Comment 66 for bug 2040137

dann frazier (dannf) wrote :

fyi, I've got tested packages for focal, jammy and mantic in the security PPA. These use @mkukri's shell disable patch.

For sid/noble, I've got the following queued up that actually disable the shell in the secboot variants. This required creating new flavors for AARCH64 and IA32 so that users can choose between secboot and shell-capable:

edk2 (2023.11-7) UNRELEASED; urgency=medium

  * ovmf, qemu-efi-*: Stop building Secure Boot code into non-secboot
    images so they can include a built-in shell which is unsafe in
    Secure Boot mode.
  * ovmf-ia32: Add non-secboot image. Thanks to Lionel Debroux.
    (Closes: #1023491).
  * debian/tests/shell.py: Add tests for ovmf-ia32 non-secboot image.
  * qemu-efi-aarch64: Add non-secboot variant. AAVMF_CODE.fd is the
    secboot variant, so name it AAVMF_CODE.no-secboot.fd.
  * qemu-efi-aarch64: Rename the secboot variant, AAVMF_CODE.fd,
    to AAVMF_CODE.secboot.fd and add a compat symlink.
  * ovmf, ovmf-ia32, qemu-efi-aarch64: Stop including a built-in shell
    in secboot variants, CVE-2023-48733. Thanks to Mate Kukri.
    LP: #2040137.
    - d/tests: Drop the boot-to-shell tests for images w/ Secure Boot.
    - d/tests: Update run_cmd_check_secure_boot() to not expect shell
      interaction.

 -- dann frazier <email address hidden> Sat, 10 Feb 2024 21:17:35 -0700