fix insecure mode booting

Bug #1925140 reported by Dimitri John Ledkov
Affects          Status        Importance  Assigned to  Milestone
shim (Ubuntu)    Fix Released  Undecided   Unassigned
  Xenial         Fix Released  Undecided   Unassigned
  Hirsute        Fix Released  Undecided   Unassigned

Bug Description

shim supports disabling validation using shim specific variable, whilst keeping the firmware secureboot on.

The state for it is currently parsed incorrectly on Ubuntu, and thus the error message that the machine is booting without signature verification by shim is not printed.

Please pull in fix https://github.com/rhboot/shim/pull/362/files

[Impact]

 * There is an upstream bug report that prevents booting systems when mokutil --disable-validation is set.

 * It only impacts shims that are built with the ExitBootServices check in place.

 * In Ubuntu, we build shim with the ExitBootServices check disabled, therefore we were not affected by this issue directly. But it was felt that no new shims would be signed unless this patch is included as a bugfix.

[Test Plan]

 * Boot with Secure Boot on and mokutil validation on; everything should boot.

 * Turn Secure Boot off; everything should boot.

 * Turn Secure Boot on, but turn mokutil validation off; everything should still boot.

 * Note that the above would have failed with the 15.4-0ubuntu1 shim had we not built it with ExitBootServices disabled, so this is not a regression; it is to ensure that the included bugfix is correct and doesn't regress things it claims to keep working, as otherwise no Ubuntu shims have been affected by the upstream issue in question.

[Where problems could occur]

 * The areas that could regress with this patch are validated in the Test plan.

[Other Info]

 * Anything else you think is useful to include
 * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
 * and address these questions in advance
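A userspace check for the state this bug is about (firmware Secure Boot on, but shim signature validation disabled through its MokSBState variable), as an added example that is neither part of the bug report nor of shim itself. It reads the SecureBoot and MokSBStateRT variables from efivarfs; the two GUIDs, the efivarfs 4-byte attribute prefix and the one-byte "1 means set" encoding are assumptions from the UEFI specification and shim, not taken from this page.

```python
from pathlib import Path

# GUIDs assumed, not from the bug report: the UEFI global namespace holds
# SecureBoot; shim's own "shim lock" namespace holds MokSBStateRT, the
# runtime copy shim publishes of the boot-time MokSBState setting.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFIVARS = Path("/sys/firmware/efi/efivars")


def read_efivar(name, guid, efivars=EFIVARS):
    """Return the payload of an efivarfs variable, or None when it is not set.

    efivarfs prefixes the payload with a 4-byte attribute word; strip it.
    """
    path = efivars / f"{name}-{guid}"
    try:
        raw = path.read_bytes()
    except FileNotFoundError:
        return None
    if len(raw) < 4:
        return None          # truncated file, treat as unset
    return raw[4:]


def first_byte_is_set(data):
    """Both variables encode their state as a single byte, 1 = set."""
    return bool(data) and data[0] == 1


def shim_validation_state(efivars=EFIVARS):
    """Classify the running system into one of three states:

    'sb-off'    : firmware Secure Boot is disabled
    'validated' : Secure Boot is on and shim verifies signatures
    'insecure'  : Secure Boot is on, but shim validation was disabled via
                  MokSBState (the case where shim must print its
                  insecure-mode warning at boot)
    """
    sb = read_efivar("SecureBoot", EFI_GLOBAL_GUID, efivars)
    if not first_byte_is_set(sb):
        return "sb-off"
    mok_sb = read_efivar("MokSBStateRT", SHIM_LOCK_GUID, efivars)
    if first_byte_is_set(mok_sb):
        return "insecure"
    return "validated"


if __name__ == "__main__":
    print(shim_validation_state())
```

Run it as root on a UEFI system; an "insecure" result means the machine is in exactly the configuration the third Test Plan step exercises and is worth flagging in fleet monitoring.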


Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu2

---------------
shim (15.4-0ubuntu2) hirsute; urgency=medium

  [ Balint Reczey ]
  * Fix boot on EFI 1.10 machines, for example on some MacBooks (LP: #1925010)

  [ Dimitri John Ledkov ]
  * Fix kernel warning when allocating MOK table (LP: #1925139)
  * Fix booting with shim SBState disabled (LP: #1925140)

 -- Dimitri John Ledkov <email address hidden> Tue, 20 Apr 2021 15:24:29 +0100

Changed in shim (Ubuntu):
status: New → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted shim into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed verification-needed-hirsute
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Dimitri, or anyone else affected,

Accepted shim-signed into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.47 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

description: updated
Revision history for this message
Steve Langasek (vorlon) wrote :

Based on the clarified test case, this passes.

tags: added: verification-done verification-done-hirsute
removed: verification-needed verification-needed-hirsute
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu2

---------------
shim (15.4-0ubuntu2) hirsute; urgency=medium

  [ Balint Reczey ]
  * Fix boot on EFI 1.10 machines, for example on some MacBooks (LP: #1925010)

  [ Dimitri John Ledkov ]
  * Fix kernel warning when allocating MOK table (LP: #1925139)
  * Fix booting with shim SBState disabled (LP: #1925140)

 -- Dimitri John Ledkov <email address hidden> Tue, 20 Apr 2021 15:24:29 +0100

Changed in shim (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for shim has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Dimitri, or anyone else affected,

Accepted shim into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
removed: verification-done
Revision history for this message
Julian Andres Klode (juliank) wrote :

Same binaries across all releases, so the verification on hirsute is valid elsewhere too. Either way, this regression never occurred in pre-hirsute releases :D

tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Xenial):
status: Fix Committed → Fix Released