Bug#1051271: GRUB2 2.12~rc1-7 prevent machine to boot

Tue Sep 5 18:34:13 BST 2023

On Tue, Sep 05, 2023 at 12:26:56PM -0400, M. Zhou wrote:
> On Tue, 5 Sep 2023 18:11:55 +0200 "Miguel A. Vallejo"
> <ea4eoz at gmail.com> wrote:
> > M. Zhou wrote:
> > 
> > > But after that I noticed that the most important
> > > package grub-efi-amd64-signed:amd64 (1+2.06+13,
> > > 1+2.12~rc1+7) was not upgraded along with the other
> > > grub packages.
> > 
> > You are right. I revised apt log and grub-efi-amd64-signed was NOT
> > updated, in fact, the version I have installed now is 1+2.06+13, but
> > all other grub packages have  2.06-3~deb11u5.
> > 
> > Now, if I run apt update, and apt list --upgradable it shows:
> > 
> > grub-common/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06-
> 3~deb11u5]
> > grub-efi-amd64-bin/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06-
> 3~deb11u5]
> > grub-efi-amd64-signed/unstable 1+2.12~rc1+7 amd64 [upgradable from:
> 1+2.06+13]
> > grub-efi-amd64/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06-
> 3~deb11u5]
> > grub2-common/unstable 2.12~rc1-7 amd64 [upgradable from: 2.06-
> 3~deb11u5]
> > 
> > 
> > All of them with version 2.12~rc1-7
> > 
> > Is it safe to upgrade now? I'll wait a bit until I hear from the
> > package maintainers.
> 
> I am able to boot with 2.12~rc1-7 now. And my currrent status is
> 
> grub-common/unstable,now 2.12~rc1-7 amd64 [installed]
> grub-efi-amd64-bin/unstable,now 2.12~rc1-7 amd64 [installed,automatic]
> grub-efi-amd64-signed/unstable,now 1+2.12~rc1+7 amd64
> [installed,automatic]
> grub-efi-amd64/unstable,now 2.12~rc1-7 amd64 [installed,automatic]
> grub2-common/unstable,now 2.12~rc1-7 amd64 [installed,automatic]
> 
> I reinstalled grub using 2.12~rc1-7.
> But I still cannot guarantee it is safe to upgrade.
> 
> 
> I believe the issue is the missing versioned dependency, which
> allowed partial upgrade.
> 
> If you check the testing, you will find that
> 
>  grub-efi-amd64-signed/1+2.06+13 Depends: grub-common (>= 2.06-13)
> 
> Then, if we upgrade grub-common to 2.12~rc1-7, without
> upgrading grub-efi-amd64-signed itself, then the boot is broken.
> 
> TLDR: the boot is broken with the following partial upgrade:
> grub-common/2.12~rc1-7
> grub-efi-amd64-signed/2.06+13
> 
> A possible fix might be specifying
>  Depends: grub-common (>= 2.12~rc1-7)), grub-common (<= 2.13~)
> to prevent incompatible grub-common and grub-efi-amd64-signed
> from co-existing. Although it does not help this time.
> 

Thanks for confirming this, this makes sense, if you boot without
secure boot, the signed grub 2.06 could then try to upload
incompatible modules from 2.12~rc1 and crash.

The 2.12~rc1-8 and -9 uploads change this in two steps to avoid
this by making the signed package require a matching unsigned one
again, and by making the existing -bin package Breaks << 1+2.12~rc1
such that you cannot partially upgrade those with incompatible older
grubs.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en