Andres Klode (juliank) wrote on 2022-03-22:

#12

Verification:

4. observed that system booted in secure mode after installing shim-signed, checked mokutil --sb-state to verify
5. observed failure in reinstalling grub-efi-arm64-signed w/ old src:grub2
6. upgraded grub{2,}-common to proposed ubuntu26.15 from ubuntu26.13
7. observed success in reinstalling grub-efi-arm64-signed
8. observed success installing linux-image-5.4.0-106-generic (*)
9. system still boots (*)

I ran out of space but managed to fully install the kernel, just not the modules, so rebooted into the normal kernel, but it installed, so I'm happy.

tags:

added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal

Revision history for this message

Robie Basak (racb) wrote on 2022-03-30:

#13

Does grub2-signed need rebuilding? I don't think I fully understand the interaction between the two packages, so I'm being extra cautious before releasing for fear of breaking the world.

Revision history for this message

Julian Andres Klode (juliank) wrote on 2022-03-30:

#14

It does not show up on excuses as broken, so I'd say no. grub2-signed is built from grub2-unsigned in all releases, not grub2.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-04-04:

#15

This bug was fixed in the package grub2 - 2.04-1ubuntu26.15

---------------
grub2 (2.04-1ubuntu26.15) focal; urgency=medium

[ Mauricio Faria de Oliveira ]
* Call hwmatch only on the grub-pc platform (LP: #1840560)

grub2 (2.04-1ubuntu26.14) focal; urgency=medium

* grub-check-signatures: Support gzip compressed kernels (LP: #1954683)

-- Julian Andres Klode <email address hidden> Tue, 11 Jan 2022 16:09:48 +0100

Changed in grub2 (Ubuntu Focal):
status:	Fix Committed → Fix Released

Revision history for this message

Łukasz Zemczak (sil2100) wrote on 2022-04-04: Update Released

#16

The verification of the Stable Release Update for grub2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-02-01:

#17

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2 (Ubuntu Bionic):
status:	New → Confirmed

Revision history for this message

Julian Andres Klode (juliank) wrote on 2023-02-01:

#18

This also seems to be an issue in bionic, see bug 2004437 (duplicate).

Changed in grub2 (Ubuntu Bionic):
status:	Confirmed → Triaged

Revision history for this message

Steve Langasek (vorlon) wrote on 2023-03-04: Please test proposed package

#19

Hello Julian, or anyone else affected,

Accepted grub2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.26 in a few hours, and then in the -proposed repository.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in grub2 (Ubuntu Bionic):
status:	Triaged → Fix Committed
tags:	added: verification-needed verification-needed-bionic removed: verification-done

dann frazier (dannf) on 2023-03-05

description:

updated

Revision history for this message

dann frazier (dannf) wrote on 2023-03-05:

#20

bionic verified w/ 2.02-2ubuntu8.26

description:	updated
tags:	added: verification-done verification-done-bionic removed: verification-needed verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-05-30:

#21

This bug was fixed in the package grub2 - 2.02-2ubuntu8.26

---------------
grub2 (2.02-2ubuntu8.26) bionic; urgency=medium

* Have grub-common depend on efibootmgr on amd64, arm64, i386 (LP: #1936857)
* grub-check-signatures: Support gzip compressed kernels (LP: #1954683)

-- Julian Andres Klode <email address hidden> Wed, 01 Feb 2023 18:49:01 +0100

Changed in grub2 (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #2004437

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntugrub2 package

grub is missing secure boot support for compressed kernels (our arm64 kernels)

Bug Description

Related branches

Duplicates of this bug

Other bug subscribers

Remote bug watches

Ubuntu
grub2 package