[Bug 1229572] Re: backport SecureBoot support from 13.10 for 12.04.4

Launchpad Bug Tracker 1229572 at bugs.launchpad.net
Thu Nov 7 19:53:23 UTC 2013


This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~12.10.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~12.10.0) quantal; urgency=low

  * Backport gnu-efi from saucy to quantal to support new versions of
    shim.  LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <cjwatson at ubuntu.com> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.

gnu-efi (3.0s+debian-1ubuntu2) raring; urgency=low

  * Restore -fno-stack-protector; this is needed to build packages linked
    against gnu-efi, such as efilinux.  This change is now in a patch with a
    header explaining the reasoning, to try to avoid it being dropped in
    future.

gnu-efi (3.0s+debian-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable, dropped changes:
    - gnuefi/elf_x86_64_efi.lds: align the .reloc section; merged upstream.
    - Build with -fno-stack-protector; no longer needed.
  * debian/rules: past architecture arguments when building the x86_64 code on
    i386; otherwise the upstream build system wrongly assumes that if uname
    says x86_64, it doesn't have to pass -m64 to the compiler.

gnu-efi (3.0s+debian-1) unstable; urgency=low

  * Merging upstream version 3.0s+debian.

gnu-efi (3.0r+debian-1) experimental; urgency=low

  * Merging upstream version 3.0r+debian (Closes: #637276, #679627):
    - Rebuilding upstream tarball without debian directory.
  * Removing useless whitespaces at EOL and EOF.
  * Updating package to debhelper version 9.
  * Updating package to standards version 3.9.4.
  * Making build-depends on binutils unversioned, already fulfilled by
    wheezy.
  * Sorting architectures in gcc-multilib build-depends alphabetically.
  * Wrapping build-depends to 80 chars per line.
  * Adding homepage field.
  * Sorting architectures field alphabetically.
  * Removing pre-wheezy conflicts on libc6-i386.
  * Removing French spacing in package long-description.
  * Rewriting copyright file in copyright-format version 1.0.
  * Prefixing debhelper files with package name.
  * Simplifying debhelper docs file by using wildcard.
  * Removing watch file.
  * Reorganizing rules file in minimized debhelper form.
  * Switching to source format 3.0 (quilt).
  * Switching to xz compression.
  * Adding todo file.

gnu-efi (3.0i-4) unstable; urgency=low

  * Updating maintainers and uploaders fields:
    - Removing Julien from uploaders, he resigned from the project
      (Closes: #688546).
    - Removing Bdale from uploaders as he wished.
    - Adding myself as maintainer.
 -- Steve Langasek <steve.langasek at ubuntu.com>   Tue, 24 Sep 2013 14:21:08 -0700

** Changed in: gnu-efi (Ubuntu Quantal)
       Status: Fix Committed => Fix Released

** Changed in: sbsigntool (Ubuntu Quantal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1229572

Title:
  backport SecureBoot support from 13.10 for 12.04.4

Status in “gnu-efi” package in Ubuntu:
  Invalid
Status in “sbsigntool” package in Ubuntu:
  Invalid
Status in “shim” package in Ubuntu:
  Invalid
Status in “shim-signed” package in Ubuntu:
  Invalid
Status in “gnu-efi” source package in Precise:
  Fix Released
Status in “sbsigntool” source package in Precise:
  Fix Released
Status in “shim” source package in Precise:
  Fix Released
Status in “shim-signed” source package in Precise:
  Fix Released
Status in “gnu-efi” source package in Quantal:
  Fix Released
Status in “sbsigntool” source package in Quantal:
  Fix Released
Status in “shim” source package in Quantal:
  Fix Released
Status in “shim-signed” source package in Quantal:
  Fix Released
Status in “gnu-efi” source package in Raring:
  Fix Released
Status in “sbsigntool” source package in Raring:
  Fix Released
Status in “shim” source package in Raring:
  Fix Released
Status in “shim-signed” source package in Raring:
  Fix Released

Bug description:
  This is a meta-bug for backporting SecureBoot support from 13.10 for
  12.04.4.  To fully update the SecureBoot stack for 12.04.4 and fix a
  number of outstanding bugs, we will have to update a number of
  packages:

   - gnu-efi: update to upstream version 3.0u, so new upstream shim is buildable in precise.
   - sbsigntool: update the backport from 0.6-0ubuntu1 to 0.6-0ubuntu4, to include various fixes so build-time validation of shim-signed is possible (i.e., so recent shim-signed is buildable in precise).
   - shim: binary-copy of 0.4-0ubuntu4 from saucy, so we don't have to round-trip to Microsoft for a separate signature for each release of what should be functionally the same program
   - shim-signed: binary-copy of 1.4 from saucy (once shim 0.4-0ubuntu4 has been signed by Microsoft)

  We should also backport grub2 support for generating signed netboot
  images, but this can be handled as a separate bug report.

  [Impact]
  A number of OEM devices that ship with Secure Boot enabled are reported to not be able to boot 12.04.3, due to bugs in the pre-release version of shim included in that point release.  The only practical means of addressing this is by updating the related packages to the current versions; cherry-picking individual bugfixes is error-prone and time-consuming.  This will pull in some new features in addition to the bugfixes - such as netboot support - but this is also justifiable from a hardware-enablement perspective in the LTS.

  [Test Case]
  1. Rebuild all reverse-dependencies of gnu-efi in precise: refit, efilinux, elilo, shim, sbsigntool, and verify that they're buildable
  2. Verify that the resulting shim binary build is functional by using it to boot a UEFI machine with and without SecureBoot enabled
  3. Rebuild shim-signed from precise against the new sbsigntool, and verify it builds correctly
  4. Rebuild shim-signed from precise-proposed against the new sbsigntool, and verify that it also builds correctly
  5. Install linux-signed-generic-lts-raring from precise-updates and verify that it works with the new sbsigntool
  6. Verify that linux-signed-lts-raring builds from source with the new sbsigntool

  [Regression Potential]
  This is a significant update to bootloader code which carries risk of regressing an unknown number of systems and rendering them unbootable.  This risk is mitigated by the fact that there have been no reports of regression with the new version of shim in saucy, and the plan is to do a binary copy so if it works in saucy it should work in precise.  There have also been multiple reports of machines successfully booting with shim 0.4 which failed with the earlier versions, making this worth the risk.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnu-efi/+bug/1229572/+subscriptions



More information about the foundations-bugs mailing list