Tuesday 29 September 2020

Canonical have announced a new point release for Ubuntu 16.04 LTS - 16.04.7 (Xenial Xerus)

Update: This work is superseded ... see 'ISOs' under 'Useful posts'.

Canonical have released the seventh point release of Ubuntu 16.04 Long-Term Support (LTS) as Ubuntu 16.04.7.

I’ve respun the desktop ISO using my 'isorespin.sh' script and created ISOs suitable for Intel Atom and Intel Apollo Lake devices:

Atom (-i ubuntu-16.04.7-desktop-amd64.iso --atom)
Apollo (-i ubuntu-16.04.7-desktop-amd64.iso --apollo)


Downloading Note

After downloading an ISO file it is recommended to test that the file is correct and safe to use by verifying the integrity of the downloaded file. An error during the download could result in a corrupted file and trigger random issues during the usage of the ISO.

The program 'md5sum' is designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. The MD5 calculation gives a checksum (called a hash value), which must equal the MD5 value of a correct ISO.

First open a terminal and go to the directory containing the downloaded ISO. Then run the command 'md5sum <ISO>', for example:

md5sum linuxium-atom-ubuntu-16.04.7-desktop-amd64.iso

'md5sum' should then print out a single line after calculating the hash:

e1c5c463c3d2078f7a26d65472b59973  linuxium-atom-ubuntu-16.04.7-desktop-amd64.iso

Compare the hash (the alphanumeric string on the left) from your output with the corresponding hash below. If both hashes match exactly then the downloaded file is almost certainly intact. However, if the hashes do not match then there was a problem with the download and you should download the file again.


ISO 'md5sum' hashes

e1c5c463c3d2078f7a26d65472b59973  linuxium-atom-ubuntu-16.04.7-desktop-amd64.iso
ee3367e767d2c0938cc12776d5cf288d  linuxium-apollo-ubuntu-16.04.7-desktop-amd64.iso


Please donate if you find these ISOs useful.

Saturday 26 September 2020

'BootHole' implications for 'isorespin.sh'

(Credit: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot)

When GRUB2 was found to contain various vulnerabilities that would allow UEFI Secure Boot to be bypassed, which became known as the “BootHole” vulnerability (CVE-2020-10713), the recommendation was that all operating systems using GRUB2 with Secure Boot must release new installers and bootloaders.

I reviewed 'isorespin.sh' at that time, as one of its key features is the option to add a GRUB2 bootloader to allow ISOs to boot on the many Intel devices whose BIOS requires a 32-bit bootloader to boot a 64-bit OS.

My initial 'fix' was based around Ubuntu's response: recompiling and adding the latest fixed GRUB2 bootloader from 'groovy' (Ubuntu 20.10), and letting the Ubuntu package manager 'apt' install the appropriate GRUB2 binaries to the ISO whilst it was being respun.

This initially worked; however, after receiving what can only be described as some abusive 'hate' email from a user complaining that 'isorespin.sh' fails when installing the 32-bit binaries, I investigated and found that Canonical had effectively removed the earlier 32-bit GRUB2 packages with vulnerabilities.

The original 'isorespin.sh' process was to download the 32-bit GRUB2 packages whose version matched the 64-bit GRUB2 packages in the ISO and update the relevant package file with the details of these packages. However, in Canonical's process, when a package is replaced by a newer version the older versions are at some point archived, so the 'isorespin.sh' download process needs to perform the download from the archive location. At this point the package information is still typically available in the package manager's cache, so it is still possible to update the relevant package file.

But in order to add the other functionality in 'isorespin.sh', such as updating the kernel or installing a package as part of respinning an ISO, it is also necessary to update the package manager's cache. The issue that "BootHole" subsequently created for 'isorespin.sh' was that, because the cache was now updated, the earlier versions of the GRUB2 packages with the vulnerabilities were (obviously) no longer included, to prevent them from being selected and installed. The consequence was that, because the downloaded earlier-versioned 32-bit GRUB2 packages were no longer supported, errors occurred when they were further processed either by 'isorespin.sh' or as part of ISO installation.

Part of the problem in fixing these errors was wanting to mimic the original ISO's ability to be installed either with or without a network connection while also addressing the "BootHole" vulnerability as part of respinning the ISO. A new issue was encountered because simply downloading the latest, and therefore fixed, 32-bit GRUB2 packages left their package dependencies untouched. This leads to package incompatibility when trying to install these later-versioned packages.

To address this I've made the decision to continue to download the 32-bit GRUB2 packages whose version matches that of the ISO, thereby keeping the integrity of the ISO. However, recognising that any package in the ISO's pool structure could be superseded by security updates, I also then ensure that all of the pool packages are updated to their respective current version at the time of respinning the ISO. This also means that their versions are reflected in the ISO's package manager's cache. Finally, to correct the GRUB2 package dependencies, I also update any GRUB2 packages currently installed in the ISO's filesystem.

Whilst this addresses the vulnerabilities caused by "BootHole", it does mean that if the Ubiquity installer installs other packages from the pool structure it may still result in package dependency issues. The workaround if this occurs is to either individually update the affected packages when respinning the ISO or use the '--dist-upgrade' option to upgrade all installed packages.
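
Added example (not part of 'isorespin.sh' or of the original post): a shell check for the situation described above, listing packages in an ISO's pool whose version the current apt index no longer offers. The function names, output labels and sample data (including the version strings) are constructed for illustration.

```shell
#!/bin/sh
# pool_audit INDEX POOL_LIST
#   INDEX     an apt Packages index (stanzas carrying a Filename: field)
#   POOL_LIST one .deb path per line, e.g. from: find pool -name '*.deb'
# Prints one line per pool package that the index does not offer at that version.
pool_audit() {
    awk '
    # Split ".../name_version_arch.deb" into the globals name, ver, arch.
    function parse(path,   n, parts, b, f) {
        n = split(path, parts, "/"); b = parts[n]
        sub(/\.deb$/, "", b)
        if (split(b, f, "_") != 3) return 0
        name = f[1]; ver = f[2]; arch = f[3]
        return 1
    }
    # First file: record every version the index offers per package and arch.
    FILENAME == ARGV[1] {
        if ($1 == "Filename:" && parse($2)) {
            offered[name "_" arch "_" ver] = 1
            versions[name "_" arch] = versions[name "_" arch] " " ver
        }
        next
    }
    # Second file: report pool packages the index does not offer as-is.
    parse($0) {
        key = name "_" arch
        if (!(key in versions))
            printf "UNKNOWN     %s %s\n", name, ver
        else if (!((key "_" ver) in offered))
            printf "NOT-OFFERED %s %s (index offers:%s)\n", name, ver, versions[key]
    }' "$1" "$2"
}

# Demo on constructed data: the version strings below are made up.
pool_audit_demo() {
    d=$(mktemp -d)
    cat > "$d/Packages" <<'EOF'
Package: grub-efi-ia32-bin
Filename: pool/main/g/grub2/grub-efi-ia32-bin_1.0-2example_amd64.deb

Package: grub-common
Filename: pool/main/g/grub2/grub-common_1.0-2example_amd64.deb
EOF
    cat > "$d/pool.txt" <<'EOF'
pool/main/g/grub2/grub-efi-ia32-bin_1.0-1example_amd64.deb
pool/main/g/grub2/grub-common_1.0-2example_amd64.deb
pool/main/x/extra/extra-tool_0.1-1example_all.deb
EOF
    pool_audit "$d/Packages" "$d/pool.txt"
    rm -rf "$d"
}
```

A NOT-OFFERED line marks a pool package that has been replaced in the index, which is the state the older 32-bit GRUB2 packages were in after the cache was updated.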

This newest version (8.6.4) is now available from 'isorespin.sh'. 

Please donate if you find the script useful using the following link http://goo.gl/nXWSGf as everything helps with development costs.


Friday 4 September 2020

Canonical announces new point releases - Ubuntu 20.04.2 and 18.04.5

Update: This work is superseded ... see Canonical announces new point releases - Ubuntu 20.04.3 and 18.04.6


This post has been updated with links to Ubuntu 20.04.2

Canonical have released both the second point release of Ubuntu 20.04 Long-Term Support (LTS) as Ubuntu 20.04.2 and the fifth point release of Ubuntu 18.04 Long-Term Support (LTS) as Ubuntu 18.04.5.

I’ve respun the desktop ISOs using my 'isorespin.sh' script and created ISOs suitable for Intel Atom and Intel Apollo Lake devices:

Atom (-i ubuntu-20.04.2-desktop-amd64.iso --atom)
Apollo (-i ubuntu-20.04.2-desktop-amd64.iso --apollo)
Atom (-i ubuntu-18.04.5-desktop-amd64.iso --atom)
Apollo (-i ubuntu-18.04.5-desktop-amd64.iso --apollo)

I've also respun the 'Focal Fossa' desktop ISO with the '--server' option to create a pseudo server ISO suitable for Intel devices with a 32-bit bootloader:

Server (-i ubuntu-20.04.2-desktop-amd64.iso --server)

Also announced are the official 20.04.1 flavours of Ubuntu, including Lubuntu, which I've also respun to create an ISO suitable for Intel Atom devices:

Atom (-i lubuntu-20.04.2-desktop-amd64.iso --atom)


Downloading Note

After downloading an ISO file it is recommended to test that the file is correct and safe to use by verifying the integrity of the downloaded file. An error during the download could result in a corrupted file and trigger random issues during the usage of the ISO.

The program 'md5sum' is designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. The MD5 calculation gives a checksum (called a hash value), which must equal the MD5 value of a correct ISO.

First open a terminal and go to the directory containing the downloaded ISO. Then run the command 'md5sum <ISO>', for example:

md5sum linuxium-atom-ubuntu-20.04.2-desktop-amd64.iso

'md5sum' should then print out a single line after calculating the hash:

31d672831759f015191190da88b1c5dd  linuxium-atom-ubuntu-20.04.2-desktop-amd64.iso

Compare the hash (the alphanumeric string on the left) from your output with the corresponding hash below. If both hashes match exactly then the downloaded file is almost certainly intact. However, if the hashes do not match then there was a problem with the download and you should download the file again.


ISO 'md5sum' hashes

31d672831759f015191190da88b1c5dd  linuxium-atom-ubuntu-20.04.2-desktop-amd64.iso
e33bec1268ef0413e38e58edb252951c  linuxium-apollo-ubuntu-20.04.2-desktop-amd64.iso
9b460cbc70020f117217bf96385d7a3f  linuxium-atom-ubuntu-18.04.5-desktop-amd64.iso
8231e6792cc3c8eed61dbe9b47563dc4  linuxium-apollo-ubuntu-18.04.5-desktop-amd64.iso
24174ea74a6c66e7747820ca1cb4db03  linuxium-ubuntu-20.04.2-server-amd64.iso
c58c1f3418fc3ece12edf2e23974725a  linuxium-atom-lubuntu-20.04.2-desktop-amd64.iso
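
Added example (not from the original posts): the comparison described in the two 'Downloading Note' sections, scripted so that each ISO is checked against a saved copy of an "ISO 'md5sum' hashes" list instead of by eye. The function name 'verify_isos' and the list file name in the usage comment are assumptions.

```shell
#!/bin/sh
# verify_isos LIST [DIR]
#   LIST holds lines in md5sum output format: "<hash>  <filename>"
#   DIR  is where the downloaded ISOs are (default: current directory)
# Usage (hypothetical file name): verify_isos linuxium.md5 ~/Downloads
# Returns non-zero if any listed file is missing or does not match.
verify_isos() {
    list=$1
    dir=${2:-.}
    failed=0
    while read -r want name; do
        # Skip blank lines and comment lines in the list.
        case $want in ''|'#'*) continue ;; esac
        name=${name#\*}   # md5sum marks binary mode with a leading '*'
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name"
            failed=1
            continue
        fi
        got=$(md5sum "$dir/$name" | cut -d' ' -f1)
        # Normalise case in case the list was published in upper-case hex.
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (expected $want, got $got)"
            failed=1
        fi
    done < "$list"
    return "$failed"
}
```

GNU 'md5sum -c' reads the same list format; the function spells the comparison out so that a missing file and a corrupted download are reported separately.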


Please donate if you find these ISOs useful.