[Bug 1229572] Re: backport SecureBoot support from 13.10 for 12.04.4

Launchpad Bug Tracker 1229572 at bugs.launchpad.net
Thu Nov 7 19:53:57 UTC 2013 

This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~13.04.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~13.04.0) raring; urgency=low

  * Backport gnu-efi from saucy to raring to support new versions of
    shim.  LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <cjwatson at ubuntu.com> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.
 -- Steve Langasek <steve.langasek at ubuntu.com>   Tue, 24 Sep 2013 14:21:08 -0700

** Changed in: sbsigntool (Ubuntu Raring)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1229572

Title:
  backport SecureBoot support from 13.10 for 12.04.4

Status in “gnu-efi” package in Ubuntu:
  Invalid
Status in “sbsigntool” package in Ubuntu:
  Invalid
Status in “shim” package in Ubuntu:
  Invalid
Status in “shim-signed” package in Ubuntu:
  Invalid
Status in “gnu-efi” source package in Precise:
  Fix Released
Status in “sbsigntool” source package in Precise:
  Fix Released
Status in “shim” source package in Precise:
  Fix Released
Status in “shim-signed” source package in Precise:
  Fix Released
Status in “gnu-efi” source package in Quantal:
  Fix Released
Status in “sbsigntool” source package in Quantal:
  Fix Released
Status in “shim” source package in Quantal:
  Fix Released
Status in “shim-signed” source package in Quantal:
  Fix Released
Status in “gnu-efi” source package in Raring:
  Fix Released
Status in “sbsigntool” source package in Raring:
  Fix Released
Status in “shim” source package in Raring:
  Fix Released
Status in “shim-signed” source package in Raring:
  Fix Released

Bug description:
  This is a meta-bug for backporting SecureBoot support from 13.10 for
  12.04.4.  To fully update the SecureBoot stack for 12.04.4 and fix a
  number of outstanding bugs, we will have to update a number of
  packages:

   - gnu-efi: update to upstream version 3.0u, so new upstream shim is buildable in precise.
   - sbsigntool: update the backport from 0.6-0ubuntu1 to 0.6-0ubuntu4, to include various fixes so build-time validation of shim-signed is possible (i.e., so recent shim-signed is buildable in precise).
   - shim: binary-copy of 0.4-0ubuntu4 from saucy, so we don't have to round-trip to Microsoft for a separate signature for each release of what should be functionally the same program
   - shim-signed: binary-copy of 1.4 from saucy (once shim 0.4-0ubuntu4 has been signed by Microsoft)

  We should also backport grub2 support for generating signed netboot
  images, but this can be handled as a separate bug report.

  [Impact]
  A number of OEM devices that ship with Secure Boot enabled are reported to not be able to boot 12.04.3, due to bugs in the pre-release version of shim included in that point release.  The only practical means of addressing this is by updating the related packages to the current versions; cherry-picking individual bugfixes is error-prone and time-consuming.  This will pull in some new features in addition to the bugfixes - such as netboot support - but this is also justifiable from a hardware-enablement perspective in the LTS.

  [Test Case]
  1. Rebuild all reverse-dependencies of gnu-efi in precise: refit, efilinux, elilo, shim, sbsigntool, and verify that they're buildable
  2. Verify that the resulting shim binary build is functional by using it to boot a UEFI machine with and without SecureBoot enabled
  3. Rebuild shim-signed from precise against the new sbsigntool, and verify it builds correctly
  4. Rebuild shim-signed from precise-proposed against the new sbsigntool, and verify that it also builds correctly
  5. Install linux-signed-generic-lts-raring from precise-updates and verify that it works with the new sbsigntool
  6. Verify that linux-signed-lts-raring builds from source with the new sbsigntool

  [Regression Potential]
  This is a significant update to bootloader code which carries risk of regressing an unknown number of systems and rendering them unbootable.  This risk is mitigated by the fact that there have been no reports of regression with the new version of shim in saucy, and the plan is to do a binary copy so if it works in saucy it should work in precise.  There have also been multiple reports of machines successfully booting with shim 0.4 which failed with the earlier versions, making this worth the risk.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnu-efi/+bug/1229572/+subscriptions

More information about the foundations-bugs mailing list