© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
@ahasenack
This must not go direct to security pocket, as it will require testing out of proposed by CPC & Azure Cloud partner, then it can be released into update and security.
Nullboot vendors in a copy of the shim, that it knows how to do TPM sealing for to support FDE feature on Azure CVM instances.
The shim that nullboot vendors-in right now in jammy is security vulnerable and has been revoked.
A no-change rebuild would update the copy of the shim inside the nullboot build - however that would regress resealing support, as the update shim has different TPM measurements which nullboot needs to know.
The kicker is, that there is no measurements specific code in nullboot, as all of it comes from snapd/secboot libraries. Thus these got updated to the exact same revisions as are used by the stable release of snapd (at the time the update was prepared and tested in Noble with Azure).
One thing one can verify is that the go.mod manifest matches the one in use in noble, and in https:/
Without this update, soon, it will become impossible to launch any Azure CVMs as they are about to upgrade dbx revocations, and thus revoke ability to boot the obsolete shim as currently shipped in Jammy.