Univention Bugzilla – Bug 51984
Transition from UCS signed package to Debian signed packages
Last modified: 2021-05-25 16:00:34 CEST
shim, grub, kernel are all available signed by Debian. Remove the UCS integration and also switch our meta packages to the Debian meta packages, e.g. univention-kernel-image → linux-image-amd64
For UCS-5 we switch to Debian-10-Buster, which already provides signed
- SHIM
- GRUB2
- Linux Kernel
packages, which is done by Debian. With UCS-4 we were doing it ourselves, which requires extra work every time a new Linux Kernel or GRUB2 package is released. We even ship a very old SHIM version, which might be revoked by Microsoft any moment because of Bug #51748.

Last weekend Debian released its 10.8 point release, which includes a new GRUB2 package:

```
| 135722 | 2.02+dfsg1-20         | 2019-12-14 03:59:27.81525  |
| 153597 | 2.02+dfsg1-20+deb10u2 | 2020-08-03 09:44:46.9941   |
| 155718 | 2.02+dfsg1-20+deb10u3 | 2021-02-08 08:28:48.829257 |
```

We already ported our patches from UCS-4 to UCS-5:

```
grub2/5.0-0-0-ucs/
├── 2.02+dfsg1-20
│   ├── 25_replace_gnu_linux_with_corporate_server.quilt
│   ├── 51-menu-color.patch
│   ├── 51-menu-color.quilt
│   └── 60-Sort-old-UCS-kernel-after-Debian-kernel.patch
├── 2.02+dfsg1-20+deb10u2
│   ├── 25_replace_gnu_linux_with_corporate_server.quilt
│   ├── 51-menu-color.patch
│   ├── 51-menu-color.quilt
│   └── 60-Sort-old-UCS-kernel-after-Debian-kernel.patch
└── 2.02+dfsg1-20+deb10u3
    ├── 25_replace_gnu_linux_with_corporate_server.quilt
    ├── 51-menu-color.patch
    ├── 51-menu-color.quilt
    └── 60-Sort-old-UCS-kernel-after-Debian-kernel.patch
```

But they MUST NOT be applied: As noted at Bug #51488 we currently cannot modify GRUB, as this breaks the signatures generated by Debian and prevents our DVD from being built.
State
=====

UCS-5 already uses all packages from Debian unchanged.
Installation with SB enabled required two manual steps.

Issues
======

Boot from ISO
-------------

Booting from the 5.0-0-rc0.iso did not show a GRUB menu, but dumps you to the command line. Using the following manual step continues the boot into the D-I:

    grub> normal

Boot installed system
---------------------

The then installed system is SB enabled. There too the following manual step is needed:

    grub> source /efi/univention/grub.cfg

This can be "fixed" by doing `cp -r /boot/efi/EFI/{univention,debian}` manually after a successful boot.

Analysis
========

The name "debian" is hard-coded into GRUB before signing, so we cannot change it:

```
grub/debian/build-efi-images
...
 34 efi_vendor="${8:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
...
199 # CD boot image
203         -p /boot/grub \
...
207 # Normal disk boot image
209         -d "$grub_core" -p "/EFI/$efi_vendor" \
...
213 # Normal network boot image
...
221 # Special network boot image for d-i to use. Just the same as the
```

grub.cfg
--------

There are 3 "grub.cfg" involved in the ISO boot:

1. `grub> cat /EFI/debian/grub.cfg`

   ```
   ### Generated by debian-installer/installer/build/util/efi-image:50-56
   search --file --set=root /.disk/info
   set prefix=($root)/boot/grub
   source $prefix/x86_64-efi/grub.cfg
   ```

2. `grub> cat /boot/grub/x86_64-efi/grub.cfg`

   ```
   ### Generated by debian-installer/installer/build/util/efi-image:58-63
   echo Loading step 2
   insmod part_acorn,amiga,apple,bsd,dfly,dvh,gpt,msdos,plan,sun,sunpc
     → error: Secure Boot forbids loading module from (hd1)/boot/grub/x86_64-efi/part_*.mod.
   ...
   ##MISSING## source /boot/grub/grub.cfg
   ```

3. `grub> cat /boot/grub/grub.cfg`

   ```
   ### Generated by debian-installer/installer/build/util/grub-gencfg
   echo Loading step 3
   if loadfont $prefix/font.pf2 ; then
   ...
   fi
   ...
   ```

    grub> normal

Debian UCS ISO comparison
-------------------------

```bash
DISO=/mnt/omar/vmwares/iso-images/linux/debian/buster/debian-10.8.0-amd64-netinst.iso
UISO=/mnt/omar/vmwares/iso-images/ucs/5.0-0/RC/ucs_5.0-0-rc0-amd64.iso
for p in /EFI/debian/grub.cfg /boot/grub/x86_64-efi/grub.cfg /boot/grub/grub.cfg
do
	diff -u <(exec isoinfo -i "$DISO" -R -x "$p") <(exec isoinfo -i "$UISO" -R -x "$p")
done
```

1. UCS is missing the `source /boot/grub/grub.cfg` in 2.
2. UCS misses several `set gfxpayload=keep` in 3.: Bug #52798 comment 7

Fix
===

- [x] Even though it looks like "/boot/grub/grub.cfg" is executed directly, it's actually "/EFI/debian/grub.cfg". The intermediate "/boot/grub/x86_64-efi/grub.cfg" was missing the "source /boot/grub/grub.cfg", so the final file containing the menu was never executed. "normal" does this by sourcing "$prefix/grub.cfg", which (by accident) is exactly that file. Remove "debian-cd/5.0-0-0-ucs/3.1.25/0002-Bug-36410-fixed-double-entries-in-UEFI-mode.patch", which breaks this.

  r19339 | Bug #51984 dvd: Continue grub.cfg chain loading

  Package: debian-cd
  Version: 3.1.25A~5.0.0.202103261654

  OK: isotests/ucs_5.0-0-20210326-165649-dvd-amd64.iso

TODO
====

Booting the installed system still requires a manual step as mentioned above.

- [ ] Switch name from "univention" to "debian" or find a way to teach SHIM/GRUB/... to use "univention" instead of "debian".

As discussed with @steuwer this will happen post-RELEASE, so removing myself as ASSIGNEE for now.

Additional data from my tests
=============================

As an alternative you can load the Linux kernel and its InitRamFS manually:

    linuxefi /install.amd/vmlinuz preseed/file=/cdrom/preseed.cfg vga=788 quiet dpms=false ---
    initrdefi /install.amd64/initrd.gz
    boot

Hints
=====

* https://www.gnu.org/software/grub/manual/grub/grub.html
* set pager=1
* set debug=all
We tested UCS5 Beta and RC on KVM VMs with UEFI. They do not boot as outlined in comment 2.

We fixed the boot procedure for the installed product by creating the directory "/boot/efi/EFI/debian" and the file "/boot/efi/EFI/debian/grub.cfg" with the contents

    configfile /efi/univention/grub.cfg

This file will be loaded and executed as hardcoded in the debian grub binaries. Because during the boot the "root" variable is already set accordingly, this should(tm) work no matter what the disk layout or what disks are installed.

Perhaps it is also possible to fix the installer images, if they don't work yet. This might also fix #52677.

I don't know if you want to create a separate package for that, modify a package, or just create this file at a specific step during the installation procedure. My suggestion is to modify univention-grub; either do a postinst script or you can hijack the grub menu generation infrastructure under /etc/grub.d and drop a script there. The script could check for the existence of EFI/debian, so as not to meddle with existing installations, and then drop in the replacement file. Perhaps the check should also test the presence of the efi executables, and/or should check if the grub.cfg file is the above mentioned patched version. That way you can revert this path when it is not necessary anymore.
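A shell sketch of the postinst-style check suggested in the comment above, added here as an example; it is not the univention-grub postinst that Univention shipped. The function names, the ESP mount-point parameter (defaulting to /boot/efi) and the return codes are assumptions chosen so the logic can be exercised against a scratch directory:

```shell
#!/bin/sh
# Added example, not Univention's univention-grub postinst.
# Debian's signed SHIM/GRUB look for /EFI/debian/grub.cfg on the EFI System
# Partition (ESP); UCS installs its tree under /EFI/univention. The bridge
# file below hands control over to the UCS configuration.
# Assumption: the ESP mount point is passed as $1 (default /boot/efi).

BRIDGE_CFG='configfile /efi/univention/grub.cfg'

# Returns 0 when the bridge is in place (created or already present),
# 2 when there is no UCS grub.cfg to chain to, 3 when EFI/debian already
# holds foreign files (e.g. a real Debian installation sharing the ESP).
install_debian_bridge_cfg() {
    esp="${1:-/boot/efi}"
    debian_dir="$esp/EFI/debian"
    cfg="$debian_dir/grub.cfg"

    [ -f "$esp/EFI/univention/grub.cfg" ] || return 2

    if [ -d "$debian_dir" ]; then
        for f in "$debian_dir"/*; do
            [ -e "$f" ] || continue          # empty directory: glob stayed literal
            [ "$f" = "$cfg" ] || return 3    # anything but our own file: leave alone
        done
    fi

    # Idempotent: rewrite only if missing or different from the patched version.
    if [ -f "$cfg" ] && [ "$(cat "$cfg")" = "$BRIDGE_CFG" ]; then
        return 0
    fi
    mkdir -p "$debian_dir"
    printf '%s\n' "$BRIDGE_CFG" > "$cfg"
}

# Reverts the bridge, but only if the file is exactly the version written above,
# so a hand-edited or Debian-owned grub.cfg is never deleted. Returns 1 otherwise.
remove_debian_bridge_cfg() {
    esp="${1:-/boot/efi}"
    cfg="$esp/EFI/debian/grub.cfg"
    [ -f "$cfg" ] && [ "$(cat "$cfg")" = "$BRIDGE_CFG" ] || return 1
    rm -f "$cfg"
    rmdir "$esp/EFI/debian" 2>/dev/null || true
}
```

On a real system the postinst would call `install_debian_bridge_cfg /boot/efi` and the prerm `remove_debian_bridge_cfg /boot/efi`.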
While we switched the UCS installer to install "linux-image-amd64" instead of "univention-kernel-image", we forgot to make sure that it also happens on updates:

```
[5.0-0] 2985c38833 fix[server]: Depend on linux-image-amd64
 base/univention-server/debian/changelog | 6 ++++++
 base/univention-server/debian/control   | 1 +
 2 files changed, 7 insertions(+)

[5.0-0] 0e4f6c0ff3 fix[server]: Depend on linux-image-amd64 2
 base/univention-server/debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
```

Package: univention-server
Version: 15.0.3-6A~5.0.0.202104161622

(In reply to Sebastian Mohr from comment #3)
> We fixed the boot procedure for the installed product by creating the
> directory "/boot/efi/EFI/debian" and the file
> "/boot/efi/EFI/debian/grub.cfg" with the contents
>
>     configfile /efi/univention/grub.cfg

Thank you for the hint; I have included it.

```
[5.0-0] 12486c8ce4 fix[grub]: Close gap between Debian SHIM and Univention GRUB2
 base/univention-grub/debian/changelog                | 6 ++++++
 base/univention-grub/debian/univention-grub.postinst | 10 ++++++++++
 2 files changed, 16 insertions(+)

[5.0-0] 278749edd5 fix[grub]: Always create /boot/efi/EFI/debian/grub.cfg
 base/univention-grub/debian/univention-grub.postinst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
```

Package: univention-grub
Version: 13.0.0-6A~5.0.0.202104171657

Also had to fix Bug #53117 to get the upgrade working.

OK: Upgrade 4.4-7 -> 4.4-8 -> 5.0-0
OK: New installation ucs_5.0-0-20210417-170414-dvd-amd64.iso
* OK: univention-kernel-image no longer in git
* OK: UCS integration removed and switched to the Debian meta package univention-kernel-image → linux-image-amd64
* OK: Patches removed from SVN → do not apply them any more!
* OK: r19339 | Bug #51984 dvd: Continue grub.cfg chain loading
* OK: [5.0-0] 2985c38833 fix[server]: Depend on linux-image-amd64
* OK: [5.0-0] 0e4f6c0ff3 fix[server]: Depend on linux-image-amd64 2
* OK: [5.0-0] 12486c8ce4 fix[grub]: Close gap between Debian SHIM and Univention GRUB2
* ~OK: [5.0-0] 278749edd5 fix[grub]: Always create /boot/efi/EFI/debian/grub.cfg
* OK: Check the finished installation → /boot/EFI/* + /boot/* + grub.cfg + etc.
* Check list
** OK: Boot with UEFI in Proxmox
** OK: Boot with UEFI+SB in KVM
** OK: Boot with CD + UEFI+SB on hardware (UEFI test system)
** OK: Boot with HDD + UEFI+SB on hardware (UEFI test system)
** ~OK: UEFI update → Update itself was ok → Bug 53178 → EFI-GRUB is replaced automatically by BIOS-GRUB after successful update to UCS 5
* ??: changes in manual (UCS vs. Debian)
* ??: release notes (UCS vs. Debian)
[5.0-0] 36ed4115d0 Bug #51984: add hints about Debian and UCS on UEFI systems

DONE: changes in manual (UCS vs. Debian)
DONE: release notes (UCS vs. Debian)
UCS 5.0 has been released:
https://docs.software-univention.de/release-notes-5.0-0-en.html
https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".