shim(-signed) NX support feature freeze exception request

Bug #2076227 reported by Mate Kukri
| Affects | Series | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|---|
| cd-boot-images-amd64 (Ubuntu) | Oracular | Fix Released | Undecided | Unassigned | |
| cd-boot-images-arm64 (Ubuntu) | Oracular | Fix Released | Undecided | Unassigned | |
| shim (Ubuntu) | Oracular | Fix Released | Undecided | Unassigned | |
| shim-signed (Ubuntu) | Oracular | Fix Released | Undecided | Unassigned | |

Bug Description

This is a high priority feature Canonical was developing during the Oracular Oriole cycle.

The GRUB piece has already hit the archive before FF as 2.12-1ubuntu9 (with 2.12-5ubuntu1 under review), but asking for an exception on the shim pieces due to Microsoft signing being required.

The following changes are being made:
- shim package: effectively identical upstream source, with minor changes to produce two executables, one with NX_COMPAT set and another without
- shim-signed package: changes to choose which shim to install:
  + existing installations will get the non-NX shim on package upgrades
  + new installations will get the NX shim

Code has already been tested and is available in the following repositories:
- https://code.launchpad.net/~ubuntu-uefi-team/+git/shim/+ref/master
- https://code.launchpad.net/~ubuntu-uefi-team/+git/shim-signed/+ref/master

Testing in the above context means that both shims have been verified to boot correctly, with additional testing for the shim installation mechanism, and additional testing for the NX shim under the Microsoft Mu firmware that has an NX enforcing mode.

Usable self-signed test builds of the new shims can be found in my nx-testing PPA https://launchpad.net/~mkukri/+archive/ubuntu/nx-testing, with the real shim for MS submission having been built in the usual place at https://launchpad.net/~ubuntu-uefi-team/+archive/ubuntu/build.

The shim-review required for MS submission is under internal review, then we will submit the shim-review to the community, and the shim afterwards for MS signing.
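An added example, not part of the original report or of the shim packaging: one way to tell the two shim builds described above apart is to read the NX_COMPAT bit from the PE optional header. Going slightly beyond the report, it also lists sections mapped both writable and executable; the sample images are constructed header-only blobs rather than real shims, and `nx_report` and `build_sample` are hypothetical names.

```python
import struct

NX_COMPAT = 0x0100            # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
MEM_EXECUTE = 0x20000000      # IMAGE_SCN_MEM_EXECUTE
MEM_WRITE = 0x80000000        # IMAGE_SCN_MEM_WRITE

def nx_report(image: bytes) -> dict:
    """Read the NX-related PE/COFF header fields of an EFI binary."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    wx = []
    for i in range(nsections):
        sec = opt + opt_size + 40 * i                      # 40-byte section headers
        (flags,) = struct.unpack_from("<I", image, sec + 36)
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            wx.append(image[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {"nx_compat": bool(dll_chars & NX_COMPAT), "wx_sections": wx}

def build_sample(dll_chars: int, sections) -> bytes:
    """Constructed header-only PE32+ blob for the demo; not a real shim."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+
    struct.pack_into("<H", opt, 68, 10)                    # EFI application
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(name.ljust(8, b"\0") + bytes(28) + struct.pack("<I", flags)
                     for name, flags in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

NX_SAMPLE = build_sample(NX_COMPAT, [(b".text", 0x60000020), (b".data", 0xC0000040)])
LEGACY_SAMPLE = build_sample(0, [(b".text", 0xE0000020)])

if __name__ == "__main__":
    for label, blob in (("nx", NX_SAMPLE), ("non-nx", LEGACY_SAMPLE)):
        print(label, nx_report(blob))
```

To inspect a real build, pass `nx_report` the bytes of the EFI binary read from disk.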

Mate Kukri (mkukri)
summary: - shim(-signed) NX support feature freeze exception
+ shim(-signed) NX support feature freeze exception request
Mate Kukri (mkukri) wrote :

Signed shims were received from MS a while ago; this could still potentially make Oracular if desired.

Łukasz Zemczak (sil2100) wrote :

It is late, and post Beta - which is unfortunate. However, I still feel it makes sense to get it into oracular. I discussed this with Mate earlier and the good part about this is that it should be easily revertible in case we notice issues.

Let's proceed, but I would request doing lots of additional testing of the dailies and keeping an eye out for reports.

Changed in shim-signed (Ubuntu):
status: New → Triaged
Changed in shim (Ubuntu):
status: New → Triaged
Mate Kukri (mkukri) wrote :

This will also need cd-boot-images rebuilt for the two shim-based architectures to have that in sync, so tagging to avoid forgetting.

Changed in cd-boot-images-amd64 (Ubuntu Oracular):
milestone: none → ubuntu-24.10
Changed in cd-boot-images-arm64 (Ubuntu Oracular):
milestone: none → ubuntu-24.10
Changed in shim (Ubuntu Oracular):
milestone: none → ubuntu-24.10
Changed in shim-signed (Ubuntu Oracular):
milestone: none → ubuntu-24.10
Mate Kukri (mkukri) wrote :
Nick Rosbrook (enr0n) wrote :

Merged and uploaded both.

Changed in cd-boot-images-arm64 (Ubuntu Oracular):
status: New → In Progress
Changed in cd-boot-images-amd64 (Ubuntu Oracular):
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.59

---------------
shim-signed (1.59) oracular; urgency=medium

  * d/control: Update "Maintainer" to correctly reflect current status
  * Remove old "debian/files" committed by mistake
  * d/control: Depend on NX compatible GRUB2
  * Add Microsoft signed shim 15.8-0ubuntu2 binaries
  * Consume and install NX shim (LP: #2076227)
  * Do not default to NX shim to allow Windows 10 chainloading

 -- Mate Kukri <email address hidden> Tue, 01 Oct 2024 11:14:38 +0100

Changed in shim-signed (Ubuntu Oracular):
status: Triaged → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cd-boot-images-amd64 - 31

---------------
cd-boot-images-amd64 (31) oracular; urgency=medium

  * Rebuild against shim-signed 1.59+15.8-0ubuntu2 (LP: #2076227)

 -- Mate Kukri <email address hidden> Wed, 02 Oct 2024 17:00:40 +0100

Changed in cd-boot-images-amd64 (Ubuntu Oracular):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cd-boot-images-arm64 - 27

---------------
cd-boot-images-arm64 (27) oracular; urgency=medium

  * Rebuild against shim-signed 1.59+15.8-0ubuntu2 (LP: #2076227)

 -- Mate Kukri <email address hidden> Wed, 02 Oct 2024 17:02:33 +0100

Changed in cd-boot-images-arm64 (Ubuntu Oracular):
status: In Progress → Fix Released
Mate Kukri (mkukri)
Changed in shim (Ubuntu Oracular):
status: Triaged → Fix Released