[Bug 2004201] Re: is-not-revoked does not handle gzip'd kernels
Launchpad Bug Tracker
2004201 at bugs.launchpad.net
Thu Feb 16 10:47:58 UTC 2023
This bug was fixed in the package shim-signed - 1.54
---------------
shim-signed (1.54) kinetic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.52) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <juliank at ubuntu.com>  Tue, 31 Jan 2023 12:57:37 +0100
** Changed in: shim-signed (Ubuntu Kinetic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-28737
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/2004201
Title:
  is-not-revoked does not handle gzip'd kernels

Status in shim-signed package in Ubuntu:
  New
Status in shim-signed source package in Bionic:
  Fix Committed
Status in shim-signed source package in Focal:
  Fix Committed
Status in shim-signed source package in Jammy:
  Fix Committed
Status in shim-signed source package in Kinetic:
  Fix Released
Bug description:
[Impact]
arm64 kernels are gzip'd by default, which currently breaks is-not-revoked:

  ubuntu@ubuntu:~$ sudo file /boot/vmlinuz-5.15.0-57-generic
  /boot/vmlinuz-5.15.0-57-generic: gzip compressed data, was "vmlinuz-5.15.0-57-generic.efi.signed", last modified: Tue Nov 29 10:47:41 2022, max compression, from Unix, original size modulo 2^32 46283136
  ubuntu@ubuntu:~$ sudo /usr/lib/shim/is-not-revoked /boot/vmlinuz-5.15.0-57-generic ~
  Invalid DOS header magic
  Can't open image /boot/vmlinuz-5.15.0-57-generic
  E: /boot/vmlinuz-5.15.0-57-generic: Could not finder signing subject, sbverify output follows:
  Invalid DOS header magic
  Can't open image /boot/vmlinuz-5.15.0-57-generic

If I decompress the vmlinuz file in place, it works:

  ubuntu@ubuntu:~$ sudo /usr/lib/shim/is-not-revoked /boot/vmlinuz-5.15.0-57-generic ~
  Invalid DOS header magic
  Can't open image /boot/vmlinuz-5.15.0-57-generic
  E: /boot/vmlinuz-5.15.0-57-generic: Could not finder signing subject, sbverify output follows:
  Invalid DOS header magic
  Can't open image /boot/vmlinuz-5.15.0-57-generic
  ubuntu@ubuntu:~$ echo $?
  1

[Test plan]
Test gzipped kernels per above.

[Where problems could occur]
Added/changed code could potentially break stuff on amd64.
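As an added illustration, not code from shim-signed or from the bug reporter, this Python sketch shows the gzip-aware image loading the fix implies: detect the gzip magic, decompress, and only then check the DOS and PE headers that sbverify was rejecting with "Invalid DOS header magic". The function names and the constructed PE-shaped blob are assumptions made for the example.

```python
import gzip
import os
import struct
import tempfile

GZIP_MAGIC = b"\x1f\x8b"

def load_efi_image(path):
    """Return raw PE/COFF bytes for a kernel image, gunzipping files like
    the arm64 vmlinuz in the report before validating the DOS/PE headers."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] == GZIP_MAGIC:          # gzip member header magic
        data = gzip.decompress(data)
    if data[:2] != b"MZ":               # IMAGE_DOS_HEADER.e_magic
        raise ValueError("Invalid DOS header magic")
    if len(data) < 0x40:
        raise ValueError("Truncated DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # PE header offset
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("Invalid PE header signature")
    return data

def make_fake_pe_image():
    """Constructed PE-shaped blob (hypothetical, not a real kernel):
    'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature at 0x80."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\0\0" + bytes(20)

def write_sample(data, compress):
    """Write constructed bytes to a temp file (gzip'd if requested)."""
    fd, path = tempfile.mkstemp(suffix=".gz" if compress else ".efi")
    with os.fdopen(fd, "wb") as fh:
        fh.write(gzip.compress(data) if compress else data)
    return path

def loads_ok(data, compress):
    """True when load_efi_image accepts the sample and returns its PE bytes."""
    path = write_sample(data, compress)
    try:
        return load_efi_image(path) == data
    except ValueError:
        return False
    finally:
        os.unlink(path)
```

Handing the returned bytes (rather than the compressed file) to sbverify is what lets the signing subject be read on arm64; the same path is a no-op for already-uncompressed amd64 images.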