2021-04-20 08:32:25 |
Dimitri John Ledkov |
bug |
|
|
added bug |
2021-04-20 08:35:49 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~xnox/shim/+git/shim/+merge/401454 |
|
2021-04-30 16:49:40 |
Launchpad Janitor |
shim (Ubuntu): status |
New |
Fix Released |
|
2021-05-06 16:25:40 |
Łukasz Zemczak |
shim (Ubuntu Hirsute): status |
New |
Fix Committed |
|
2021-05-06 16:25:41 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-05-06 16:25:43 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2021-05-06 16:25:45 |
Łukasz Zemczak |
tags |
|
verification-needed verification-needed-hirsute |
|
2021-05-11 19:11:52 |
Dimitri John Ledkov |
description |
shim supports disabling validation using shim specific variable, whilst keeping the firmware secureboot on.
The state for it, is currently incorrectly parsed on Ubuntu, and thus error message is not printed that machine is booting without signature verification by shim.
please pull in fix https://github.com/rhboot/shim/pull/362/files |
shim supports disabling validation using shim specific variable, whilst keeping the firmware secureboot on.
The state for it, is currently incorrectly parsed on Ubuntu, and thus error message is not printed that machine is booting without signature verification by shim.
please pull in fix https://github.com/rhboot/shim/pull/362/files
[Impact]
* There is upstream bug report that prevents booting systems, when mokutil --disable-validation is set.
* It only impacts shims that are built with ExitBootService check in place
* In Ubuntu, we build shim with ExitBootServices check disabled, therefore we were not affected by this issue directly. But it was felt that no new shims would be signed unless this patch is included as a bugfix.
[Test Plan]
* Boot with Secureboot on, and mokutil validation on everything should boot
* Turn Secureboot off, everything should boot
* Turn Secureboot on, but turn mokutil validation off, evernthing should still boot.
* Note that the above would have failed with 15.4-0buntu1 shim, had we not built it with disabling ExitBootServices, so this is not a regression, but to ensure that the included bugfix is correct and doesn't regress things it claims to keep working. As otherwise no ubuntu shims have been affected by the upstream issue in question.
[Where problems could occur]
* The areas that could regress with this patch are validated in the Test plan.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance |
|
2021-05-11 19:13:44 |
Steve Langasek |
tags |
verification-needed verification-needed-hirsute |
verification-done verification-done-hirsute |
|
2021-05-11 19:14:07 |
Launchpad Janitor |
shim (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
2021-05-11 19:14:36 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-05-14 10:57:28 |
Łukasz Zemczak |
shim (Ubuntu Xenial): status |
New |
Fix Committed |
|
2021-05-14 10:57:30 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-05-14 10:57:34 |
Łukasz Zemczak |
tags |
verification-done verification-done-hirsute |
verification-done-hirsute verification-needed verification-needed-xenial |
|
2021-06-28 09:06:46 |
Julian Andres Klode |
tags |
verification-done-hirsute verification-needed verification-needed-xenial |
verification-done verification-done-hirsute verification-done-xenial |
|
2021-08-16 10:30:11 |
Launchpad Janitor |
shim (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|