** Description changed: The following bugs was addressed in the secboot project, which requires snapd to update the vendored revision on secboot: - - https://github.com/canonical/secboot/pull/535 + - Access to the HFSTS registers via the HECI is not possible on systems + that use Intel's High Assurance Platform mode. The startup ACM mirrors + some BootGuard policy settings to a MSR so this can be checked as a + workaround. This is a partial fix. - Access to the HFSTS registers via the HECI is not possible on systems - that use Intel's High Assurance Platform mode. This means that we can't - check the BootGuard policy. However, the startup ACM mirrors some - BootGuard policy settings to a MSR, so we can check this as a fallback - in this case. + - Permit pre-OS application launches from SPI flash in PCR4. Fixes: + * PCR_UNUSABLE on hardware (intel xeon + nvidia) secboot#509 + * FR-12927 - - https://github.com/canonical/secboot/pull/534 + - Relax recovery key parsing. Rather than permitting each group of 5 digits + be separated by an optional '-', just permit an arbitrary number of '-' or + whitespace characters instead. Fixes: + * FR-11924 - Only check for the existence of an authorization policy for the lockout - hierarchy if it has an authorization value. In this case, the presence - of a policy is presented in the error message as additional information. - We take ownerhip of the lockout hierarchy in - tpm2.Connection.EnsureProvisioned, and for now, this function will clear - any policy before the authorization value is set. A subsequent PR will - set a more appropriate policy based on the requirement to be able to - rotate the authorization value safely during reprovisioning + - Do not fail preinstall check due to lack of TPM_CAP_AUTH_POLICIES. Fixes: + * efi/preinstall: TPM_CAP_AUTH_POLICIES is not supported on TPMs that implement < v1.38 of the TCG reference spec secboot#408 + + - The PCR4 and PCR7 checks were relying on the BootCurrent EFI variable to + identify the EV_EFI_BOOT_SERVICES_APPLICATION. Instead, assume that the + first OS-present EV_EFI_BOOT_SERVICES_APPLICATION event that isn't Absolute + is the initial OS loader. Fixes: + * PCR_UNUSABLE error with secure boot policy (PCR7) secboot#517 + * cannot access EFI_VARIABLE on hardware (AMD Ryzen AI 5) secboot#519
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2147645 Title: Snapd secboot update to fix TPM/FDE bugs for Resolute installer To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2147645/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
