Well, finally some success in resolving the muck-up in the fix for the BootHole vulnerability I applied through system update on Monday, August 3, 2020. As indicated in my post above, I found an Ubuntu Wiki article (last update 2020-08-05) where they admitted they messed up and explained how to reverse the damage, but not how to fix the BootHole issue.
There is still a minor problem after completing this process, but my system will now UEFI SecureBoot boot Kubuntu 18.04 installed on an SSD in a dual boot system with Windows 10.
From the Wiki post, this is the process I followed to Fix the Botched GRUB2 BootHole Problem. NOTE: This only reverses the updates and removes the bad fix.
- First, you have to create a LiveCD USB of the latest Ubuntu/Kubuntu 20.04 distro. Older versions of the OS or another OS do not boot for me. I had to use Kubuntu 20.04 to get around the ‘mmx65.efi missing error’ on older versions of the OS. You will need internet access later in this process!
- Boot computer with LiveCD USB.
- Open Terminal session
- Mount the root filesystem and components for your installed OS. You also need to mount specific directories for the chroot environment to be used later. My Kubuntu root is installed on an SSD, on the 3rd partition. You need to determine what is correct for the root partition on your installation.
Code:
sudo mount /dev/nvme0n1p3 /mnt
for i in /sys /proc /run /dev /dev/pts ; do sudo mount --bind "$i" "/mnt$i"; done
sudo mv /mnt/etc/resolv.conf /mnt/etc/resolv.conf.bak
sudo cp -L /etc/resolv.conf /mnt/etc/
- I have a separate partition for /boot so I need to mount it as well:
Code:
sudo mount /dev/nvme0n1p1 /mnt/boot
- Now CHROOT into the SSD filesystem:
- Find installed kernels on SSD:
Code:
dpkg -l | grep linux-image
- You likely can skip this step. I messed up part of the kernel boot files during other attempts to fix this problem. If you do this step, BE SURE to determine the correct kernel version number/name. So I had to reinstall the latest kernel onto the SSD install:
Code:
sudo apt-get install --reinstall linux-image-5.4.0-42-generic
- Mount the /boot/efi directory
- From the instructions on the Wiki page now, download and install a previous 'working' version of grub2/grub2-signed. It is imperative that you determine from the Wiki page the correct grub2 version to downgrade to for this process to work. You have to do this with .deb packages. This worked for me; YMMV.
GRUB2_VERSION=2.02-2ubuntu8.15
GRUB2_LP_URL=https://launchpad.net/ubuntu/+source...8831561/+files
GRUB2_SIGNED_VERSION=1.93.16
GRUB2_SIGNED_LP_URL=https://launchpad.net/ubuntu/+source...8831639/+files
Code:
cd /tmp
for i in grub-common grub-efi grub-efi-amd64 grub-efi-amd64-bin grub2-common ; do wget $GRUB2_LP_URL/${i}_${GRUB2_VERSION}_amd64.deb ; done
wget $GRUB2_SIGNED_LP_URL/grub-efi-amd64-signed_${GRUB2_SIGNED_VERSION}+${GRUB2_VERSION}_amd64.deb
dpkg -i ./grub*.deb
- Notice the output below shows an error when running the last command. I decided, because it is a conflict in dependencies, not to do anything about it now.
Code:
root@kubuntu:/tmp# dpkg -i ./grub*.deb
dpkg: warning: downgrading grub2-common from 2.02-2ubuntu8.17 to 2.02-2ubuntu8.15
(Reading database ... 445158 files and directories currently installed.)
Preparing to unpack .../grub2-common_2.02-2ubuntu8.15_amd64.deb ...
Unpacking grub2-common (2.02-2ubuntu8.15) over (2.02-2ubuntu8.17) ...
dpkg: warning: downgrading grub-common from 2.02-2ubuntu8.17 to 2.02-2ubuntu8.15
Preparing to unpack .../grub-common_2.02-2ubuntu8.15_amd64.deb ...
Running in chroot, ignoring request.
Running in chroot, ignoring request: daemon-reload
Running in chroot, ignoring request: is-active
Running in chroot, ignoring request: stop
Unpacking grub-common (2.02-2ubuntu8.15) over (2.02-2ubuntu8.17) ...
Running in chroot, ignoring request: daemon-reload
Selecting previously unselected package grub-efi.
Preparing to unpack .../grub-efi_2.02-2ubuntu8.15_amd64.deb ...
Unpacking grub-efi (2.02-2ubuntu8.15) ...
Selecting previously unselected package grub-efi-amd64.
dpkg: considering removing grub-pc in favour of grub-efi-amd64 ...
dpkg: no, cannot proceed with removal of grub-pc (--auto-deconfigure will help):
grub-gfxpayload-lists depends on grub-pc (>= 1.99~20101210-1ubuntu2)
grub-pc is to be removed.
dpkg: regarding .../grub-efi-amd64_2.02-2ubuntu8.15_amd64.deb containing grub-efi-amd64:
grub-efi-amd64 conflicts with grub-pc
grub-pc (version 2.02-2ubuntu8.17) is present and installed.
dpkg: error processing archive ./grub-efi-amd64_2.02-2ubuntu8.15_amd64.deb (--install):
conflicting packages - not installing grub-efi-amd64
dpkg: warning: downgrading grub-efi-amd64-bin from 2.02-2ubuntu8.17 to 2.02-2ubuntu8.15
Preparing to unpack .../grub-efi-amd64-bin_2.02-2ubuntu8.15_amd64.deb ...
Unpacking grub-efi-amd64-bin (2.02-2ubuntu8.15) over (2.02-2ubuntu8.17) ...
dpkg: warning: downgrading grub-efi-amd64-signed from 1.93.19+2.02-2ubuntu8.17 to 1.93.16+2.02-2ubuntu8.15
Preparing to unpack .../grub-efi-amd64-signed_1.93.16+2.02-2ubuntu8.15_amd64.deb ...
Unpacking grub-efi-amd64-signed (1.93.16+2.02-2ubuntu8.15) over (1.93.19+2.02-2ubuntu8.17) ...
Setting up grub-common (2.02-2ubuntu8.15) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Running in chroot, ignoring request: daemon-reload
Running in chroot, ignoring request.
Running in chroot, ignoring request: daemon-reload
Running in chroot, ignoring request: is-active
Running in chroot, ignoring request: start
dpkg: dependency problems prevent configuration of grub-efi:
grub-efi depends on grub-efi-amd64 (= 2.02-2ubuntu8.15); however:
Package grub-efi-amd64 is not installed.
dpkg: error processing package grub-efi (--install):
dependency problems - leaving unconfigured
Setting up grub-efi-amd64-bin (2.02-2ubuntu8.15) ...
Setting up grub-efi-amd64-signed (1.93.16+2.02-2ubuntu8.15) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Setting up grub2-common (2.02-2ubuntu8.15) ...
Processing triggers for install-info (6.5.0.dfsg.1-2) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for systemd (237-3ubuntu10.41) ...
Running in chroot, ignoring request: daemon-reload
Processing triggers for ureadahead (0.100.0-21) ...
Errors were encountered while processing:
./grub-efi-amd64_2.02-2ubuntu8.15_amd64.deb
grub-efi
root@kubuntu:/tmp#
- Finishing steps of the Wiki process:
Code:
cp -df /etc/resolv.conf.bak /etc/resolv.conf
- Unmount
- Exit chroot environment
- Unmount the SSD filesystem:
Code:
sudo umount /mnt/boot # Says: ‘Target is busy??’ I ignored this because it’s in the LiveCD environment.
sudo umount /mnt/sys
sudo umount /mnt/run
sudo umount /mnt/dev/pts
sudo umount /mnt/dev
sudo umount /mnt/proc
- Reboot like normal (with UEFI and SecureBoot) into the installed Kubuntu OS. IT WORKS!
****** After Successful UEFI Reboot into Kubuntu 18.04 on installed system SSD drive:
- To check on the package dependency problem, I run a system update:
$ sudo apt-get update && sudo apt-get --with-new-pkgs upgrade
[sudo] password for z973-admin:
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:2 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Hit:3 http://packages.microsoft.com/repos/vscode stable InRelease
Get:4 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [294 kB]
Get:7 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [46.0 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [279 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2,468 B]
Get:10 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [49.2 kB]
Get:11 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2,464 B]
Get:12 http://us.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [9,292 B]
Fetched 935 kB in 2s (553 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
You might want to run 'apt --fix-broken install' to correct these.
The following packages have unmet dependencies:
grub-efi : Depends: grub-efi-amd64 (= 2.02-2ubuntu8.15)
grub-pc : Depends: grub-common (= 2.02-2ubuntu8.17)
Depends: grub2-common (= 2.02-2ubuntu8.17)
grub-pc-bin : Depends: grub-common (= 2.02-2ubuntu8.17)
E: Unmet dependencies. Try 'apt --fix-broken install' with no packages (or specify a solution).
$
At this point, I’m not sure what to do next. It appears there are two versions of pieces of the grub stuff. My question is: Do I even need to have grub-pc and grub-pc-bin installed? The system boots and operates correctly as far as I can tell.
Note: after this fix, you still cannot boot any older LiveUSBs or DVDs. The Boot choices menu (F12 on my system) does not even show a bootable device for the LiveUSB! I think that is the intended action but I’m not sure.
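
The mixed-version state described at the end of the post (some GRUB packages rolled back to the pre-fix 2.02-2ubuntu8.15, others still at 2.02-2ubuntu8.17, one left unconfigured) can be checked mechanically. The script below is an added example, not part of the original post or the Ubuntu Wiki procedure; it assumes that packages whose names start with grub-common, grub2-common, grub-efi or grub-pc are the ones built from grub2, and its sample input is constructed from the dpkg and apt output shown in the post.

```shell
#!/bin/sh
# Added example (not from the post): audit GRUB package state after a downgrade.
# Input, one package per line: "<status> <package> <version>", e.g. from
#   dpkg-query -W -f='${db:Status-Abbrev} ${Package} ${Version}\n' 'grub*'

# Constructed sample mirroring the dpkg/apt output in the post; the
# grub-gfxpayload-lists version is a made-up placeholder.
SAMPLE='ii grub-common 2.02-2ubuntu8.15
ii grub2-common 2.02-2ubuntu8.15
iU grub-efi 2.02-2ubuntu8.15
ii grub-efi-amd64-bin 2.02-2ubuntu8.15
ii grub-efi-amd64-signed 1.93.16+2.02-2ubuntu8.15
ii grub-pc 2.02-2ubuntu8.17
ii grub-pc-bin 2.02-2ubuntu8.17
ii grub-gfxpayload-lists 0.0-placeholder'

# Print "<grub2-version> <package> <status>" for packages built from grub2.
grub_versions() {
  awk 'NF >= 3 && $2 ~ /^(grub-common|grub2-common|grub-efi|grub-pc)/ {
    v = $3
    # The -signed package is versioned "<signed-ver>+<grub2-ver>"; keep the latter.
    if ($2 ~ /-signed$/) sub(/^[^+]*[+]/, "", v)
    print v, $2, $1
  }'
}

# Distinct grub2 versions present (more than one line means version skew).
grub_distinct_versions() { grub_versions | awk '{ print $1 }' | sort -u; }

# Packages dpkg left in any state other than fully installed ("ii").
grub_not_configured() { grub_versions | awk '$3 != "ii" { print $2 }'; }

# Packages at a given grub2 version, e.g. the pre-fix one that was rolled back to.
grub_at_version() { grub_versions | awk -v want="$1" '$1 == want { print $2 }'; }

# Print a report; return 1 when the package set is inconsistent.
grub_report() {
  input=$(cat)
  n=$(printf '%s\n' "$input" | grub_distinct_versions | wc -l | tr -d ' ')
  broken=$(printf '%s\n' "$input" | grub_not_configured)
  printf 'distinct grub2 versions: %d\n' "$n"
  printf '%s\n' "$input" | grub_versions | sort
  [ -n "$broken" ] && printf 'not configured: %s\n' $broken
  [ "$n" -le 1 ] && [ -z "$broken" ]
}

printf '%s\n' "$SAMPLE" | grub_report || echo 'result: inconsistent GRUB package set'
```

On an installed system, pipe the `dpkg-query` command from the header comment into `grub_report` instead of the sample.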