Ubuntu 26.10 may drop btrfs, ZFS and LUKS support from GRUB



Ubuntu engineers are debating plans to scale back the set of features present in the signed build of GRUB, the boot loader used on systems with Secure Boot enabled.

Canonical engineer Julian Klode proposes dropping support for /boot on btrfs, HFS+, XFS and ZFS filesystems, along with GRUB’s JPEG and PNG image parsers, ahead of Ubuntu 26.10.

Apple partition table support, LVM volume handling, all software RAID except RAID 1 and, more controversially, LUKS-encrypted /boot partitions are also on the chopping block.

Many of these features are said to be ‘inherited from Debian, but never tested in Ubuntu’.

“The timing here is important”, Klode says, adding that “by doing the changes immediately after an LTS, we can keep affected users on an LTS release with support for 10 years, rather than an interim release with 9 months of support”.

The emphasis on ‘affected’ is mine, as it’s an important point: only those who use Secure Boot or installed Ubuntu with an ‘advanced’ boot setup not offered by the OS installer would be blocked from upgrading to Ubuntu 26.10.

Security is the main motivator

GRUB boot loader showing Ubuntu OS options.
Basic though GRUB looks, it’s a feature-rich tool

GRUB (GRand Unified Bootloader) is the black screen with white monospaced text you see when you start up a computer that runs Linux (and most Linux distributions use GRUB). It lets you select an operating system, a chained bootloader or another feature you want to use…

Which is the problem.

GRUB runs before Linux does, so it lacks the protections built into Linux operating systems. A bug in any component GRUB contains, even one Ubuntu doesn’t use, could potentially be exploited by an attacker – e.g., CVE-2024-45774, a vulnerability in GRUB’s JPEG parser.

But is the drama and concern around this proposal warranted?

The majority of people who install Ubuntu do so using the standard out-of-the-box options present in the OS installer. If you installed Ubuntu with full disk encryption (FDE) on ext4, your setup is unlikely to be affected.

Canonical engineer Máté Kukri has clarified this, stating that the distro is “not removing any kind of FDE support […] whatsoever”.

But if you manually created a LUKS-encrypted /boot, placed it on a ZFS or btrfs filesystem, or configured a non-RAID-1 software RAID (as some experienced Ubuntu users choose to do), this proposal would leave you unable to upgrade to Ubuntu 26.10.

Ubuntu Technical Board member Thomas Ward points out that the distro’s server installer sets up LVM by default, and that LUKS encryption on Ubuntu currently requires LVM. Some official system configurations could be caught out by the same restrictions.

Klode’s case for removing LUKS from /boot (that it offers “security through obscurity, but not actual security”) has drawn heat from users, while the need for the other removals has been questioned (btrfs and XFS have no GRUB CVEs, but squashfs, which is staying, has).
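If you want to know whether your own machine falls into one of the layouts described above, the following script (an added example, not from the article or from Canonical) classifies a /boot layout against the feature list in the proposal. It assumes util-linux’s findmnt and lsblk are installed; the classification itself takes plain strings, so it can be tried without touching a real system.

```shell
#!/bin/sh
# Added example, not from the article: flag a /boot layout that relies on a
# GRUB feature Klode proposes to drop from Ubuntu's signed GRUB (btrfs, ZFS,
# XFS, HFS+, LUKS on /boot, LVM, software RAID other than RAID 1).
#
# classify_boot FSTYPE "TYPE TYPE ..."  -> prints "ok" or "affected: ..."
#   FSTYPE : filesystem of /boot as findmnt reports it (ext4, btrfs, zfs, ...)
#   TYPES  : lsblk TYPE values of the device stack under /boot, innermost
#            first (e.g. "crypt part disk" or "lvm raid5 part disk")
classify_boot() {
    fstype=$1; types=$2; reason=""
    case "$fstype" in
        btrfs|zfs|xfs|hfsplus) reason="$reason /boot on $fstype;" ;;
    esac
    for t in $types; do
        case "$t" in
            crypt) reason="$reason LUKS-encrypted /boot;" ;;
            lvm)   reason="$reason LVM volume;" ;;
            raid1) ;;                        # RAID 1 stays in the signed GRUB
            raid*) reason="$reason software $t;" ;;
        esac
    done
    [ -z "$reason" ] && { echo ok; return 0; }
    echo "affected:$reason"; return 1
}

# Live check: find the filesystem holding /boot (findmnt -T falls back to /
# when /boot is not a separate mount) and walk its block-device ancestry with
# lsblk -s. ZFS datasets are not block devices, so lsblk is skipped for them;
# btrfs sources carry a "[/subvol]" suffix that is stripped first.
check_this_system() {
    fstype=$(findmnt -T /boot -no FSTYPE) || return 2
    source=$(findmnt -T /boot -no SOURCE)
    types=""
    if [ "$fstype" != zfs ]; then
        types=$(lsblk -sno TYPE "${source%%\[*}" 2>/dev/null | tr '\n' ' ')
    fi
    classify_boot "$fstype" "$types"
}
```

Run `check_this_system` on the machine in question; an exit status of 1 with an "affected:" line means the layout depends on a feature the proposal would remove.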

Proposals

Security is a noble goal, and measured, reasonable feedback will shape how this proposal moves forward in the coming months. Some users are concerned, and not all of Canonical’s engineers are convinced by the rationale either, with several asking for further clarification.

It’s unclear whether blocking upgrades from 26.04 LTS to 26.10 for advanced setups will have much of an impact. Ubuntu 28.04 LTS is the release most 26.04 LTS users will want to upgrade to, and two years gives time for the proposals to bed in.

After all, the point of interim releases is to trial and test substantive changes, to allow time for discussion, feedback and refinement – or, in the worst case, a rollback.

