backport SecureBoot support from 13.10 for 12.04.4

Bug #1229572 reported by Steve Langasek on 2013-09-24
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnu-efi (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned
sbsigntool (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned
shim (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned
shim-signed (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Unassigned
Quantal
Undecided
Unassigned
Raring
Undecided
Unassigned

Bug Description

This is a meta-bug for backporting SecureBoot support from 13.10 for 12.04.4. To fully update the SecureBoot stack for 12.04.4 and fix a number of outstanding bugs, we will have to update a number of packages:

 - gnu-efi: update to upstream version 3.0u, so new upstream shim is buildable in precise.
 - sbsigntool: update the backport from 0.6-0ubuntu1 to 0.6-0ubuntu4, to include various fixes so build-time validation of shim-signed is possible (i.e., so recent shim-signed is buildable in precise).
 - shim: binary-copy of 0.4-0ubuntu4 from saucy, so we don't have to round-trip to Microsoft for a separate signature for each release of what should be functionally the same program
 - shim-signed: binary-copy of 1.4 from saucy (once shim 0.4-0ubuntu4 has been signed by Microsoft)

We should also backport grub2 support for generating signed netboot images, but this can be handled as a separate bug report.

[Impact]
A number of OEM devices that ship with Secure Boot enabled are reported to not be able to boot 12.04.3, due to bugs in the pre-release version of shim included in that point release. The only practical means of addressing this is by updating the related packages to the current versions; cherry-picking individual bugfixes is error-prone and time-consuming. This will pull in some new features in addition to the bugfixes - such as netboot support - but this is also justifiable from a hardware-enablement perspective in the LTS.

[Test Case]
1. Rebuild all reverse-dependencies of gnu-efi in precise: refit, efilinux, elilo, shim, sbsigntool, and verify that they're buildable
2. Verify that the resulting shim binary build is functional by using it to boot a UEFI machine with and without SecureBoot enabled
3. Rebuild shim-signed from precise against the new sbsigntool, and verify it builds correctly
4. Rebuild shim-signed from precise-proposed against the new sbsigntool, and verify that it also builds correctly
5. Install linux-signed-generic-lts-raring from precise-updates and verify that it works with the new sbsigntool
6. Verify that linux-signed-lts-raring builds from source with the new sbsigntool

[Regression Potential]
This is a significant update to bootloader code which carries risk of regressing an unknown number of systems and rendering them unbootable. This risk is mitigated by the fact that there have been no reports of regression with the new version of shim in saucy, and the plan is to do a binary copy so if it works in saucy it should work in precise. There have also been multiple reports of machines successfully booting with shim 0.4 which failed with the earlier versions, making this worth the risk.

Steve Langasek (vorlon) on 2013-09-24
Changed in gnu-efi (Ubuntu):
status: New → Invalid
Changed in sbsigntool (Ubuntu):
status: New → Invalid
Changed in shim (Ubuntu):
status: New → Invalid
Changed in shim-signed (Ubuntu):
status: New → Invalid

Hello Steve, or anyone else affected,

Accepted sbsigntool into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~13.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sbsigntool (Ubuntu Raring):
status: New → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted gnu-efi into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnu-efi/3.0u+debian-1ubuntu2~13.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnu-efi (Ubuntu Raring):
status: New → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted gnu-efi into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnu-efi/3.0u+debian-1ubuntu2~12.10.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnu-efi (Ubuntu Quantal):
status: New → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted sbsigntool into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sbsigntool (Ubuntu Quantal):
status: New → Fix Committed
Changed in gnu-efi (Ubuntu Precise):
status: New → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Steve, or anyone else affected,

Accepted gnu-efi into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnu-efi/3.0u+debian-1ubuntu2~12.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Adam Conrad (adconrad) wrote :

