Bug#966554: grub2-common: BootHole fixes in DSA-4735-1 break dual-boot with Windows
Jan Stolarek
jwstolarek at gmail.com
Thu Jul 30 15:56:08 BST 2020
Package: grub2-common
Version: 2.02+dfsg1-20+deb10u1
Severity: important
Dear Maintainer,
After installing DSA-4735-1 security update (BootHole fixes) it is no longer
possible to boot Windows from GRUB. Running `update-grub2` correctly detects
presence of Windows Boot Manager and creates GRUB entry for it. However,
selecting that entry on boot leads to black screen and nothing happens no matter
how long I wait. It is still possible to boot Windows directly from BIOS, i.e.
by bypassing GRUB altogether. Disabling Secure Boot does not help, neither does
reinstalling GRUB.
-- Package-specific info:
*********************** BEGIN /proc/mounts
/dev/mapper/nvme0n1p3_crypt / ext4 rw,relatime,errors=remount-ro 0 0
/dev/nvme0n1p2 /boot ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 0
/dev/nvme0n1p6 /mnt/win-c fuseblk rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096 0 0
/dev/nvme0n1p7 /mnt/win-dane fuseblk rw,relatime,user_id=0,group_id=0,default_permissions,allow_other,blksize=4096 0 0
/dev/mapper/nvme0n1p4_crypt /dane ext4 rw,relatime 0 0
*********************** END /proc/mounts
*********************** BEGIN /boot/grub/grub.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by grub-mkconfig using templates
# from /etc/grub.d and settings from /etc/default/grub
#
### BEGIN /etc/grub.d/00_header ###
if [ -s $prefix/grubenv ]; then
set have_grubenv=true
load_env
fi
if [ "${next_entry}" ] ; then
set default="${next_entry}"
set next_entry=
save_env next_entry
set boot_once=true
else
set default="0"
fi
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
else
menuentry_id_option=""
fi
export menuentry_id_option
if [ "${prev_saved_entry}" ]; then
set saved_entry="${prev_saved_entry}"
save_env saved_entry
set prev_saved_entry=
save_env prev_saved_entry
set boot_once=true
fi
function savedefault {
if [ -z "${boot_once}" ]; then
saved_entry="${chosen}"
save_env saved_entry
fi
}
function load_video {
if [ x$feature_all_video_module = xy ]; then
insmod all_video
else
insmod efi_gop
insmod efi_uga
insmod ieee1275_fb
insmod vbe
insmod vga
insmod video_bochs
insmod video_cirrus
fi
}
if [ x$feature_default_font_path = xy ] ; then
font=unicode
else
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root c18532de-5005-4d74-93bf-82cacb0668b1
else
search --no-floppy --fs-uuid --set=root c18532de-5005-4d74-93bf-82cacb0668b1
fi
font="/usr/share/grub/unicode.pf2"
fi
if loadfont $font ; then
set gfxmode=1920x1080x8
load_video
insmod gfxterm
set locale_dir=$prefix/locale
set lang=en_GB
insmod gettext
fi
terminal_output gfxterm
if [ "${recordfail}" = 1 ] ; then
set timeout=30
else
if [ x$feature_timeout_style = xy ] ; then
set timeout_style=menu
set timeout=3
# Fallback normal timeout code in case the timeout_style feature is
# unavailable.
else
set timeout=3
fi
fi
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/05_debian_theme ###
set menu_color_normal=cyan/blue
set menu_color_highlight=white/blue
### END /etc/grub.d/05_debian_theme ###
### BEGIN /etc/grub.d/10_linux ###
function gfxmode {
set gfxpayload="${1}"
}
set linux_gfx_mode=
export linux_gfx_mode
menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-c18532de-5005-4d74-93bf-82cacb0668b1' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
else
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
fi
echo 'Loading Linux 5.6.0-0.bpo.2-amd64 ...'
linux /vmlinuz-5.6.0-0.bpo.2-amd64 root=UUID=c18532de-5005-4d74-93bf-82cacb0668b1 ro quiet ipv6.disable=1
echo 'Loading initial ramdisk ...'
