[Bug 1921134] Re: SBAT shim 15.4 release

Launchpad Bug Tracker 1921134 at bugs.launchpad.net
Mon Aug 2 19:46:16 UTC 2021 

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <juliank at ubuntu.com>  Fri, 16 Jul 2021 13:33:00
+0200

** Changed in: shim-signed (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1921134

Title:
  SBAT shim 15.4 release

Status in OEM Priority Project:
  In Progress
Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Committed
Status in shim-signed source package in Bionic:
  Fix Committed
Status in shim-signed source package in Focal:
  Fix Released
Status in shim-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

   * New upstream shim release 15.4
   * It includes and enforces SBAT validation

  [Test Plan]

   * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

  [Where problems could occur]

   * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.

   * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.

  [Other Info]

   * All patches are dropped, as all got included in the v15.3 upstream release
   * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
   * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
   * This upload obsoletes shim-signed-canonical package

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921134/+subscriptions

More information about the foundations-bugs mailing list