Hello Steve, or anyone else affected,

Accepted sbsigntool into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sbsigntool (Ubuntu Precise):
status: New → Fix Committed
Steve Langasek (vorlon) on 2013-10-30
Changed in shim-signed (Ubuntu Raring):
status: New → Fix Committed
Changed in shim-signed (Ubuntu Quantal):
status: New → Fix Committed
Changed in shim-signed (Ubuntu Precise):
status: New → Fix Committed
Changed in shim (Ubuntu Precise):
status: New → Fix Committed
Changed in shim (Ubuntu Raring):
status: New → Fix Committed
Steve Langasek (vorlon) on 2013-10-30
Changed in shim (Ubuntu Quantal):
status: New → Fix Committed
Stéphane Graber (stgraber) wrote :

Testing on precise:
 - Built all the rdepends using the new gnu-efi => all built fine
 - Tested shim-signed on a UEFI SB machine with and without SB => boots fine
 - Rebuild current shim-signed with -proposed packages => builds fine
 - Rebuild new shim-signed with -proposed packages => fails to build
 - Install linux-signed-generic-lts-raring with -proposed packages => installs fine
 - Rebuild linux-signed-generic-lts-raring with -proposed packages => builds fine

So everything looks good with the exception of shim-signed failing to build from source. I have uploaded a fixed version of the source to the queue which addresses that.

Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/shim-signed/1.4.0~ubuntu12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Stéphane Graber (stgraber) wrote :

Confirmed a rebuilt version of shim boots fine under UEFI.

Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/shim-signed/1.4.0~ubuntu12.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/shim-signed/1.4.0~ubuntu13.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Stéphane Graber (stgraber) wrote :

Confirmed the new shim-signed boots on precise.

tags: added: verification-done-precise
Launchpad Janitor (janitor) wrote :
Download full text (3.8 KiB)

This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~12.04.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~12.04.0) precise; urgency=low

  * Backport gnu-efi from saucy to precise to support new versions of
    shim. LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <email address hidden> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.

gnu-efi (3.0s+debian-1ubuntu2) raring; urgency=low

  * Restore -fno-stack-protector; this is needed to build packages linked
    against gnu-efi, such as efilinux. This change is now in a patch with a
    header explaining the reasoning, to try to avoid it being dropped in
    future.

gnu-efi (3.0s+debian-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable, dropped changes:
    - gnuefi/elf_x86_64_efi.lds: align the .reloc section; merged upstream.
    - Build with -fno-stack-protector; no longer needed.
  * debian/rules: past architecture arguments when building the x86_64 code on
    i386; otherwise the upstream build system wrongly assumes that if uname
    says x86_64, it doesn't have to pass -m64 to the compiler.

gnu-efi (3.0s+debian-1) unstable; urgency=low

  * Merging upstream version 3.0s+debian.

gnu-efi (3.0r+debian-1) experimental; urgency=low

  * Merging upstream version 3.0r+debian (Closes: #637276, #679627):
    - Rebuilding upstream tarball without debian directory.
  * Removing useless whitespaces at EOL and EOF.
  * Updating package to debhelper version 9.
  * Updating package to standards version 3.9.4.
  * Making build-depends on binutils unversioned, already fulfilled by
    wheezy.
  * Sorting architectures in gcc-multilib build-depends alphabetically.
  * Wrapping build-depends to 80 chars per line.
  * Adding homepage field.
  * Sorting architectures field alphabetically.
  * Removing pre-wheezy conflicts on libc6-i386.
  * Removing French spacing in package long-description.
  * Rewriting copyright file in copyright-format version 1.0.
  * Prefixing debhelper files with package name.
  * Simplifying debhelper docs file by using wildcard.
  * Removing watch file.
  * Reorga...

Read more...

