SBAT shim 15.4 release
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OEM Priority Project | Fix Released | Medium | Unassigned |
shim (Ubuntu) | Fix Released | Undecided | Unassigned |
shim-signed (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Hirsute | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
* New upstream shim release 15.4
* It includes and enforces SBAT validation
[Test Plan]
* https:/
[Where problems could occur]
* Upgrading to the new shim without also upgrading to the new SBAT-enabled grub will fail to boot, because shim 15.4 requires grub to carry an SBAT section.
* Upgrading to the new shim without also upgrading to the new SBAT-enabled fwupdate will fail to boot, because shim 15.4 requires fwupdate to carry an SBAT section.
[Other Info]
* All patches are dropped, as all got included in the v15.3 upstream release
* The embedded ephemeral shim certificate is now gone; the archive key is used to sign fb (fallback) and mm (MokManager).
* Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
* This upload obsoletes shim-signed-
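The [Where problems could occur] items above come down to the generation check that shim 15.4 performs on each binary it loads (grub, fwupdate, a chainloaded shim). The following Python is an added example written for this page, not code from this bug report or from the shim project; it models that check on constructed SBAT data. The component names, generations and datestamps in it are placeholders, not Ubuntu's shipped values, and the policy format follows the published SBAT description (a `sbat,1,<datestamp>` header followed by `component,minimum_generation` rows). It covers the failure mode described above, where a binary with no .sbat section at all is refused, as well as the revocation case where a component's generation falls below the policy minimum.

```python
import csv
import io
from typing import Dict, Optional, Tuple

# Constructed sample of a grub binary's .sbat section. Columns are
# component_name,component_generation,vendor_name,vendor_package_name,
# vendor_version,vendor_url; only the first two take part in the check.
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/
grub.ubuntu,1,Ubuntu,grub2,2.04-1ubuntu45,https://www.ubuntu.com/
"""

# Constructed sample for a fwupd EFI binary; note it has no 'grub' row.
FWUPD_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
fwupd-efi,1,Firmware update daemon,fwupd-efi,1.0,https://github.com/fwupd/fwupd-efi
"""

# Constructed revocation policies in SbatLevel form. The datestamps and
# minimum generations are placeholders, not real SbatLevel contents.
POLICY_BASELINE = """\
sbat,1,2021030218
shim,1
grub,1
"""

POLICY_REVOKING_GRUB_1 = """\
sbat,1,2099010100
shim,1
grub,2
"""


def parse_sbat_section(text: str) -> Dict[str, int]:
    """Parse a .sbat section into {component_name: generation}.
    Malformed rows raise ValueError; the caller turns that into a refusal."""
    entries: Dict[str, int] = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # tolerate a blank line
        if len(row) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(row)}")
        name, gen = row[0].strip(), row[1].strip()
        if not name or not gen.isdigit():
            raise ValueError(f"line {lineno}: bad component name or generation")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate component {name!r}")
        entries[name] = int(gen)
    if "sbat" not in entries:
        raise ValueError("missing 'sbat' header entry")
    return entries


def parse_sbat_policy(text: str) -> Dict[str, int]:
    """Parse a policy: 'sbat,1,<datestamp>' header, then 'component,min_gen'."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if not rows or rows[0][0] != "sbat" or len(rows[0]) != 3:
        raise ValueError("policy must start with a 'sbat,1,<datestamp>' header")
    policy: Dict[str, int] = {"sbat": int(rows[0][1])}
    for row in rows[1:]:
        if len(row) != 2 or not row[1].strip().isdigit():
            raise ValueError(f"bad policy row: {row}")
        policy[row[0].strip()] = int(row[1])
    return policy


def check_sbat(section: Optional[str], policy_text: str) -> Tuple[bool, str]:
    """Decide whether a binary may be loaded under the given SBAT policy.
    A binary with no .sbat section is refused outright; any component whose
    generation is below the policy minimum is treated as revoked. Components
    the policy does not mention are allowed."""
    if section is None:
        return False, "binary has no .sbat section"
    try:
        entries = parse_sbat_section(section)
        policy = parse_sbat_policy(policy_text)
    except ValueError as exc:
        return False, f"malformed SBAT data: {exc}"
    for component, minimum in policy.items():
        have = entries.get(component)
        if have is not None and have < minimum:
            return False, f"{component} generation {have} < required {minimum}"
    return True, "all SBAT generations satisfy policy"


if __name__ == "__main__":
    # Constructed scenarios mirroring the bug's "where problems could occur" notes.
    print("new grub, baseline policy:   ", check_sbat(GRUB_SBAT, POLICY_BASELINE))
    print("fwupd, baseline policy:      ", check_sbat(FWUPD_SBAT, POLICY_BASELINE))
    print("old grub, no .sbat section:  ", check_sbat(None, POLICY_BASELINE))
    print("grub gen 1, grub revoked:    ", check_sbat(GRUB_SBAT, POLICY_REVOKING_GRUB_1))
```

The check is deliberately one-directional: the policy lists minimum generations, and a binary is refused only when it carries a listed component at a lower generation, or carries no SBAT data at all. That is why a grub or fwupdate that predates SBAT cannot boot under shim 15.4 even though nothing about it has been revoked by name.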
description: updated
summary: SBAT shim 15.3 release → SBAT shim 15.4 release
description: updated
tags: added: fwupd
tags: added: sbat
Changed in shim (Ubuntu):
  status: New → Confirmed
Changed in shim-signed (Ubuntu):
  status: New → Confirmed
tags: added: oem-priority
tags: added: block-proposed-hirsute
tags: added: block-proposed-bionic block-proposed-focal block-proposed-groovy block-proposed-xenial
tags: removed: block-proposed-hirsute
Changed in oem-priority:
  assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
  status: New → Confirmed
  importance: Undecided → Critical
Changed in oem-priority:
  status: Confirmed → In Progress
Changed in oem-priority:
  assignee: Yuan-Chen Cheng (ycheng-twn) → nobody
  assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
  importance: Critical → Medium
  status: In Progress → Confirmed
  assignee: Yuan-Chen Cheng (ycheng-twn) → nobody
tags: removed: block-proposed-bionic
tags: removed: block-proposed-groovy
Changed in oem-priority:
  status: Confirmed → Fix Released
This bug was fixed in the package shim - 15.4-0ubuntu1
---------------
shim (15.4-0ubuntu1) hirsute; urgency=medium

  [ Dimitri John Ledkov ]
  * New upstream release 15.4 LP: #1921134
    - Update the commit hash in debian/rules
  * debian/rules: add request to sign EFI binaries with archive signing key.
  * debian/rules: stop using ENABLE_SHIM_CERT=1.
  * debian/rules: add canonical 2021 DBX.
  * debian/rules: start using DISABLE_EBS_PROTECTION=1 to allow
    chainloading shim to shim, and shim to kernel.efi.
  * Add shim-dbg package, skip stripping files.
  * Update watch file, now uscan can generate new upstream tarballs.
  * Upgrade to debhelper 12.
  * Drop gnu-efi build-dep, now vendored upstream.
  * Add debian/rules target to generate gnu-efi components.
  * Do not clean gnu-efi Makefile.orig
  * Remove fallback 5s delay with TPM. LP: #1922581
  * Add xxd build-dep to run unittests.

  [ Chris Coulson ]
  * Drop patches that are fixed upstream:
    - debian/patches/Fix-OBJ_create-to-tolerate-a-NULL-sn-and-ln.patch
    - debian/patches/MokManager-avoid-unaligned.patch
    - debian/patches/tpm-correctness-1.patch
    - debian/patches/tpm-correctness-2.patch
    - debian/patches/tpm-correctness-3.patch
    - debian/patches/MokManager-hidpi-support.patch
    - debian/patches/fix-path-checks.patch
  * Drop the ENABLE_HTTPBOOT option - this is always built now.
    - update debian/rules
  * Add vendor SBAT metadata to shim.
    - add debian/sbat.ubuntu.csv.in
    - update debian/rules
  * Add vendor dbx esl to include-binaries
  * Build-depend on dos2unix
    - update debian/control

 -- Dimitri John Ledkov <email address hidden>  Wed, 24 Mar 2021 11:32:25 +0000