2017-06-23 19:39:28 |
Mathieu Trudel-Lapierre |
bug |
|
|
added bug |
2017-06-23 19:40:52 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): status |
New |
Fix Released |
|
2017-06-23 19:40:55 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): importance |
Undecided |
High |
|
2017-06-23 19:40:56 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2017-06-23 19:41:18 |
Mathieu Trudel-Lapierre |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-07-13 06:21:07 |
Steve Langasek |
description |
[Impact]
shim-signed ships the signed shim$arch.efi binary that goes with the shim package available in each release, which should remain synchronized across all supported releases so as to make sure the security-sensitive binary can be appropriately supported.
shim-signed also ships some additional bits that are useful to go along with the shim binary; and this is what is actually targeted in this SRU: shim itself does not change, but in the interest of making support as easy as possible, the supporting files shipped with it are also kept synchronized across releases.
These files are the following:
- an apport hook, useful to let users report issues in updating the Boot Entries on their firmware, debugging upgrade issues, etc; and provides critical information about the system on which a bug is reported about the state of that system's EFI firmware: whether EFI validation is enabled, whether Secure Boot is enabled, whether it was properly started by the kernel;
- a BOOT$arch.CSV file, to be installed by grub2 if present, where grub2 has that feature (in artful only), or to be installed manually by the user if wanted. This file is a text file that provides the location of shim on a system when running the shim fallback binary (also not installed prior to artful).
[Test case]
See the other closed bugs for this backport, which include their own test cases.
== boot.csv ==
1) Verify that /usr/lib/shim/BOOTx64.EFI contains:
shimx64.efi,ubuntu,,This is the boot entry for Ubuntu
[Regression potential]
See the other closed bugs for this backport, which include their own test cases.
Shipping the BOOT$arch.CSV file alone has no risk of regression: it constitutes a single text file shipped in a location where it is not used; it is only contained in the backport to simplify keeping the shim-signed packages synchronized. |
[Impact]
shim-signed ships the signed shim$arch.efi binary that goes with the shim package available in each release, which should remain synchronized across all supported releases so as to make sure the security-sensitive binary can be appropriately supported.
shim-signed also ships some additional bits that are useful to go along with the shim binary; and this is what is actually targeted in this SRU: shim itself does not change, but in the interest of making support as easy as possible, the supporting files shipped with it are also kept synchronized across releases.
These files are the following:
- an apport hook, useful to let users report issues in updating the Boot Entries on their firmware, debugging upgrade issues, etc; and provides critical information about the system on which a bug is reported about the state of that system's EFI firmware: whether EFI validation is enabled, whether Secure Boot is enabled, whether it was properly started by the kernel;
- a BOOT$arch.CSV file, to be installed by grub2 if present, where grub2 has that feature (in artful only), or to be installed manually by the user if wanted. This file is a text file that provides the location of shim on a system when running the shim fallback binary (also not installed prior to artful).
[Test case]
See the other closed bugs for this backport, which include their own test cases.
== boot.csv ==
1) Verify that /usr/lib/shim/BOOTx64.CSV contains:
shimx64.efi,ubuntu,,This is the boot entry for Ubuntu
[Regression potential]
See the other closed bugs for this backport, which include their own test cases.
Shipping the BOOT$arch.CSV file alone has no risk of regression: it constitutes a single text file shipped in a location where it is not used; it is only contained in the backport to simplify keeping the shim-signed packages synchronized. |
|
2017-07-13 19:53:42 |
Steve Langasek |
description |
[Impact]
shim-signed ships the signed shim$arch.efi binary that goes with the shim package available in each release, which should remain synchronized across all supported releases so as to make sure the security-sensitive binary can be appropriately supported.
shim-signed also ships some additional bits that are useful to go along with the shim binary; and this is what is actually targeted in this SRU: shim itself does not change, but in the interest of making support as easy as possible, the supporting files shipped with it are also kept synchronized across releases.
These files are the following:
- an apport hook, useful to let users report issues in updating the Boot Entries on their firmware, debugging upgrade issues, etc; and provides critical information about the system on which a bug is reported about the state of that system's EFI firmware: whether EFI validation is enabled, whether Secure Boot is enabled, whether it was properly started by the kernel;
- a BOOT$arch.CSV file, to be installed by grub2 if present, where grub2 has that feature (in artful only), or to be installed manually by the user if wanted. This file is a text file that provides the location of shim on a system when running the shim fallback binary (also not installed prior to artful).
[Test case]
See the other closed bugs for this backport, which include their own test cases.
