[Bug 2004208] Re: arm64 package has hardcoded x64 references
Launchpad Bug Tracker
2004208 at bugs.launchpad.net
Thu Feb 16 10:47:58 UTC 2023
This bug was fixed in the package shim-signed - 1.54
---------------
shim-signed (1.54) kinetic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.52) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <juliank at ubuntu.com>  Tue, 31 Jan 2023 12:57:37 +0100
** Changed in: shim-signed (Ubuntu Kinetic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28737
https://bugs.launchpad.net/bugs/2004208
Title:
arm64 package has hardcoded x64 references
Status in canonical-signing-jobs:
Fix Released
Status in canonical-signing-jobs task00 series:
Fix Released
Status in canonical-signing-jobs task01 series:
Fix Released
Status in canonical-signing-jobs task02 series:
Fix Released
Status in canonical-signing-jobs task03 series:
Fix Released
Status in shim-signed package in Ubuntu:
New
Status in shim-signed source package in Bionic:
Fix Committed
Status in shim-signed source package in Focal:
Fix Committed
Status in shim-signed source package in Jammy:
Fix Committed
Status in shim-signed source package in Kinetic:
Fix Released
Bug description:
[Impact]
I couldn't figure out why the alternative wasn't being updated to the new shim after I installed a kernel installed w/ a 2022 key. Turns out it's because we hardcode shim*x64* in the kernel hook:
ubuntu at ubuntu:~$ grep x64 /etc/kernel/postinst.d/zz-shim
if update-alternatives --query shimx64.efi.signed | grep "Best: /usr/lib/shim/shimx64.efi.signed.previous" -q; then
There also seems to be a number of residual x64 references in the postinst:
ubuntu at ubuntu:~$ grep x64 /var/lib/dpkg/info/shim-signed.*
/var/lib/dpkg/info/shim-signed.postinst: for efi_arch in x64 aa64; do
/var/lib/dpkg/info/shim-signed.postinst: update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100
/var/lib/dpkg/info/shim-signed.postinst: update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50
/var/lib/dpkg/info/shim-signed.postinst: update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50
/var/lib/dpkg/info/shim-signed.postinst: update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shimx64.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100
/var/lib/dpkg/info/shim-signed.postinst: if update-alternatives --query shimx64.efi.signed | grep "Best: /usr/lib/shim/shimx64.efi.signed.previous" -q; then
[Test plan]
Install a kernel signed with 2022 key on arm64, make sure that shimaa64.efi.signed alternative points to latest
[Where problems could occur]
Added/changed code could potentially break stuff on amd64.
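The failure mode described in the report, as an added example that is not Ubuntu's zz-shim hook or the shim-signed postinst: the hook greps `update-alternatives --query` output for a `Best:` line naming `shimx64.efi.signed.previous`, so on arm64, where the shim files are `shimaa64.efi.signed.*`, the pattern never matches and the alternative is never switched. The functions below (`efi_arch_for`, `best_shim_variant`, `hook_check`, `sample_query_output`) are this example's own names, and the query output they operate on is constructed to mimic the layout of `update-alternatives --query`, not captured from a real system.

```shell
#!/bin/sh
# Added example, not Ubuntu's zz-shim hook or shim-signed postinst:
# an architecture-aware version of the "is the .previous shim still the
# best alternative?" check that the bug report shows hardcoded to x64.
# Function names are this example's own; the update-alternatives output
# used below is constructed to mimic `update-alternatives --query`.

# Map a dpkg architecture to the EFI architecture suffix shim binaries use.
efi_arch_for() {
    case "$1" in
        amd64) echo x64 ;;
        arm64) echo aa64 ;;
        *)     return 1 ;;
    esac
}

# Read `update-alternatives --query` output on stdin and report which shim
# variant is currently the best for the given EFI architecture.
# Prints "previous" when the .previous shim wins, "latest" otherwise,
# including when the pattern matches nothing at all, which is exactly how
# a pattern hardcoded to x64 misreads arm64 output.
best_shim_variant() {
    efi_arch="$1"
    if grep -q "^Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous\$"; then
        echo previous
    else
        echo latest
    fi
}

# The check a kernel postinst hook should make: derive the EFI architecture
# from the dpkg architecture instead of assuming x64. Query output on stdin.
hook_check() {
    dpkg_arch="$1"
    efi_arch=$(efi_arch_for "$dpkg_arch") || return 1
    best_shim_variant "$efi_arch"
}

# Constructed stand-in for `update-alternatives --query shim${arch}.efi.signed`
# on a system whose best alternative is the given variant (latest/previous).
sample_query_output() {
    arch="$1"
    best="$2"
    cat <<EOF
Name: shim${arch}.efi.signed
Link: /usr/lib/shim/shim${arch}.efi.signed
Status: auto
Best: /usr/lib/shim/shim${arch}.efi.signed.${best}
Value: /usr/lib/shim/shim${arch}.efi.signed.${best}

Alternative: /usr/lib/shim/shim${arch}.efi.signed.latest
Priority: 100

Alternative: /usr/lib/shim/shim${arch}.efi.signed.previous
Priority: 50
EOF
}

# Demonstration on constructed arm64 output where .previous is the best:
# the x64 pattern reports "latest" (so a hook would never switch shims),
# while the arch-aware check reports "previous".
for pat in x64 aa64; do
    printf 'pattern %s on arm64 output: %s\n' "$pat" \
        "$(sample_query_output aa64 previous | best_shim_variant "$pat")"
done
printf 'hook_check arm64: %s\n' \
    "$(sample_query_output aa64 previous | hook_check arm64)"
```

On a real machine the stdin for `hook_check` would come from `update-alternatives --query shim$(efi_arch_for "$(dpkg --print-architecture)").efi.signed`; the example keeps the query output synthetic so it runs on any host and so both the broken and the corrected pattern can be exercised against the same input.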