** Description changed:

- Development versions of snappy Ubuntu Core leverage grub's squashfs
- support to load kernels and initramfs directly from the kernel snap
- (which is a squashfs-format archive).  This requires the loopback and
- the squash4 grub modules to be loaded.
+ [SRU Justification]
+ Development versions of snappy Ubuntu Core leverage grub's squashfs support 
to load kernels and initramfs directly from the kernel snap (which is a 
squashfs-format archive).  This requires the loopback and the squash4 grub 
modules to be loaded.
  
  Currently, neither of these modules is included in the signed EFI
  binaries, therefore this boot strategy is not compatible with
  SecureBoot.
  
  We should verify that the loopback and squash4 modules are suitable for
  inclusion in the signed binary, and include them.
+ 
+ [Test case]
+ 1. Grab the snappy image from 
https://people.canonical.com/~mvo/all-snaps/amd64-all-snap.img.xz and 
uncompress it.
+ 2. Install grub-efi-amd64-signed from xenial-updates.
+ 3. Use kpartx to loop mount /dev/mapper/loopNp2.
+ 4. Replace boot/efi/BOOT/BOOTX64.EFI in the boot partition with 
/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed.
+ 5. Unmount the boot partition.
+ 6. Boot the image in a VM using UEFI firmware (not BIOS)
+ 7. Confirm that the image fails to boot with an error about the loopback 
command not found.
+ 8. Shut down the VM.
+ 9. Install grub-efi-amd64-signed from xenial-proposed.
+ 10. Mount the boot partition again.
+ 11. Replace boot/efi/BOOT/BOOTX64.EFI in the boot partition with 
/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed.
+ 12. Unmount the boot partition and remove the kpartx mapping.
+ 13. Boot the image in a VM again, using UEFI firmware.
+ 14. Confirm that the image boots successfully.
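Review bot: steps 6 and 13 of the [Test case] say only "using UEFI firmware" and never state that Secure Boot is enabled in the VM, although the justification is that the missing modules make this boot strategy incompatible with SecureBoot. As written, the failure in step 7 and the success in step 14 are not tied to the condition the SRU is meant to fix. Suggest stating in steps 6 and 13 that the VM firmware has Secure Boot enabled. Step 3 also refers to /dev/mapper/loopNp2 without first saying which image file kpartx is run against; naming the uncompressed image from step 1 there would make the procedure reproducible.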

** Description changed:

  [SRU Justification]
  Development versions of snappy Ubuntu Core leverage grub's squashfs support 
to load kernels and initramfs directly from the kernel snap (which is a 
squashfs-format archive).  This requires the loopback and the squash4 grub 
modules to be loaded.
  
  Currently, neither of these modules is included in the signed EFI
  binaries, therefore this boot strategy is not compatible with
  SecureBoot.
  
  We should verify that the loopback and squash4 modules are suitable for
  inclusion in the signed binary, and include them.
  
  [Test case]
  1. Grab the snappy image from 
https://people.canonical.com/~mvo/all-snaps/amd64-all-snap.img.xz and 
uncompress it.
  2. Install grub-efi-amd64-signed from xenial-updates.
  3. Use kpartx to loop mount /dev/mapper/loopNp2.
  4. Replace boot/efi/BOOT/BOOTX64.EFI in the boot partition with 
/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed.
  5. Unmount the boot partition.
  6. Boot the image in a VM using UEFI firmware (not BIOS)
  7. Confirm that the image fails to boot with an error about the loopback 
command not found.
  8. Shut down the VM.
  9. Install grub-efi-amd64-signed from xenial-proposed.
  10. Mount the boot partition again.
  11. Replace boot/efi/BOOT/BOOTX64.EFI in the boot partition with 
/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed.
  12. Unmount the boot partition and remove the kpartx mapping.
  13. Boot the image in a VM again, using UEFI firmware.
  14. Confirm that the image boots successfully.
+ 
+ [Regression potential]
+ Minimal.  This SRU adds two additional modules to the UEFI boot images, which 
add a new command and a new filesystem driver respectively.  Users who do not 
have the 'loopback' command in their grub.cfg, and who do not have any squashfs 
filesystems as raw disks or partitions, should not see any behavior difference. 
 The added modules slightly increase the size of the grub images, from ~1.1MiB 
to ~1.2MiB.  This should not affect the usability of these bootloader images.
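Review bot: the [Regression potential] paragraph covers behavior differences and image size, but it does not record the outcome of the check the justification asks for ("We should verify that the loopback and squash4 modules are suitable for inclusion in the signed binary"). Since the text itself says the two modules add a new command and a new filesystem driver to the signed image, suggest adding a sentence stating whether that suitability review was done and what it concluded, so that the SRU reviewer does not have to infer it from "Minimal."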

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1604499

Title:
  include loopback and squash4 modules in EFI binary
