[Bug 2015664] [NEW] backport needed to enable users to reset SBAT level

Steve Langasek 2015664 at bugs.launchpad.net
Sun Apr 9 03:09:42 UTC 2023


Public bug reported:

After installing the most recent point releases of Ubuntu (Ubuntu
20.04.6, 22.04.2, or 23.04 beta), if the user has SecureBoot enabled
(which is definitely recommended on UEFI systems) they will subsequently
be unable to boot older OS install media which has not bumped its SBAT
level since December 2022.

While this is the correct default security policy as explained at
https://discourse.ubuntu.com/t/sbat-revocations-boot-process/34996,
users also need to be able to have control over their SBAT level so that
they have the choice to downgrade the security level and boot other
install media (up to and including older ESM-supported Ubuntu releases
for which no updated media will be issued).

In order to clear the SBAT level recorded in firmware, we need an
updated version of mokutil corresponding to the shim which has been
backported in these releases.

** Affects: mokutil (Ubuntu)
     Importance: High
         Status: New

** Affects: mokutil (Ubuntu Focal)
     Importance: High
         Status: New

** Affects: mokutil (Ubuntu Jammy)
     Importance: High
         Status: New


** Tags: fr-4055

** Changed in: mokutil (Ubuntu)
   Importance: Undecided => High

** Tags added: fr-4055

** Also affects: mokutil (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: mokutil (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: mokutil (Ubuntu Focal)
   Importance: Undecided => High

** Changed in: mokutil (Ubuntu Jammy)
   Importance: Undecided => High

-- 
https://bugs.launchpad.net/bugs/2015664
