backport shim-signed 1.30 from artful to supported releases

Bug #1700170 reported by Mathieu Trudel-Lapierre on 2017-06-23
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shim-signed (Ubuntu)
High
Mathieu Trudel-Lapierre
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
Zesty
Undecided
Unassigned

Bug Description

[Impact]
shim-signed ships the signed shim$arch.efi binary that goes with the shim package available in each release, which should remain synchronized across all supported releases as to make sure the security sensitive binary can be appropriately supported.

shim-signed also ships some additional bits that are useful to go along with the shim binary; and this is what is actually targetted on this SRU: shim itself does not change, but in the interest of making support as easy as possible, the supporting files shipped with it are also kept synchronized across releases.

These files are the following:
 - an apport hook, useful to let users report issues in updating the Boot Entries on their firmware, debugging upgrade issues, etc; and provides critical information about the system on which a bug is reported about the state of that system's EFI firmware: whether EFI validation is enabled, whether Secure Boot is enabled, whether it was properly started by the kernel;
 - a BOOT$arch.CSV file, to be installed by grub2 if present, where grub2 has that feature (in artful only), or to be installed manually by the user if wanted. This file is a text file that provides the location of shim on a system when running the shim fallback binary (also not installed prior to artful).

[Test case]
See the other closed bugs for this backport, which include their own test cases.

== boot.csv ==
1) Verify that /usr/lib/shim/BOOTX64.CSV contains:
shimx64.efi,ubuntu,,This is the boot entry for Ubuntu

[Regression potential]
See the other closed bugs for this backport, which include their own test cases.

Shipping the BOOT$arch.CSV file alone has no risk of regression, it constitutes a single text file shipped in a location where it is not used; it is only contained in the backport to simplify keeping the shim-signed packages synchronized.

Already fixed in Artful...

Changed in shim-signed (Ubuntu):
status: New → Fix Released
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Steve Langasek (vorlon) on 2017-07-13
description: updated
Steve Langasek (vorlon) on 2017-07-13
description: updated

Hello Mathieu, or anyone else affected,

Accepted shim-signed into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Zesty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-zesty
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-yakkety to verification-done-yakkety. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-yakkety. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed-yakkety

An upload of shim-signed to trusty-proposed has been rejected from the upload queue for the following reason: "needs adjusted versioned dep on grub2-common; drop ref to LP: #1624096 from changelog".

Steve Langasek (vorlon) on 2017-07-17
Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Trusty: verification-done

Verified that /EFI/ubuntu/BOOTx64.CSV exists and contains the right data. Also verified that the updated apport hook is present on the system and works as expected.

tags: added: verification-done-trusty
removed: verification-needed-trusty

The verification for trusty was done against shim-signed 1.32~14.04.2.

Verification-done for xenial, using shim-signed 1.32~16.04.1:

The new apport hook is correctly included on the system and contains the right script (updated capture of firmware keys), and the BOOTX64.CSV file is present under /boot/efi/EFI/ubuntu as it should.

tags: added: verification-done-xenial
removed: verification-needed-xenial

Verification-done for zesty, using shim-signed 1.32~17.04.1:

Both the apport hook and BOOTx64.CSV file are present on the system as expected.

tags: added: verification-done-zesty
removed: verification-needed-zesty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~16.04.1

---------------
shim-signed (1.32~16.04.1) xenial; urgency=medium

  * Backport shim-signed 1.32 to 16.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP#1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 17:43:10 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~17.04.1

---------------
shim-signed (1.32~17.04.1) zesty; urgency=medium

  * Backport shim-signed 1.32 to 17.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP#1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 17:10:08 -0400

Changed in shim-signed (Ubuntu Zesty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers