[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
Thanks Blake! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1787630 Title: [FFe] Include HTTP support in pre-build GRUB module To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1787630/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
I have verified that the proposed package in cosmic works as expected. I performed the following steps with MAAS.

0) Provide kernel and initrd on an HTTP server on the network.
1) Boot from the network in UEFI mode using grub's grubnet.efi binary.
2) Provided the following config:

    linuxefi http:///
    initrdefi http:///
    boot

Grub successfully loaded the kernel and initrd from the HTTP server and booted the kernel with attached initrd.

** Tags removed: verification-needed verification-needed-cosmic
** Tags added: verification-done verification-done-cosmic
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
I have verified that the proposed package in bionic works as expected. I performed the following steps with MAAS.

0) Provide kernel and initrd on an HTTP server on the network.
1) Boot from the network in UEFI mode using grub's grubnet.efi binary.
2) Provided the following config:

    linuxefi http:///
    initrdefi http:///
    boot

Grub successfully loaded the kernel and initrd from the HTTP server and booted the kernel with attached initrd.

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
Hello Lee, or anyone else affected,

Accepted grub2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02-2ubuntu8.13 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Also affects: grub2-signed (Ubuntu) Importance: Undecided Status: New
** Changed in: grub2-signed (Ubuntu) Status: New => Fix Released
** Changed in: grub2 (Ubuntu Bionic) Status: New => Fix Committed
** Tags added: verification-needed-bionic
** Changed in: grub2-signed (Ubuntu Bionic) Status: New => Fix Committed
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
Hello Lee, or anyone else affected,

Accepted grub2 into cosmic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02+dfsg1-5ubuntu8.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-cosmic to verification-done-cosmic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-cosmic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: grub2 (Ubuntu Cosmic) Status: New => Fix Committed
** Tags added: verification-needed verification-needed-cosmic
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
** Description changed: - {Description] + [Impact] + Required for MAAS to use HTTP transport to provide files for grub2. + + [Test case] + 0) Provide kernel and initrd on an HTTP server on the network. + 1) Boot from the network in UEFI mode using grub's grubnet.efi binary. + 2) Run the following commands: + + linuxefi http:/// + initrdefi http:/// + boot + + Verify that the system is able to correctly retrieve the kernel and + initrd files from the HTTP server, and that the system boots normally. + + [Regression potential] + None. This makes an additional module available for use in the grubnet.efi pre-built and signed UEFI binaries for grub; it does not otherwise affect other pre-built UEFI images, does not change grub code, and is not used unless explicitly configured to do so by a custom grub configuration file (not in use by default). + + --- + + [Description] Grub supports booting files over the network via both FTP/HTTP. However, the Ubuntu package is not built with the grub HTTP modules. Enabling this would allow grub to obtain files over HTTP (such as initrd/kernel). [Rationale] Enabling HTTP support for Grub would allow MAAS to use such functionality to boot files over the network with HTTP. This allows for improvement performance (vs using ftp) and for better security. MAAS would use this to download kernel and initrd over HTTP instead of FTP at first for performance improvements. [Original bug report] GRUB has builtin support for HTTP via http.mod. This module is not being included in the prebuild grubnetx64.efi. All that should be required is adding the http module. I also suggest building grubnetx64.efi using GRUB modules to include lvm and RAID support this will allow grubnetx64.efi to local boot in all situations. --- build-efi-images 2018-08-17 10:50:35.124311043 -0700 +++ build-efi-images.new 2018-08-17 10:50:59.270661126 -0700 
@@ -148,8 +148,9 @@ raid5rec raid6rec " -NET_MODULES="$CD_MODULES +NET_MODULES="$GRUB_MODULES tftp + http " "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
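Review bot: The `+NET_MODULES="$GRUB_MODULES` line swaps the base list instead of only appending `http`, so the network image picks up everything `$GRUB_MODULES` holds beyond `$CD_MODULES` (the report asks for this to get lvm and RAID support) on top of the HTTP client. That is wider than the [Regression potential] text, which speaks of "an additional module", and wider than a change titled as adding HTTP support. Suggest keeping `NET_MODULES="$CD_MODULES` and adding only the `http` line here, with the base-list change proposed and reviewed as a separate patch.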
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
This bug was fixed in the package grub2 - 2.02+dfsg1-12ubuntu2

---
grub2 (2.02+dfsg1-12ubuntu2) disco; urgency=medium

  * debian/patches/efi-console-set-text-mode-as-needed.patch: in EFI console, only set text-mode when we're actually going to need it.
  * debian/build-efi-images: add http module to NET_MODULES. (LP: #1787630)

 -- Mathieu Trudel-Lapierre Mon, 11 Mar 2019 17:48:49 -0400

** Changed in: grub2 (Ubuntu) Status: In Progress => Fix Released
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
** Changed in: grub2 (Ubuntu) Status: New => In Progress
** Changed in: grub2 (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
** Changed in: grub2 (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
http.c generally looks okay - errors are usually checked and handled, care is taken to ensure buffers are not overrun etc, sizes are handled well etc. From what I can see it appears to also appropriately check input to ensure it doesn't blindly trust it as well.

Also the upstream history of this file looks pretty stable too http://git.savannah.gnu.org/gitweb/?p=grub.git;a=history;f=grub-core/net/http.c

So nothing in particular stands out as a red-flag security wise that I can see.
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
I've had another look; it still looks sane to me; but given that it's network code we're importing in the bootloader, it feels like a potential source of vulnerabilities and would be better to have it checked by the Security team. I've assigned it to ~ubuntu-security... Please have a look at grub-code/net/http.c; which seems to be the only real source file involved (from grub2 source) into providing the module.
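One way to support a review like the one requested above is to confirm mechanically that `http` is the only module the new NET_MODULES list adds to the image. This is an added example, not part of the original thread or of the grub2 packaging; the fragments and the CD_MODULES / GRUB_MODULES contents below are constructed stand-ins, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed stand-ins for the module-list section before and after the change.
# The CD_MODULES / GRUB_MODULES contents are assumptions, not the package's lists.
BASE_LISTS='
CD_MODULES="linuxefi net efinet"
GRUB_MODULES="$CD_MODULES lvm mdraid1x raid5rec raid6rec"
'
OLD_FRAGMENT="$BASE_LISTS"'
NET_MODULES="$CD_MODULES
    tftp
    "
'
NEW_FRAGMENT="$BASE_LISTS"'
NET_MODULES="$GRUB_MODULES
    tftp
    http
    "
'

# Expand NET_MODULES from a fragment inside a subshell and print one module
# per line, sorted and de-duplicated. The fragment is evaluated as shell, the
# same way the build would evaluate it.
net_modules() (
    set -f
    eval "$1"
    printf '%s\n' $NET_MODULES | sort -u
)

# Modules present in the new list ($2) but absent from the old list ($1).
added_modules() (
    old=$(net_modules "$1")
    for m in $(net_modules "$2"); do
        printf '%s\n' "$old" | grep -Fxq -- "$m" || printf '%s\n' "$m"
    done
)

# Added modules that are not in the space-separated expected set ($3).
unexpected_additions() (
    for m in $(added_modules "$1" "$2"); do
        case " $3 " in
            *" $m "*) ;;
            *) printf '%s\n' "$m" ;;
        esac
    done
)

unexpected=$(unexpected_additions "$OLD_FRAGMENT" "$NEW_FRAGMENT" "http")
if [ -n "$unexpected" ]; then
    echo "NET_MODULES gains more than http:" $unexpected
fi
```

With the constructed lists, the check reports the extra modules that come from switching the base list, which are separate from the HTTP client that was reviewed.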
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
** Changed in: grub2 (Ubuntu) Assignee: Mathieu Trudel-Lapierre (cyphermox) => Ubuntu Security Team (ubuntu-security)
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
** Tags added: id-5c13fa834458794246aeeb2c
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
Thank you for the FFe! It's really late for a feature freeze exception though, especially that we're now in Final Freeze. This means we shouldn't risk with anything 'risky' that isn't directly a release blocker for cosmic - which doesn't seem to be the case here. So for now, both me and Laney think that this should go rather as an SRU instead.
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
I have reviewed the HTTP code in grub, it looks sane .. no obvious issues that would break Secure Boot validation.
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
Needs to be New for the release team to approve (process is to set to Triaged)

** Changed in: grub2 (Ubuntu) Status: Triaged => New
** Changed in: grub2 (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
** Description changed: + {Description] + Grub supports booting files over the network via both FTP/HTTP. However, the Ubuntu package is not built with the grub HTTP modules. Enabling this would allow grub to obtain files over HTTP (such as initrd/kernel). + + [Rationale] + Enabling HTTP support for Grub would allow MAAS to use such functionality to boot files over the network with HTTP. This allows for improvement performance (vs using ftp) and for better security. + + [Original bug report] + GRUB has builtin support for HTTP via http.mod. This module is not being included in the prebuild grubnetx64.efi. All that should be required is adding the http module. I also suggest building grubnetx64.efi using GRUB modules to include lvm and RAID support this will allow grubnetx64.efi to local boot in all situations. --- build-efi-images 2018-08-17 10:50:35.124311043 -0700 +++ build-efi-images.new 2018-08-17 10:50:59.270661126 -0700 
@@ -148,8 +148,9 @@ raid5rec raid6rec " -NET_MODULES="$CD_MODULES +NET_MODULES="$GRUB_MODULES tftp + http " "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \ ** Description changed: {Description] Grub supports booting files over the network via both FTP/HTTP. However, the Ubuntu package is not built with the grub HTTP modules. Enabling this would allow grub to obtain files over HTTP (such as initrd/kernel). [Rationale] Enabling HTTP support for Grub would allow MAAS to use such functionality to boot files over the network with HTTP. This allows for improvement performance (vs using ftp) and for better security. + + MAAS would use this to download kernel and initrd over HTTP instead of + FTP at first for performance improvements. [Original bug report] GRUB has builtin support for HTTP via http.mod. This module is not being included in the prebuild grubnetx64.efi. All that should be required is adding the http module. I also suggest building grubnetx64.efi using GRUB modules to include lvm and RAID support this will allow grubnetx64.efi to local boot in all situations. --- build-efi-images 2018-08-17 10:50:35.124311043 -0700 +++ build-efi-images.new 2018-08-17 10:50:59.270661126 -0700 @@ -148,8 +148,9 @@ raid5rec raid6rec " -NET_MODULES="$CD_MODULES +NET_MODULES="$GRUB_MODULES tftp + http " "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
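Review bot: The file headers `--- build-efi-images` and `+++ build-efi-images.new` name the script without its directory, so the patch applies only from inside the directory that holds it. The changelog entry on this bug refers to the file as debian/build-efi-images; generating the diff from the package root against that path would let it apply with the usual -p1 and makes clear which file in the source package is being changed.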
[Bug 1787630] Re: [FFe] Include HTTP support in pre-build GRUB module
** Summary changed:
- Include HTTP support in pre-build GRUB module
+ [FFe] Include HTTP support in pre-build GRUB module