[Bug 1921134] Re: SBAT shim 15.4 release

Harm van Bakel 1921134 at bugs.launchpad.net
Tue Jun 29 01:59:54 UTC 2021 

After installing shim-15.4-0ubuntu5 and shim-signed-1.40.5+15.4-0ubuntu5
on focal and rebooting, I noticed my /var/log/syslog was being flooded
with the following messages from vboxdrv.sh:

Jun 28 21:33:52 ... vboxdrv.sh[7701]: Enter a password for Secure Boot. It will be asked again after a reboot.
Jun 28 21:33:52 ... vboxdrv.sh[7701]: Enter the same password again to verify you have typed it correctly.
Jun 28 21:33:52 ... vboxdrv.sh[7701]: Invalid password
Jun 28 21:33:52 ... vboxdrv.sh[7701]: The Secure Boot key you've entered is not valid. The password used must be
Jun 28 21:33:52 ... vboxdrv.sh[7701]: between 8 and 16 characters.

It doesn't look like the shim update plays nice with Virtualbox-6.1
installed from the Oracle repo. Reverting back to the focal-updates
version fixes the issue.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1921134

Title:
  SBAT shim 15.4 release

Status in OEM Priority Project:
  Confirmed
Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Committed
Status in shim-signed source package in Focal:
  Fix Committed
Status in shim-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

   * New upstream shim release 15.4
   * It includes and enforces SBAT validation

  [Test Plan]

   * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

  [Where problems could occur]

   * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.

   * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.

  [Other Info]

   * All patches are dropped, as all got included in the v15.3 upstream release
   * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
   * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
   * This upload obsoletes shim-signed-canonical package

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921134/+subscriptions

More information about the foundations-bugs mailing list