
update grub and shim

Open bcressey opened this issue 1 year ago • 1 comment

Issue number: N/A

Description of changes: Update shim to 15.8 which includes recent CVE fixes.

Update grub to the latest version from AL23, and revert two patches that aren't required for Bottlerocket's Secure Boot implementation. This includes fixes for CVE-2023-4692 and CVE-2023-4693, which don't apply to Bottlerocket since the NTFS module isn't built. Overall, this update is a bit of a no-op but I wanted to get it in to record the decision to revert the patches, rather than leaving that for a future update.

I also added a patch from Red Hat that fixes CVE-2023-4001. That doesn't apply to Bottlerocket because the search directive isn't used to locate grub.cfg, so there is no ability to bypass a password that might be set. On variants that support Secure Boot there's also no way to modify grub.cfg to set a password. However, the functionality is useful to ensure that we read the expected boot config file for extending the kernel command line.

Testing done: Confirmed that Secure Boot works for the following variants:

  • aws-k8s-1.28 - x86_64, aarch64
  • vmware-dev - x86_64
  • metal-dev - x86_64 (under QEMU)

I also tested legacy BIOS boot on c3.large to confirm the "uefi-preferred" functionality works as expected.

Verified that in-place upgrades and downgrades worked for aws-k8s-1.28 (x86_64) and aws-k8s-1.28-nvidia (aarch64).

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

bcressey avatar Feb 14 '24 16:02 bcressey

Confirmed patches match their upstream counterparts and the shim update included revokes the previous grub generation number. Ready to approve once test results are in. :racehorse:

markusboehme avatar Feb 15 '24 18:02 markusboehme
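The reviewer's note above that the shim update "revokes the previous grub generation number" refers to shim's SBAT mechanism: shim carries a policy (its SbatLevel) of minimum generation numbers per component, and refuses to hand off to any EFI image whose `.sbat` section declares a listed component at a lower generation. The following is an added example, not code from Bottlerocket or shim, that implements that comparison so a practitioner can check a grub image against a policy offline. The SBAT payloads and generation numbers below are constructed samples; the `grub.example` vendor line and the `example.invalid` URL are placeholders. Real sections can be dumped with `objcopy -O binary --only-section=.sbat image.efi /dev/stdout`.

```python
"""Check an EFI image's SBAT metadata against a shim-style SbatLevel policy.

Added example (not Bottlerocket's or shim's own code). It mirrors the rule
shim applies at boot: for every component named in the policy, an image
that declares that component at a lower generation is refused. Components
the image does not declare are not affected by the policy.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SbatEntry:
    component: str
    generation: int
    vendor: str = ""
    package: str = ""
    version: str = ""
    url: str = ""


def parse_sbat(text: str) -> list[SbatEntry]:
    """Parse SBAT CSV (an image's .sbat section or a policy) into entries.

    Each line is component,generation[,vendor,package,version,url].
    Blank lines are skipped; a non-numeric generation is a parse error.
    """
    entries: list[SbatEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least component,generation")
        try:
            gen = int(fields[1])
        except ValueError:
            raise ValueError(f"line {lineno}: bad generation {fields[1]!r}") from None
        fields = fields + [""] * (6 - len(fields))
        entries.append(SbatEntry(fields[0], gen, *fields[2:6]))
    return entries


def revoked_entries(image_sbat: str, policy_sbat: str) -> list[tuple[SbatEntry, int]]:
    """Return (image_entry, required_generation) for each policy violation.

    A policy line only applies to components the image actually declares,
    which is why a grub image is unaffected by a "shim" line in the policy.
    """
    required = {e.component: e.generation for e in parse_sbat(policy_sbat)}
    hits: list[tuple[SbatEntry, int]] = []
    for entry in parse_sbat(image_sbat):
        need = required.get(entry.component)
        if need is not None and entry.generation < need:
            hits.append((entry, need))
    return hits


def image_allowed(image_sbat: str, policy_sbat: str) -> bool:
    """True when shim would accept the image under this policy."""
    return not revoked_entries(image_sbat, policy_sbat)


# Constructed sample: a grub image still at generation 3 for its "grub"
# component, plus a placeholder distro line (grub.example / example.invalid).
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.example,1,Example Distro,grub2,2.06-1.example,https://example.invalid/grub
"""

# Same image rebuilt with the "grub" component bumped to generation 4.
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,3,", "grub,4,")

# Constructed policy in SbatLevel form: the "sbat" line carries a date
# stamp, later lines give the minimum accepted generation per component.
POLICY = """\
sbat,1,2024010900
shim,4
grub,4
"""


if __name__ == "__main__":
    for name, sbat in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT)):
        hits = revoked_entries(sbat, POLICY)
        verdict = "allowed" if not hits else "REVOKED"
        print(f"{name}: {verdict}")
        for entry, need in hits:
            print(f"  {entry.component} is generation {entry.generation}, policy requires >= {need}")
```

Run against a real pair of files, the policy would be the text of shim's `.sbatlevel` section and the image side the `.sbat` section of the grub binary being shipped; a non-empty result from `revoked_entries` means that grub build will not boot under that shim.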