[Bug 1790724] Re: Backport shim 15+1533136590.3beb971-0ubuntu1 to all supported releases
Brian Murray
brian at ubuntu.com
Tue Dec 11 22:55:34 UTC 2018
Hello Mathieu, or anyone else affected,
Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.3 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Tags removed: verification-failed-xenial
** Tags added: verification-needed verification-needed-xenial
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1790724
Title:
Backport shim 15+1533136590.3beb971-0ubuntu1 to all supported releases
Status in shim package in Ubuntu:
Fix Released
Status in shim-signed package in Ubuntu:
Fix Released
Status in shim source package in Trusty:
New
Status in shim-signed source package in Trusty:
New
Status in shim source package in Xenial:
Fix Committed
Status in shim-signed source package in Xenial:
Fix Committed
Status in shim source package in Bionic:
Fix Released
Status in shim-signed source package in Bionic:
Fix Released
Status in shim source package in Cosmic:
Fix Released
Status in shim-signed source package in Cosmic:
Fix Released
Bug description:
[Impact]
All UEFI users.
[Test case]
Verify that LP: #1792575 in grub has been fixed first for the corresponding release.
== shim ==
1) Enable Secure Boot in firmware.
2) Update to new shim and shim-signed packages (shim 15+, shim-signed 1.37~)
3) Validate that the system still boots and validates the shim image as well as the grub binary.
== MokManager ==
0) Generate a new self-signed certificate. You can use "sudo update-secureboot-policy --new-mok" for that purpose; the DER file will be in /var/lib/shim-signed/mok.
1) Run 'sudo mokutil --enable-validation'
2) Follow prompts on screen to enable validation if applicable.
3) Run 'sudo mokutil --import <certificate.der>'
4) Follow the prompts on screen to import a new certificate.
5) Reboot
6) Follow prompts to import the new certificate and enable validation.
7) Validate that the system boots all the way to userland.
8) Verify that the certificate has been correctly imported; it should be listed in the output of 'sudo mokutil --list-enrolled'.
== mokutil ==
1) Run 'sudo mokutil --timeout 14' (or any other arbitrary value).
2) Follow the steps for MokManager tests above.
3) Validate that the MokManager prompt happens and shows a timeout appropriate for the timeout value set using the mokutil command.
Also validate 'mokutil --timeout -1' works correctly, where the
MokManager never times out.
[Regression potential]
Possible regressions might include failure to load shim or MokManager, or failure to validate an EFI binary (which usually translates into a Security Violation message). Any such issues should be investigated as possible regressions caused by this update.
---
Backport shim to all supported releases of Ubuntu.
Include mokutil changes to support new timeout feature.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1790724/+subscriptions
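Step 8 of the MokManager test case can be checked by fingerprint rather than by reading the listing by eye. The following is an added example, not part of the bug report or of the shim packages: the function names are hypothetical, the sample listing and its fingerprints are constructed, and it assumes 'mokutil --list-enrolled' prints one "SHA1 Fingerprint:" line per enrolled key.

```shell
#!/bin/sh
# Added example: confirm by SHA1 fingerprint that a MOK certificate is enrolled.

# Print the SHA1 fingerprint of a DER certificate as lowercase colon-separated hex.
# openssl prints "<label>=<fingerprint>"; everything up to '=' is dropped.
cert_sha1() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 |
        sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Read 'mokutil --list-enrolled' output on stdin and print one lowercase
# fingerprint per enrolled key (assumed line format: "SHA1 Fingerprint: xx:xx:...").
enrolled_sha1s() {
    sed -n 's/[[:space:]]*$//; s/^SHA1 Fingerprint:[[:space:]]*//p' |
        tr 'A-F' 'a-f'
}

# Return 0 if fingerprint $1 matches an enrolled key in the listing on stdin.
# -x and -F force a whole-line literal match, so a truncated fingerprint fails.
is_enrolled() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    enrolled_sha1s | grep -qxF "$want"
}

# Constructed sample of the listing (fingerprints are made up).
SAMPLE_LISTING='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00
Certificate:
    Data:
        Version: 3 (0x2)

[key 2]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)'

# On a test system, after the reboot in step 5 (path is a placeholder):
#   fp=$(cert_sha1 <certificate.der>)
#   sudo mokutil --list-enrolled | is_enrolled "$fp" && echo "MOK enrolled"
```

A non-zero exit from is_enrolled means the certificate from step 0 is not in the enrolled list, which is the failure the test case asks testers to report.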