initrd /initrd.img-5.6.0-0.bpo.2-amd64
}
submenu 'Advanced options for Debian GNU/Linux' $menuentry_id_option 'gnulinux-advanced-c18532de-5005-4d74-93bf-82cacb0668b1' {
menuentry 'Debian GNU/Linux, with Linux 5.6.0-0.bpo.2-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-0.bpo.2-amd64-advanced-c18532de-5005-4d74-93bf-82cacb0668b1' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
else
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
fi
echo 'Loading Linux 5.6.0-0.bpo.2-amd64 ...'
linux /vmlinuz-5.6.0-0.bpo.2-amd64 root=UUID=c18532de-5005-4d74-93bf-82cacb0668b1 ro quiet ipv6.disable=1
echo 'Loading initial ramdisk ...'
initrd /initrd.img-5.6.0-0.bpo.2-amd64
}
menuentry 'Debian GNU/Linux, with Linux 5.6.0-0.bpo.2-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.6.0-0.bpo.2-amd64-recovery-c18532de-5005-4d74-93bf-82cacb0668b1' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
else
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
fi
echo 'Loading Linux 5.6.0-0.bpo.2-amd64 ...'
linux /vmlinuz-5.6.0-0.bpo.2-amd64 root=UUID=c18532de-5005-4d74-93bf-82cacb0668b1 ro single
echo 'Loading initial ramdisk ...'
initrd /initrd.img-5.6.0-0.bpo.2-amd64
}
menuentry 'Debian GNU/Linux, with Linux 4.19.0-9-amd64' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-9-amd64-advanced-c18532de-5005-4d74-93bf-82cacb0668b1' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
else
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
fi
echo 'Loading Linux 4.19.0-9-amd64 ...'
linux /vmlinuz-4.19.0-9-amd64 root=UUID=c18532de-5005-4d74-93bf-82cacb0668b1 ro quiet ipv6.disable=1
echo 'Loading initial ramdisk ...'
initrd /initrd.img-4.19.0-9-amd64
}
menuentry 'Debian GNU/Linux, with Linux 4.19.0-9-amd64 (recovery mode)' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.19.0-9-amd64-recovery-c18532de-5005-4d74-93bf-82cacb0668b1' {
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_gpt
insmod ext2
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
else
search --no-floppy --fs-uuid --set=root f65cd157-95ac-4bee-b1d9-70dd96a5366c
fi
echo 'Loading Linux 4.19.0-9-amd64 ...'
linux /vmlinuz-4.19.0-9-amd64 root=UUID=c18532de-5005-4d74-93bf-82cacb0668b1 ro single
echo 'Loading initial ramdisk ...'
initrd /initrd.img-4.19.0-9-amd64
}
}
### END /etc/grub.d/10_linux ###
### BEGIN /etc/grub.d/20_linux_xen ###
### END /etc/grub.d/20_linux_xen ###
### BEGIN /etc/grub.d/30_os-prober ###
menuentry 'Windows Boot Manager (on /dev/nvme0n1p1)' --class windows --class os $menuentry_id_option 'osprober-efi-AAE3-79DD' {
