FYI, I've got tested packages for focal, jammy and mantic in the security PPA. These use @mkukri's shell disable patch.
For sid/noble, I've got the following queued up that actually disable the shell in the secboot variants. This required creating new flavors for AARCH64 and IA32 so that users can choose between secboot and shell-capable:
edk2 (2023.11-7) UNRELEASED; urgency=medium

  * ovmf, qemu-efi-*: Stop building Secure Boot code into non-secboot
    images so they can include a built-in shell which is unsafe in
    Secure Boot mode.
  * ovmf-ia32: Add non-secboot image. Thanks to Lionel Debroux.
    (Closes: #1023491).
  * debian/tests/shell.py: Add tests for ovmf-ia32 non-secboot image.
  * qemu-efi-aarch64: Add non-secboot variant. AAVMF_CODE.fd is the
    secboot variant, so name it AAVMF_CODE.no-secboot.fd.
  * qemu-efi-aarch64: Rename the secboot variant, AAVMF_CODE.fd,
    to AAVMF_CODE.secboot.fd and add a compat symlink.
  * ovmf, ovmf-ia32, qemu-efi-aarch64: Stop including a built-in shell
    in secboot variants, CVE-2023-48733. Thanks to Mate Kukri.
    LP: #2040137.
    - d/tests: Drop the boot-to-shell tests for images w/ Secure Boot.
    - d/tests: Update run_cmd_check_secure_boot() to not expect shell
      interaction.

 -- dann frazier <email address hidden>  Sat, 10 Feb 2024 21:17:35 -0700