Changed in gnu-efi (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~12.04.1

---------------
sbsigntool (0.6-0ubuntu4~12.04.1) precise; urgency=low

  * Backport to update SecureBoot support. LP: #1229572.

sbsigntool (0.6-0ubuntu4) saucy; urgency=low

  * debian/patches/efi_arch_ia32.patch: Use AC_CANONICAL_HOST, not uname -m,
    to determine target. Closes LP: #1066038.
  * debian/patches/Align-signature-data-to-8-bytes.patch: Align signature
    data to 8 bytes. This matches the Microsoft signing implementation,
    which enables us to use sbattach to verify the integrity of the binaries
    returned by the SysDev signing service.
  * debian/patches/update_checksums.patch: make sure we update the PE checksum
    field as well, also needed for matching the Microsoft signing
    implementation.
  * debian/patches/fix-signature-padding.patch: fix calculation of the
    size of our signature data, so that we don't write out extra zeroes
    when we detach a signature.

sbsigntool (0.6-0ubuntu3) saucy; urgency=low

  * Build-depend on gcc-multilib to support building the test suite.

sbsigntool (0.6-0ubuntu2) raring; urgency=low

  * Mark sbsigntool Multi-Arch: foreign.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:35:28 -0700

Changed in sbsigntool (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.4.0~ubuntu12.04.1

---------------
shim-signed (1.4.0~ubuntu12.04.1) precise; urgency=low

  * Backport to Ubuntu 12.04 LTS. (LP: #1229572)
  * Change dependency on sbsigntool from 0.6-0ubuntu4 to 0.6-0ubuntu4~
 -- Stephane Graber <email address hidden> Thu, 07 Nov 2013 12:14:39 -0500

Changed in shim-signed (Ubuntu Precise):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) on 2013-11-07
Changed in shim (Ubuntu Precise):
status: Fix Committed → Fix Released
Stéphane Graber (stgraber) wrote :

All test builds passed on quantal too.

Stéphane Graber (stgraber) wrote :

And same thing on raring.

Stéphane Graber (stgraber) wrote :

Confirmed that a rebuilt shim on raring boots fine.

Stéphane Graber (stgraber) wrote :

And confirmed on quantal too.

Stéphane Graber (stgraber) wrote :

current and new shim-signed still build fine using quantal-proposed

Stéphane Graber (stgraber) wrote :

same result on raring

Stéphane Graber (stgraber) wrote :

linux-signed builds fine on both quantal-proposed and raring-proposed

Stéphane Graber (stgraber) wrote :

and finally confirmed installability on both quantal and raring. Marking both verification-done and releasing those in a minute.

tags: added: verification-done-quantal verification-done-raring
Launchpad Janitor (janitor) wrote :
Download full text (3.6 KiB)

This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~12.10.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~12.10.0) quantal; urgency=low

  * Backport gnu-efi from saucy to quantal to support new versions of
    shim. LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <email address hidden> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.

gnu-efi (3.0s+debian-1ubuntu2) raring; urgency=low

  * Restore -fno-stack-protector; this is needed to build packages linked
    against gnu-efi, such as efilinux. This change is now in a patch with a
    header explaining the reasoning, to try to avoid it being dropped in
    future.

gnu-efi (3.0s+debian-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable, dropped changes:
    - gnuefi/elf_x86_64_efi.lds: align the .reloc section; merged upstream.
    - Build with -fno-stack-protector; no longer needed.
  * debian/rules: past architecture arguments when building the x86_64 code on
    i386; otherwise the upstream build system wrongly assumes that if uname
    says x86_64, it doesn't have to pass -m64 to the compiler.

gnu-efi (3.0s+debian-1) unstable; urgency=low

  * Merging upstream version 3.0s+debian.

gnu-efi (3.0r+debian-1) experimental; urgency=low

  * Merging upstream version 3.0r+debian (Closes: #637276, #679627):
    - Rebuilding upstream tarball without debian directory.
  * Removing useless whitespaces at EOL and EOF.
  * Updating package to debhelper version 9.
  * Updating package to standards version 3.9.4.
  * Making build-depends on binutils unversioned, already fulfilled by
    wheezy.
  * Sorting architectures in gcc-multilib build-depends alphabetically.
  * Wrapping build-depends to 80 chars per line.
  * Adding homepage field.
  * Sorting architectures field alphabetically.
  * Removing pre-wheezy conflicts on libc6-i386.
  * Removing French spacing in package long-description.
  * Rewriting copyright file in copyright-format version 1.0.
  * Prefixing debhelper files with package name.
  * Simplifying debhelper docs file by using wildcard.
  * Removing watch file.
  * Reorga...

