[Bug 1229572] Please test proposed package
Steve Langasek
steve.langasek at canonical.com
Thu Nov 7 18:06:19 UTC 2013
Hello Steve, or anyone else affected,
Accepted shim-signed into raring-proposed. The package will build now
and be available at http://launchpad.net/ubuntu/+source/shim-
signed/1.4.0~ubuntu13.04.1 in a few hours, and then in the -proposed
repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed. Your feedback will aid us getting this update
out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1229572
Title:
backport SecureBoot support from 13.10 for 12.04.4
Status in “gnu-efi” package in Ubuntu:
Invalid
Status in “sbsigntool” package in Ubuntu:
Invalid
Status in “shim” package in Ubuntu:
Invalid
Status in “shim-signed” package in Ubuntu:
Invalid
Status in “gnu-efi” source package in Precise:
Fix Committed
Status in “sbsigntool” source package in Precise:
Fix Committed
Status in “shim” source package in Precise:
Fix Committed
Status in “shim-signed” source package in Precise:
Fix Committed
Status in “gnu-efi” source package in Quantal:
Fix Committed
Status in “sbsigntool” source package in Quantal:
Fix Committed
Status in “shim” source package in Quantal:
Fix Committed
Status in “shim-signed” source package in Quantal:
Fix Committed
Status in “gnu-efi” source package in Raring:
Fix Committed
Status in “sbsigntool” source package in Raring:
Fix Committed
Status in “shim” source package in Raring:
Fix Committed
Status in “shim-signed” source package in Raring:
Fix Committed
Bug description:
This is a meta-bug for backporting SecureBoot support from 13.10 for
12.04.4. To fully update the SecureBoot stack for 12.04.4 and fix a
number of outstanding bugs, we will have to update a number of
packages:
- gnu-efi: update to upstream version 3.0u, so new upstream shim is buildable in precise.
- sbsigntool: update the backport from 0.6-0ubuntu1 to 0.6-0ubuntu4, to include various fixes so build-time validation of shim-signed is possible (i.e., so recent shim-signed is buildable in precise).
- shim: binary-copy of 0.4-0ubuntu4 from saucy, so we don't have to round-trip to Microsoft for a separate signature for each release of what should be functionally the same program
- shim-signed: binary-copy of 1.4 from saucy (once shim 0.4-0ubuntu4 has been signed by Microsoft)
We should also backport grub2 support for generating signed netboot
images, but this can be handled as a separate bug report.
[Impact]
A number of OEM devices that ship with Secure Boot enabled are reported to not be able to boot 12.04.3, due to bugs in the pre-release version of shim included in that point release. The only practical means of addressing this is by updating the related packages to the current versions; cherry-picking individual bugfixes is error-prone and time-consuming. This will pull in some new features in addition to the bugfixes - such as netboot support - but this is also justifiable from a hardware-enablement perspective in the LTS.
[Test Case]
1. Rebuild all reverse-dependencies of gnu-efi in precise: refit, efilinux, elilo, shim, sbsigntool, and verify that they're buildable
2. Verify that the resulting shim binary build is functional by using it to boot a UEFI machine with and without SecureBoot enabled
3. Rebuild shim-signed from precise against the new sbsigntool, and verify it builds correctly
4. Rebuild shim-signed from precise-proposed against the new sbsigntool, and verify that it also builds correctly
5. Install linux-signed-generic-lts-raring from precise-updates and verify that it works with the new sbsigntool
6. Verify that linux-signed-lts-raring builds from source with the new sbsigntool
[Regression Potential]
This is a significant update to bootloader code which carries risk of regressing an unknown number of systems and rendering them unbootable. This risk is mitigated by the fact that there have been no reports of regression with the new version of shim in saucy, and the plan is to do a binary copy so if it works in saucy it should work in precise. There have also been multiple reports of machines successfully booting with shim 0.4 which failed with the earlier versions, making this worth the risk.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnu-efi/+bug/1229572/+subscriptions
More information about the foundations-bugs
mailing list