secureboot-db 2020 update

This bug was fixed in the package secureboot-db - 1.6

---------------
secureboot-db (1.6) groovy; urgency=medium

  * Ship MS 2020 split arch dbx updates. LP: #1890835
  * Add arm64 architecture.

 -- Dimitri John Ledkov <email address hidden> Fri, 24 Jul 2020 00:34:57 +0100

Apologies if this is completely not a thing, but I'm a bit worried about cases where people install the secureboot-db update but still have the old grub2 installed (as there is no breaks). Will that cause a problem? Since if I understand it (but I might be wrong), wouldn't they be unable to boot their systems anymore?

Reuploaded with breaks on versions of signed grubs less than those in the security pocket.

This however may introduce an inverse problem of attempting to either remove signed grub, or remove secureboot-db, to resolve the conflict if for some reason users prohibit upgrading the signed grub packages.

Hello Dimitri, or anyone else affected,

Accepted secureboot-db into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/secureboot-db/1.6~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Dimitri, or anyone else affected,

Accepted secureboot-db into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/secureboot-db/1.4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Dimitri, or anyone else affected,

Accepted secureboot-db into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/secureboot-db/1.4.1~ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Someone will have to poke the ESM team to take care of trusty.

Yes, ESM will be poked after other series release this.

Booted 20.04.1 ISO, in a 4k ovmf qemu KVM VM with secureboot MS keys and installed secureboot-db from focal-proposed, checking in journalctl that dbxupdate from 1.6~20.04.1 got applied.

Shut down the VM.

Attempted to boot 20.04 BETA iso, and it failed to boot with Verification failed Security Violation. Thus dbx update was correctly applied and vulnerable OS can no longer boot.

Slow phasing is merged and deployed now.

Publishing secureboot-db for focal-updates and focal-security. As discussed, this is fine to go to -security too as it the package is basically a 'pure data' package.

This bug was fixed in the package secureboot-db - 1.6~20.04.1

---------------
secureboot-db (1.6~20.04.1) focal; urgency=medium

  * Ship MS 2020 split arch dbx updates. LP: #1890835
  * Add arm64 architecture.
  * Add breaks on grub-efi-$arch-signed less than security pocket.

 -- Dimitri John Ledkov <email address hidden> Fri, 24 Jul 2020 00:34:57 +0100

The verification of the Stable Release Update for secureboot-db has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

"Yes, ESM will be poked after other series release this."

Dimitri - do we plan to respin trusty media with the upgraded grub?

The focal SRU has been rolled back for the time being from focal-updates to focal-proposed, due to compatibility concerns with current Fedora.

They will be re-released at a later date. For the time being I am marking verification-failed to block promotion, but this does not mean they should be removed from -proposed.

Based on comment #15, I assume the same deb will be released again to focal-updates, Ubuntu only roll it back to focal-proposed to provide Feodra community has more time to address the problem.

If it's an Ubuntu only machines, users are free and allowed to use the same deb right now.

Removed the verification-failed tags so that this bug doesn't show up in the -proposed cleanup report of packages to remove from -proposed.

A newer dbx update has been published, thus this version should not go out to updates & security.
The new update requires SBAT capable shim, which is in progress being rolled out at the moment.

The version of secureboot-db in the proposed pocket of Bionic that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

The version of secureboot-db in the proposed pocket of Focal that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

The version of secureboot-db in the proposed pocket of Xenial that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.