Read more...

Changed in gnu-efi (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~12.10.1

---------------
sbsigntool (0.6-0ubuntu4~12.10.1) quantal; urgency=low

  * Backport to update SecureBoot support. LP: #1229572.

sbsigntool (0.6-0ubuntu4) saucy; urgency=low

  * debian/patches/efi_arch_ia32.patch: Use AC_CANONICAL_HOST, not uname -m,
    to determine target. Closes LP: #1066038.
  * debian/patches/Align-signature-data-to-8-bytes.patch: Align signature
    data to 8 bytes. This matches the Microsoft signing implementation,
    which enables us to use sbattach to verify the integrity of the binaries
    returned by the SysDev signing service.
  * debian/patches/update_checksums.patch: make sure we update the PE checksum
    field as well, also needed for matching the Microsoft signing
    implementation.
  * debian/patches/fix-signature-padding.patch: fix calculation of the
    size of our signature data, so that we don't write out extra zeroes
    when we detach a signature.

sbsigntool (0.6-0ubuntu3) saucy; urgency=low

  * Build-depend on gcc-multilib to support building the test suite.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:35:28 -0700

Changed in sbsigntool (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.4.0~ubuntu12.10.1

---------------
shim-signed (1.4.0~ubuntu12.10.1) quantal; urgency=low

  * Backport to Ubuntu 12.10. (LP: #1229572)
  * Change dependency on sbsigntool from 0.6-0ubuntu4 to 0.6-0ubuntu4~
 -- Stephane Graber <email address hidden> Thu, 07 Nov 2013 12:14:39 -0500

Changed in shim-signed (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~13.04.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~13.04.0) raring; urgency=low

  * Backport gnu-efi from saucy to raring to support new versions of
    shim. LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <email address hidden> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:21:08 -0700

Changed in gnu-efi (Ubuntu Raring):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~13.04.1

---------------
sbsigntool (0.6-0ubuntu4~13.04.1) raring; urgency=low

  * Backport to update SecureBoot support. LP: #1229572.

sbsigntool (0.6-0ubuntu4) saucy; urgency=low

  * debian/patches/efi_arch_ia32.patch: Use AC_CANONICAL_HOST, not uname -m,
    to determine target. Closes LP: #1066038.
  * debian/patches/Align-signature-data-to-8-bytes.patch: Align signature
    data to 8 bytes. This matches the Microsoft signing implementation,
    which enables us to use sbattach to verify the integrity of the binaries
    returned by the SysDev signing service.
  * debian/patches/update_checksums.patch: make sure we update the PE checksum
    field as well, also needed for matching the Microsoft signing
    implementation.
  * debian/patches/fix-signature-padding.patch: fix calculation of the
    size of our signature data, so that we don't write out extra zeroes
    when we detach a signature.

sbsigntool (0.6-0ubuntu3) saucy; urgency=low

  * Build-depend on gcc-multilib to support building the test suite.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:35:28 -0700

Changed in sbsigntool (Ubuntu Raring):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.4.0~ubuntu13.04.1

---------------
shim-signed (1.4.0~ubuntu13.04.1) raring; urgency=low

  * Backport to Ubuntu 13.04. (LP: #1229572)
  * Change dependency on sbsigntool from 0.6-0ubuntu4 to 0.6-0ubuntu4~
 -- Stephane Graber <email address hidden> Thu, 07 Nov 2013 12:14:39 -0500

Changed in shim-signed (Ubuntu Raring):
status: Fix Committed → Fix Released
Changed in shim (Ubuntu Quantal):
status: Fix Committed → Fix Released
Changed in shim (Ubuntu Raring):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers