[Bug 1921539] Re: Add support for SBAT

Thu Apr 22 16:39:09 UTC 2021

$ wget http://archive.ubuntu.com/ubuntu/dists/groovy-proposed/main/uefi
/fwupd-amd64/1.4.7-0~20.10.1/fwupdx64.efi.signed

$ md5sum fwupdx64.efi.signed
e3a387f8f87852e670d105145cb96168  fwupdx64.efi.signed

$ objdump -h ./fwupdx64.efi.signed

./fwupdx64.efi.signed:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         000075c0  0000000000004000  0000000000004000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc        0000000a  000000000000c000  000000000000c000  00007a00  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00002d68  000000000000d000  000000000000d000  00007c00  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic      00000150  0000000000010000  0000000000010000  0000aa00  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela         00000e70  0000000000011000  0000000000011000  0000ac00  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.plt     00000018  0000000000011e70  0000000000011e70  0000bc70  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynsym       00000270  0000000000012000  0000000000012000  0000c000  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

The binary clearly does not have .sbat section, thus it will not be
trusted or booted by new shim in hirsute.

fwupd in hirsute does have .sbat section.

This SRU claims to add .sbat for the first time in groovy, but actually
does not. So it is ok to release this SRU in groovy, but we need a
follow up SRU to add sbat section for real.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

Status in OEM Priority Project:
  Confirmed
Status in fwupd package in Ubuntu:
  Fix Released
Status in fwupd-signed package in Ubuntu:
  Fix Released
Status in fwupd source package in Bionic:
  In Progress
Status in fwupd-signed source package in Bionic:
  In Progress
Status in fwupd source package in Focal:
  In Progress
Status in fwupd-signed source package in Focal:
  In Progress
Status in fwupd source package in Groovy:
  Fix Committed
Status in fwupd-signed source package in Groovy:
  Fix Committed
Status in fwupd source package in Hirsute:
  Fix Released
Status in fwupd-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  Future releases of shim will require that EFI binaries that are chainloaded include an SBAT region.  fwupd in bionic does not currently contain this region.

  [Test Case]
  Verify that a shim that checks for sbat region can boot the fwupd with sbat region.

  [Regression Potential]
  This is moving to a new stable release in each of the series which is in bug fix only mode.  The sbat region is the only "feature" that has been backported to this series in over a year.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions