[Bug 1229572] Re: backport SecureBoot support from 13.10 for 12.04.4

Stéphane Graber stgraber at stgraber.org
Thu Nov 7 18:15:36 UTC 2013 

Confirmed the new shim-signed boots on precise.

** Tags added: verification-done-precise

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1229572

Title:
  backport SecureBoot support from 13.10 for 12.04.4

Status in “gnu-efi” package in Ubuntu:
  Invalid
Status in “sbsigntool” package in Ubuntu:
  Invalid
Status in “shim” package in Ubuntu:
  Invalid
Status in “shim-signed” package in Ubuntu:
  Invalid
Status in “gnu-efi” source package in Precise:
  Fix Released
Status in “sbsigntool” source package in Precise:
  Fix Released
Status in “shim” source package in Precise:
  Fix Released
Status in “shim-signed” source package in Precise:
  Fix Released
Status in “gnu-efi” source package in Quantal:
  Fix Committed
Status in “sbsigntool” source package in Quantal:
  Fix Committed
Status in “shim” source package in Quantal:
  Fix Committed
Status in “shim-signed” source package in Quantal:
  Fix Committed
Status in “gnu-efi” source package in Raring:
  Fix Committed
Status in “sbsigntool” source package in Raring:
  Fix Committed
Status in “shim” source package in Raring:
  Fix Committed
Status in “shim-signed” source package in Raring:
  Fix Committed

Bug description:
  This is a meta-bug for backporting SecureBoot support from 13.10 for
  12.04.4.  To fully update the SecureBoot stack for 12.04.4 and fix a
  number of outstanding bugs, we will have to update a number of
  packages:

   - gnu-efi: update to upstream version 3.0u, so new upstream shim is buildable in precise.
   - sbsigntool: update the backport from 0.6-0ubuntu1 to 0.6-0ubuntu4, to include various fixes so build-time validation of shim-signed is possible (i.e., so recent shim-signed is buildable in precise).
   - shim: binary-copy of 0.4-0ubuntu4 from saucy, so we don't have to round-trip to Microsoft for a separate signature for each release of what should be functionally the same program
   - shim-signed: binary-copy of 1.4 from saucy (once shim 0.4-0ubuntu4 has been signed by Microsoft)

  We should also backport grub2 support for generating signed netboot
  images, but this can be handled as a separate bug report.

  [Impact]
  A number of OEM devices that ship with Secure Boot enabled are reported to not be able to boot 12.04.3, due to bugs in the pre-release version of shim included in that point release.  The only practical means of addressing this is by updating the related packages to the current versions; cherry-picking individual bugfixes is error-prone and time-consuming.  This will pull in some new features in addition to the bugfixes - such as netboot support - but this is also justifiable from a hardware-enablement perspective in the LTS.

  [Test Case]
  1. Rebuild all reverse-dependencies of gnu-efi in precise: refit, efilinux, elilo, shim, sbsigntool, and verify that they're buildable
  2. Verify that the resulting shim binary build is functional by using it to boot a UEFI machine with and without SecureBoot enabled
  3. Rebuild shim-signed from precise against the new sbsigntool, and verify it builds correctly
  4. Rebuild shim-signed from precise-proposed against the new sbsigntool, and verify that it also builds correctly
  5. Install linux-signed-generic-lts-raring from precise-updates and verify that it works with the new sbsigntool
  6. Verify that linux-signed-lts-raring builds from source with the new sbsigntool

  [Regression Potential]
  This is a significant update to bootloader code which carries risk of regressing an unknown number of systems and rendering them unbootable.  This risk is mitigated by the fact that there have been no reports of regression with the new version of shim in saucy, and the plan is to do a binary copy so if it works in saucy it should work in precise.  There have also been multiple reports of machines successfully booting with shim 0.4 which failed with the earlier versions, making this worth the risk.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnu-efi/+bug/1229572/+subscriptions

More information about the foundations-bugs mailing list