The recent GRUB2 updates that patched some serious security vulnerabilities also caused boot failure issues for some users, so fixes for these regressions have started appearing for some distros, including Debian and Ubuntu.
Last week, I reported on the BootHole vulnerability (and seven other flaws) found in the GRUB2 bootloader, which is used by almost all GNU/Linux distributions out there. The issues opened up systems using Secure Boot to attacks, allowing local attackers to bypass UEFI Secure Boot restrictions and execute arbitrary code.
Due to a highly coordinated effort between the security researchers who discovered the vulnerability and Linux OS maintainers, most GNU/Linux distributions were able to provide patches for their users. However, for some, these patches broke the Secure Boot implementation and left people with unbootable systems.
The Debian Project was among the first to publish updated GRUB2 packages at the end of July, just one day after the BootHole patches were published, for its latest Debian GNU/Linux 10 “Buster” operating system series, urging users to update their systems to grub2 version 2.02+dfsg1-20+deb10u2 in order to address the boot regression.
Canonical has now released new versions of the GRUB2 packages today for all of its supported Ubuntu releases, including Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS and Ubuntu 14.04 ESM, to address the boot failure issues.
Users must update their GRUB2 packages to version 2.04-1ubuntu26.2 on Ubuntu 20.04 LTS, 2.02-2ubuntu8.17 on Ubuntu 18.04 LTS, 2.02~beta2-36ubuntu3.27 on Ubuntu 16.04 LTS, and 2.02~beta2-9ubuntu1.21 on Ubuntu 14.04 ESM.
A normal system update, run with the sudo apt update && sudo apt full-upgrade command, will do the trick. After installing the new GRUB2 versions, users with BIOS systems should verify that the bootloader is installed correctly and that it has the correct boot device location.
“Unfortunately, the update introduced regressions for some BIOS systems (either pre-UEFI or UEFI configured in Legacy mode), preventing them from successfully booting. This update addresses the issue. We apologize for the inconvenience,” said Canonical in the security advisory.
According to Canonical, to fully mitigate these new GRUB2 vulnerabilities, users will have not only to install the updated GRUB2 packages, but also to apply a UEFI Revocation List (dbx) to system firmware, which will be provided to all Ubuntu users at a later time. For more details on the required mitigation steps, please check out this support article.
Now that Debian and Ubuntu have released fixes for these boot regressions, I believe more GNU/Linux distributions based on them will adopt them too. Most probably, other distros affected by these issues will also publish updated GRUB2 versions to fix any boot failures, so make sure you’re updating your systems on a regular basis.