== boot.csv ==
1) Verify that /usr/lib/shim/BOOTx64.CSV contains:
shimx64.efi,ubuntu,,This is the boot entry for Ubuntu
[Regression potential]
See the other closed bugs for this backport, which include their own test cases.
Shipping the BOOT$arch.CSV file alone has no risk of regression: it constitutes a single text file shipped in a location where it is not used; it is only contained in the backport to simplify keeping the shim-signed packages synchronized. |
[Impact]
shim-signed ships the signed shim$arch.efi binary that goes with the shim package available in each release, which should remain synchronized across all supported releases so as to make sure the security-sensitive binary can be appropriately supported.
shim-signed also ships some additional bits that are useful to go along with the shim binary; and this is what is actually targeted in this SRU: shim itself does not change, but in the interest of making support as easy as possible, the supporting files shipped with it are also kept synchronized across releases.
These files are the following:
- an apport hook, useful to let users report issues in updating the Boot Entries on their firmware, debugging upgrade issues, etc; and provides critical information about the system on which a bug is reported about the state of that system's EFI firmware: whether EFI validation is enabled, whether Secure Boot is enabled, whether it was properly started by the kernel;
- a BOOT$arch.CSV file, to be installed by grub2 if present, where grub2 has that feature (in artful only), or to be installed manually by the user if wanted. This file is a text file that provides the location of shim on a system when running the shim fallback binary (also not installed prior to artful).
[Test case]
See the other closed bugs for this backport, which include their own test cases.
== boot.csv ==
1) Verify that /usr/lib/shim/BOOTX64.CSV contains:
shimx64.efi,ubuntu,,This is the boot entry for Ubuntu
[Regression potential]
See the other closed bugs for this backport, which include their own test cases.
Shipping the BOOT$arch.CSV file alone has no risk of regression: it constitutes a single text file shipped in a location where it is not used; it is only contained in the backport to simplify keeping the shim-signed packages synchronized. |
|
2017-07-13 20:54:30 |
Steve Langasek |
shim-signed (Ubuntu Zesty): status |
New |
Fix Committed |
|
2017-07-13 20:54:32 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2017-07-13 20:54:37 |
Steve Langasek |
tags |
|
verification-needed verification-needed-zesty |
|
2017-07-13 21:03:13 |
Steve Langasek |
shim-signed (Ubuntu Yakkety): status |
New |
Fix Committed |
|
2017-07-13 21:03:17 |
Steve Langasek |
tags |
verification-needed verification-needed-zesty |
verification-needed verification-needed-yakkety verification-needed-zesty |
|
2017-07-17 14:43:43 |
Steve Langasek |
nominated for series |
|
Ubuntu Xenial |
|
2017-07-17 14:43:43 |
Steve Langasek |
bug task added |
|
shim-signed (Ubuntu Xenial) |
|
2017-07-17 14:43:49 |
Steve Langasek |
shim-signed (Ubuntu Xenial): status |
New |
Fix Committed |
|
2017-07-17 14:44:03 |
Steve Langasek |
tags |
verification-needed verification-needed-yakkety verification-needed-zesty |
verification-needed verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
|
2017-07-17 14:52:00 |
Steve Langasek |
shim-signed (Ubuntu Trusty): status |
New |
Fix Committed |
|
2017-07-17 14:52:03 |
Steve Langasek |
tags |
verification-needed verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
verification-needed verification-needed-trusty verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
|
2017-07-19 16:16:04 |
Mathieu Trudel-Lapierre |
tags |
verification-needed verification-needed-trusty verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
verification-done-trusty verification-needed verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
|
2017-07-20 19:16:05 |
Mathieu Trudel-Lapierre |
tags |
verification-done-trusty verification-needed verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
verification-done-trusty verification-done-xenial verification-needed verification-needed-yakkety verification-needed-zesty |
|
2017-07-24 17:01:47 |
Mathieu Trudel-Lapierre |
tags |
verification-done-trusty verification-done-xenial verification-needed verification-needed-yakkety verification-needed-zesty |
verification-done-trusty verification-done-xenial verification-done-zesty verification-needed verification-needed-yakkety |
|
2017-07-28 00:46:31 |
Launchpad Janitor |
shim-signed (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-07-28 00:46:47 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-07-28 00:47:07 |
Launchpad Janitor |
shim-signed (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-08-28 15:29:46 |
Launchpad Janitor |
shim-signed (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2019-05-18 02:01:54 |
Mathew Hodson |
shim-signed (Ubuntu Yakkety): status |
Fix Committed |
Won't Fix |
|