[Bug 1921134] Re: SBAT shim 15.4 release

2021-10-05 Thread Mathew Hodson
** Changed in: oem-priority
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921134

Title:
  SBAT shim 15.4 release

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921134/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921134] Re: SBAT shim 15.4 release

2021-09-07 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.37~18.04.10

---
shim-signed (1.37~18.04.10) bionic; urgency=medium

  * Remove unnecessary efitools dependency that prevented build on arm64

shim-signed (1.37~18.04.9) bionic; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Synchronize packaging with 1.50, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes on shim-signed package so that it cannot be
      removed by accident (LP: #1898729)
    - download-signed: Fetch signed artefacts from versioned URL instead
      of current/ symlink to work around caching (LP: #1936640)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)
  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode   Mon, 19 Jul 2021 17:01:19 +0200

** Changed in: shim-signed (Ubuntu Bionic)
   Status: Fix Committed => Fix Released


[Bug 1921134] Re: SBAT shim 15.4 release

2021-09-06 Thread Julian Andres Klode
Actually, the previous comment was for bionic this time. 1.37~18.04.10 /
15.4-0ubuntu7.

fwupd loading has been tested in the fwupd sbat test case

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic


[Bug 1921134] Re: SBAT shim 15.4 release

2021-09-06 Thread Julian Andres Klode
Most tests from focal and newer are valid on xenial too, as the binaries
are the same. I hence just verified the interaction with xenial's
mokutil and kernel keyring:

* Tested enrolling MOK and modprobing vboxdrv module
* Tested timeout and reset, modprobe after reset failed to find the key, as it should


[Bug 1921134] Re: SBAT shim 15.4 release

2021-08-18 Thread Julian Andres Klode
** Tags removed: block-proposed-bionic

** Tags removed: block-proposed-groovy


[Bug 1921134] Re: SBAT shim 15.4 release

2021-08-16 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates.  LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install.  LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode   Fri, 16 Jul 2021 13:04:57 +0200

** Changed in: shim-signed (Ubuntu Xenial)
   Status: Fix Committed => Fix Released


[Bug 1921134] Re: SBAT shim 15.4 release

2021-08-03 Thread Yuan-Chen Cheng
** Changed in: oem-priority
 Assignee: Yuan-Chen Cheng (ycheng-twn) => (unassigned)

** Changed in: oem-priority
 Assignee: (unassigned) => Yuan-Chen Cheng (ycheng-twn)

** Changed in: oem-priority
   Importance: Critical => Medium

** Changed in: oem-priority
   Status: In Progress => Confirmed

** Changed in: oem-priority
 Assignee: Yuan-Chen Cheng (ycheng-twn) => (unassigned)


[Bug 1921134] Re: SBAT shim 15.4 release

2021-08-02 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.40.6

---
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode   Fri, 16 Jul 2021 13:33:00 +0200

** Changed in: shim-signed (Ubuntu Focal)
   Status: Fix Committed => Fix Released


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-26 Thread Julian Andres Klode
Most tests from focal and newer are valid on xenial too, as the binaries
are the same. I hence just verified the interaction with xenial's
mokutil and kernel keyring:

* Tested enrolling MOK and modprobing vboxdrv module
* Tested timeout and reset, modprobe after reset failed to find the key, as it should


** Tags removed: block-proposed-xenial verification-needed-xenial
** Tags added: verification-done-xenial


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-26 Thread Julian Andres Klode
Verified the shim on focal.

* xnox verified windows booting on hirsute, binaries are same
* I verified maas style chained netbooting
* Verified the interactions with mokutil
+ Verified loading dkms modules
+ Verified end2end IRL boot on ThinkPad X230 with ZFS
- Did not verify actual Maas boot, but confident enough that we have checked 15.4 shim for that and the additional patches are not going to break it
- Did not check fwupd, fwupd focal SRU needs to be accepted too. Checked that the load option parsing is correct for that purpose on our side
- Did not chainload other distros due to lack of such distros in my VM setups, but given that windows and shim chainloading works, happy enough. People can still boot other distros via UEFI menu anyway, we should phase out chainloading them.

** Tags removed: block-proposed-focal verification-needed-focal
** Tags added: verification-done-focal


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-21 Thread Yuan-Chen Cheng
** Changed in: oem-priority
   Status: Confirmed => In Progress


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-19 Thread Łukasz Zemczak
Hello Dimitri, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Tags removed: verification-done-xenial
** Tags added: verification-needed-xenial


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-19 Thread Łukasz Zemczak
Hello Dimitri, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.9 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: shim-signed (Ubuntu Bionic)
   Status: New => Fix Committed

** Tags added: verification-needed-bionic


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-07 Thread Julian Andres Klode
While that is true, we also discovered another regression yesterday
which breaks booting on real hardware: In bug 1934780, we discovered
that Mellanox BF1 SmartNic do not support querying variable storage
info, and hence fail to boot. SUSE discovered similar issues.

I don't think this is ready for releasing yet, and we need another shim.

** Tags added: block-proposed-xenial


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-06 Thread Steve Langasek
> It turns out that while there is no signed *fwupd* on xenial, there is a
> signed *fwupdate*, so releasing this update would break firmware
> updating after all :/

Not a blocker.  fwupdate is obsolete, cannot be trivially migrated to
fwupd (the SRU of fwupd-signed in bionic was quite painful), and already
lacks support for a lot of relevant firmware updates.  On behalf of the
SRU team, I had already taken the decision to allow fwupdate-signed to
regress in xenial in favor of continued SecureBoot support.

** Tags removed: block-proposed-xenial


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-05 Thread Julian Andres Klode
It turns out that while there is no signed *fwupd* on xenial, there is a
signed *fwupdate*, so releasing this update would break firmware
updating after all :/

** Tags added: block-proposed-xenial


[Bug 1921134] Re: SBAT shim 15.4 release

2021-07-03 Thread Harm van Bakel
I tried installing the new shim package on a second system that also had
Oracle Virtualbox 6.1 installed and didn't encounter the same issue on
this system.

I then tried upgrading the first system again after first uninstalling
Virtualbox. This time there were no issues after the upgrade. I then
reinstalled Oracle Virtualbox 6.1 on this system that prompted the
installation of a new MOK. After registering the new key on a reboot
everything is working fine now. I'm guessing there was some MOK issue
specific to the system that was causing the issue, which was solved by a
reinstallation of Virtualbox.


[Bug 1921134] Re: SBAT shim 15.4 release

2021-06-29 Thread Julian Andres Klode
I don't see any relevant changes in the shim userspace bits in the focal
update, and I can't speak to what Oracle does or does not do with their
packages. Certainly trying to compile the modules and install them,
setting up MOK, during boot like that is not going to work.


[Bug 1921134] Re: SBAT shim 15.4 release

2021-06-28 Thread Harm van Bakel
After installing shim-15.4-0ubuntu5 and shim-signed-1.40.5+15.4-0ubuntu5
on focal and rebooting, I noticed my /var/log/syslog was being flooded
with the following messages from vboxdrv.sh:

Jun 28 21:33:52 ... vboxdrv.sh[7701]: Enter a password for Secure Boot. It will be asked again after a reboot.
Jun 28 21:33:52 ... vboxdrv.sh[7701]: Enter the same password again to verify you have typed it correctly.
Jun 28 21:33:52 ... vboxdrv.sh[7701]: Invalid password
Jun 28 21:33:52 ... vboxdrv.sh[7701]: The Secure Boot key you've entered is not valid. The password used must be
Jun 28 21:33:52 ... vboxdrv.sh[7701]: between 8 and 16 characters.

It doesn't look like the shim update plays nice with Virtualbox-6.1
installed from the Oracle repo. Reverting back to the focal-updates
version fixes the issue.


[Bug 1921134] Re: SBAT shim 15.4 release

2021-06-28 Thread Julian Andres Klode
I had already checked the various chainbooting thingies for newer
releases, and the binaries are the same, so for xenial, I have validated
the mokutil integration and everything worked as expected with
1.33.1~16.04.9

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

** Tags removed: block-proposed-xenial


[Bug 1921134] Re: SBAT shim 15.4 release

2021-06-28 Thread Łukasz Zemczak
Hello Dimitri, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and
be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.5
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-focal. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: shim-signed (Ubuntu Focal)
   Status: New => Fix Committed

** Tags added: verification-needed-focal


[Bug 1921134] Re: SBAT shim 15.4 release

2021-05-14 Thread Łukasz Zemczak
Hello Dimitri, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.7 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: shim-signed (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-xenial


[Bug 1921134] Re: SBAT shim 15.4 release

2021-05-10 Thread Steve Langasek
This is a false-positive for the SRU due to the binary copy of shim 1.47
from impish to hirsute-proposed.  It has already been fixed in hirsute
release, there is no change here and no need for an SRU verification.

** Changed in: shim-signed (Ubuntu Hirsute)
   Status: Fix Committed => Fix Released

** Tags removed: verification-needed-hirsute
** Tags added: verification-done-hirsute

** Tags removed: verification-needed


[Bug 1921134] Re: SBAT shim 15.4 release

2021-05-06 Thread Łukasz Zemczak
Hello Dimitri, or anyone else affected,

Accepted shim-signed into hirsute-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.47
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-hirsute to verification-done-hirsute. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-hirsute. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: shim-signed (Ubuntu Hirsute)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-hirsute


[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-15 Thread Yuan-Chen Cheng
** Changed in: oem-priority
 Assignee: (unassigned) => Yuan-Chen Cheng (ycheng-twn)

** Changed in: oem-priority
   Status: New => Confirmed

** Changed in: oem-priority
   Importance: Undecided => Critical


[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.46

---
shim-signed (1.46) hirsute; urgency=medium

  * New upstream release 15.4 LP: #1921134
  * Ship fb & mm from shim-signed package.
  * Remove shim-canonical-unsigned dependency, now provided by shim
    itself.
  * Generalize attaching externally supplied signatures, to aid building
    with embargoed or MS external signatures.

 -- Dimitri John Ledkov   Wed, 24 Mar 2021 12:40:28
+

[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-13 Thread Launchpad Bug Tracker
This bug was fixed in the package shim - 15.4-0ubuntu1

---
shim (15.4-0ubuntu1) hirsute; urgency=medium

  [ Dimitri John Ledkov ]
  * New upstream release 15.4 LP: #1921134
    - Update the commit hash in debian/rules
  * debian/rules: add request to sign EFI binaries with archive signing key.
  * debian/rules: stop using ENABLE_SHIM_CERT=1.
  * debian/rules: add canonical 2021 DBX.
  * debian/rules: start using DISABLE_EBS_PROTECTION=1 to allow
    chainloading shim to shim, and shim to kernel.efi.
  * Add shim-dbg package, skip stripping files.
  * Update watch file, now uscan can generate new upstream tarballs.
  * Upgrade to debhelper 12.
  * Drop gnu-efi build-dep, now vendored upstream.
  * Add debian/rules target to generate gnu-efi components.
  * Do not clean gnu-efi Makefile.orig
  * Remove fallback 5s delay with TPM. LP: #1922581
  * Add xxd build-dep to run unittests.

  [ Chris Coulson ]
  * Drop patches that are fixed upstream:
    - debian/patches/Fix-OBJ_create-to-tolerate-a-NULL-sn-and-ln.patch
    - debian/patches/MokManager-avoid-unaligned.patch
    - debian/patches/tpm-correctness-1.patch
    - debian/patches/tpm-correctness-2.patch
    - debian/patches/tpm-correctness-3.patch
    - debian/patches/MokManager-hidpi-support.patch
    - debian/patches/fix-path-checks.patch
  * Drop the ENABLE_HTTPBOOT option - this is always built now.
    - update debian/rules
  * Add vendor SBAT metadata to shim.
    - add debian/sbat.ubuntu.csv.in
    - update debian/rules
  * Add vendor dbx esl to include-binaries
  * Build-depend on dos2unix
    - update debian/control

 -- Dimitri John Ledkov   Wed, 24 Mar 2021 11:32:25
+

** Changed in: shim (Ubuntu)
   Status: Confirmed => Fix Released

** Changed in: shim-signed (Ubuntu)
   Status: Confirmed => Fix Released

[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-13 Thread Dimitri John Ledkov
** Tags removed: block-proposed-hirsute

[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-13 Thread Dimitri John Ledkov
** Tags added: block-proposed-hirsute

** Tags added: block-proposed-bionic block-proposed-focal
block-proposed-groovy block-proposed-xenial

[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-11 Thread Rex Tsai
** Tags added: oem-priority

[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-02 Thread Steve Beattie
** Changed in: shim (Ubuntu)
   Status: New => Confirmed

** Changed in: shim-signed (Ubuntu)
   Status: New => Confirmed

[Bug 1921134] Re: SBAT shim 15.4 release

2021-04-01 Thread Yuan-Chen Cheng
** Also affects: oem-priority
   Importance: Undecided
   Status: New

** Tags added: fwupd

** Tags added: sbat

[Bug 1921134] Re: SBAT shim 15.4 release

2021-03-31 Thread Dimitri John Ledkov
** Summary changed:

- SBAT shim 15.3 release
+ SBAT shim 15.4 release

** Description changed:

  [Impact]
  
-  * New upstream shim release 15.3
+  * New upstream shim release 15.4
   * It includes and enforces SBAT validation
  
  [Test Plan]
  
   * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan
  
  [Where problems could occur]
  
   * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.
  
   * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.
  
  [Other Info]
  
   * All patches are dropped, as all got included in the v15.3 upstream release
   * Embedded ephemeral shim certificate is now gone, and archive key is used 
to sign fb/mm
   * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable 
grubs and shims
-  * This upload obsoletes shim-signed-canonical package
+  * This upload obsoletes shim-signed-canonical package
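
Review bot: in [Other Info], the unchanged line "All patches are dropped, as all got included in the v15.3 upstream release" still names v15.3 while the summary and [Impact] now say 15.4; either update it or reword it to state that the patches landed in 15.3 and are therefore also in 15.4, so the description does not read as half-updated. The last -/+ pair (the shim-signed-canonical line) shows no visible text change, so it is presumably a whitespace-only edit and can be ignored when reviewing.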