insmod part_gpt
insmod fat
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root AAE3-79DD
else
search --no-floppy --fs-uuid --set=root AAE3-79DD
fi
chainloader /EFI/Microsoft/Boot/bootmgfw.efi
}
### END /etc/grub.d/30_os-prober ###
### BEGIN /etc/grub.d/30_uefi-firmware ###
menuentry 'System setup' $menuentry_id_option 'uefi-firmware' {
fwsetup
}
### END /etc/grub.d/30_uefi-firmware ###
### BEGIN /etc/grub.d/40_custom ###
# This file provides an easy way to add custom menu entries. Simply type the
# menu entries you want to add after this comment. Be careful not to change
# the 'exec tail' line above.
### END /etc/grub.d/40_custom ###
### BEGIN /etc/grub.d/41_custom ###
if [ -f ${config_directory}/custom.cfg ]; then
source ${config_directory}/custom.cfg
elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then
source $prefix/custom.cfg;
fi
### END /etc/grub.d/41_custom ###
*********************** END /boot/grub/grub.cfg
*********************** BEGIN /proc/mdstat
cat: /proc/mdstat: No such file or directory
*********************** END /proc/mdstat
*********************** BEGIN LVM
*********************** END LVM
*********************** BEGIN /dev/disk/by-id
total 0
lrwxrwxrwx 1 root root 10 Jul 30 15:14 dm-name-nvme0n1p3_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 Jul 30 15:14 dm-name-nvme0n1p4_crypt -> ../../dm-1
lrwxrwxrwx 1 root root 10 Jul 30 15:14 dm-uuid-CRYPT-LUKS2-54eeee8a6eeb44898706a56f5211b202-nvme0n1p3_crypt -> ../../dm-0
lrwxrwxrwx 1 root root 10 Jul 30 15:14 dm-uuid-CRYPT-LUKS2-7d4085cdffc3492582115020383a2de2-nvme0n1p4_crypt -> ../../dm-1
lrwxrwxrwx 1 root root 13 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3 -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3-part3 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3-part4 -> ../../nvme0n1p4
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3-part5 -> ../../nvme0n1p5
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3-part6 -> ../../nvme0n1p6
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-Seagate_FireCuda_510_SSD_ZP2000GM30001_7MZ009R3-part7 -> ../../nvme0n1p7
lrwxrwxrwx 1 root root 13 Jul 30 15:14 nvme-eui.0024cf00f4002bf9 -> ../../nvme0n1
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-eui.0024cf00f4002bf9-part1 -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-eui.0024cf00f4002bf9-part2 -> ../../nvme0n1p2
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-eui.0024cf00f4002bf9-part3 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-eui.0024cf00f4002bf9-part4 -> ../../nvme0n1p4
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-eui.0024cf00f4002bf9-part5 -> ../../nvme0n1p5
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-eui.0024cf00f4002bf9-part6 -> ../../nvme0n1p6
lrwxrwxrwx 1 root root 15 Jul 30 15:14 nvme-eui.0024cf00f4002bf9-part7 -> ../../nvme0n1p7
*********************** END /dev/disk/by-id
*********************** BEGIN /dev/disk/by-uuid
total 0
lrwxrwxrwx 1 root root 15 Jul 30 15:14 54eeee8a-6eeb-4489-8706-a56f5211b202 -> ../../nvme0n1p3
lrwxrwxrwx 1 root root 10 Jul 30 15:14 75c034a3-aee0-4961-aec1-b88f2bd64d42 -> ../../dm-1
lrwxrwxrwx 1 root root 15 Jul 30 15:14 7AD05D93D05D570B -> ../../nvme0n1p7
lrwxrwxrwx 1 root root 15 Jul 30 15:14 7d4085cd-ffc3-4925-8211-5020383a2de2 -> ../../nvme0n1p4
lrwxrwxrwx 1 root root 15 Jul 30 15:14 AAE3-79DD -> ../../nvme0n1p1
lrwxrwxrwx 1 root root 15 Jul 30 15:14 C0344148344142A0 -> ../../nvme0n1p6
lrwxrwxrwx 1 root root 10 Jul 30 15:14 c18532de-5005-4d74-93bf-82cacb0668b1 -> ../../dm-0
lrwxrwxrwx 1 root root 15 Jul 30 15:14 f65cd157-95ac-4bee-b1d9-70dd96a5366c -> ../../nvme0n1p2
*********************** END /dev/disk/by-uuid
-- System Information:
Debian Release: 10.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.6.0-0.bpo.2-amd64 (SMP w/24 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages grub2-common depends on:
ii dpkg 1.19.7
ii grub-common 2.02+dfsg1-20+deb10u1
ii install-info 6.5.0.dfsg.1-4+b1
ii libc6 2.28-10
ii libdevmapper1.02.1 2:1.02.155-3
ii libefiboot1 37-2
ii libefivar1 37-2
ii liblzma5 5.2.4-1
grub2-common recommends no packages.
grub2-common suggests no packages.
-- no debconf information
More information about the Pkg-grub-devel
mailing list