[Bug 1987541] Re: shim executes GRUB w/ dirty instruction cache on arm64

Launchpad Bug Tracker 1987541 at bugs.launchpad.net
Tue Mar 14 15:15:15 UTC 2023 

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <juliank at ubuntu.com>  Fri, 18 Nov 2022 16:00:39
+0100

** Changed in: shim (Ubuntu Focal)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1987541

Title:
  shim executes GRUB w/ dirty instruction cache on arm64

Status in shim package in Ubuntu:
  Fix Released
Status in shim source package in Bionic:
  Fix Committed
Status in shim source package in Focal:
  Fix Released
Status in shim source package in Jammy:
  Fix Released
Status in shim source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  On arm64 platforms, GRUB may occasionally crash after being executed by shim. We're seeing it on the order of 1/100 boots.

  [Test Case]
  Put an arm64 server in a reboot loop. We're seeing this w/ a Cortex A72-based system (Nvidia Bluefield).

  [Fix]
  https://github.com/rhboot/shim/commit/5c537b3d0cf8c393dad2e61d49aade68f3af1401

  [What could go wrong]
  The only negative here would seem to be the performance impact of flushing the cache, which is unlikely to be noticeable.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1987541/+subscriptions

More information about the foundations-bugs mailing list