shim: set second stage not work

Bug #1581299 reported by Ivan Hu
Affects                  Status        Importance  Assigned to               Milestone
shim (Ubuntu)            Fix Released  High        Mathieu Trudel-Lapierre
  Trusty                 Fix Released  Undecided   Unassigned
  Xenial                 Fix Released  Undecided   Unassigned
shim-signed (Ubuntu)     Fix Released  High        Mathieu Trudel-Lapierre
  Trusty                 Fix Released  Undecided   Unassigned
  Xenial                 Fix Released  Undecided   Unassigned
  Yakkety                Fix Released  Undecided   Unassigned

Bug Description

[Impact]
Some firmwares may fail to populate LoadOptions in EFI in a way that shim understands, including only the extra options rather than the full BootEntry.

[Test case]
Attempt to boot a system on a BootEntry that requires extra options, such as when running firmware updates via fwupdate.

[Regression Potential]
The information passed by some firmwares may look as though it is a simple UCS-2 string although it contains extra information, and thus cause a failure to boot due to unrecognized LoadOptions when shim attempts to boot. The default boot process does not include LoadOptions at all, but this may adversely affect fwupdate or running MokManager.

----

Using applications such as fwupdate and efibootmgr to set the device path for the second stage is not working on some platforms.
Setting the second stage has not worked since commit
3322257e611e2000f79726d295bb4845bbe449e7 on https://github.com/rhinstaller/shim
for those whose load option has only one string.

This is due to some versions of BDS; in the load option we only get:
00000000 5c 00 66 00 77 00 75 00 70 00 78 00 36 00 34 00 |\.f.w.u.p.x.6.4.|
00000010 2e 00 65 00 66 00 69 00 00 00 |..e.f.i...|
0000001a
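The two LoadOptions shapes the description contrasts, as an added example that is not shim's code: a parser that accepts both a full EFI_LOAD_OPTION and the bare UCS-2 string that some BDS implementations pass (byte-for-byte the 26-byte hexdump above), extracts the second-stage path from either, and renders bytes the way efibootmgr -v prints them. The bare-string detection heuristic and the constructed sample buffers are this example's own assumptions, not shim's logic.

```python
"""Parse EFI LoadOptions in both shapes shim may receive (added example, not shim's code)."""
import struct

LOAD_OPTION_HDR = struct.Struct("<IH")    # Attributes (UINT32), FilePathListLength (UINT16)
END_OF_DEVICE_PATH = b"\x7f\xff\x04\x00"  # End-Entire device path node (Type 0x7F, SubType 0xFF)


def read_ucs2(buf, off=0):
    """Read one NUL-terminated UCS-2LE string at off; return (text, offset past the NUL)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated UCS-2 string")
    return buf[off:end].decode("utf-16-le"), end + 2


def is_bare_ucs2(buf):
    """Heuristic (this example's, not shim's): the whole buffer is one printable,
    NUL-terminated UCS-2 string, like the one-string BDS case in the bug's hexdump.
    A full EFI_LOAD_OPTION never matches: its leading 4-byte Attributes field
    decodes to a non-printable character and the string ends long before the buffer."""
    try:
        text, nxt = read_ucs2(buf)
    except ValueError:
        return False
    return bool(text) and nxt == len(buf) and all(0x20 <= ord(c) < 0x7F for c in text)


def parse_load_option(buf):
    """Split a full EFI_LOAD_OPTION (UEFI spec layout) into its fields."""
    attributes, fp_len = LOAD_OPTION_HDR.unpack_from(buf, 0)
    description, off = read_ucs2(buf, LOAD_OPTION_HDR.size)
    file_path_list = buf[off:off + fp_len]
    if len(file_path_list) != fp_len or not file_path_list.endswith(END_OF_DEVICE_PATH):
        raise ValueError("FilePathList truncated or missing end node")
    return {"attributes": attributes, "description": description,
            "file_path_list": file_path_list, "optional_data": buf[off + fp_len:]}


def second_stage_path(load_options):
    """Return the second-stage path carried by LoadOptions, or None for the default loader.
    Accepts both the full structure (path in OptionalData) and the bare-string form."""
    if not load_options:
        return None
    if is_bare_ucs2(load_options):
        return read_ucs2(load_options)[0]
    opt = parse_load_option(load_options)["optional_data"]
    if len(opt) < 4 or len(opt) % 2:   # too short for one char plus NUL, or not UCS-2 at all
        return None
    return read_ucs2(opt)[0] or None


def efibootmgr_style(data):
    """Render bytes the way efibootmgr -v prints them: printable ASCII kept, anything else '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


def file_path_node(path):
    """Build a Media/File-Path device path node (Type 4, SubType 4) for a UCS-2 path."""
    data = path.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<BBH", 4, 4, 4 + len(data)) + data


# Constructed sample inputs. BARE is byte-for-byte the 26-byte hexdump from the bug report;
# FULL is a well-formed EFI_LOAD_OPTION whose OptionalData carries the same string.
BARE = "\\fwupx64.efi".encode("utf-16-le") + b"\x00\x00"
FP_LIST = file_path_node("\\EFI\\ubuntu\\shimx64.efi") + END_OF_DEVICE_PATH
FULL = (LOAD_OPTION_HDR.pack(1, len(FP_LIST))
        + "Linux-Firmware-Updater".encode("utf-16-le") + b"\x00\x00" + FP_LIST + BARE)

if __name__ == "__main__":
    for name, buf in (("bare", BARE), ("full", FULL)):
        print(f"{name}: {len(buf)} bytes -> {second_stage_path(buf)!r} | {efibootmgr_style(buf[-26:])}")
```

The rendered tail of FULL's OptionalData is the same `\.f.w.u.p.x.6.4...e.f.i...` that efibootmgr -v shows for Boot0007 further down in this report.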

Ivan Hu (ivan.hu) wrote :

Sent out a patch fixing the set second stage function for the load option.

And it has been accepted on https://github.com/rhinstaller/shim

Changed in shim (Ubuntu):
status: New → Fix Committed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-shim-dealing-with-only-one-string-on-loadoption.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in shim (Ubuntu):
status: Fix Committed → Triaged
importance: Undecided → High
tags: added: rls-y-incoming
Mathieu Trudel-Lapierre (cyphermox) wrote :

We don't use a shim version that currently carries this commit; why are you using a new shim? Is there another issue for which you require a patch?

Please include the full output of 'efibootmgr -v' on an affected system so we can make sure that the boot entry is correctly configured to do the firmware updates.

Changed in shim (Ubuntu):
status: Triaged → Incomplete
Ivan Hu (ivan.hu) wrote :

Here is the efibootmgr -v for your request.

BootNext: 0007
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0001,0000,0002,0003,0004
Boot0000* UEFI Internal Shell FvVol(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(7c04a583-9e3e-4f1c-ad65-e05268d0b4d1)
Boot0001* Enter Setup FvVol(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(462caa21-7614-4503-836e-8ab6f4662331)
Boot0002 Boot Device List FvVol(cdbb7b35-6833-4ed6-9ab2-57d2acddf6f0)/FvFile(eec25bdc-67f2-4d95-b1d5-f81b2039d11d)
Boot0003* UEFI ATAPI iHAS124 E 3524665 228416501444 PciRoot(0x0)/Pci(0x1f,0x2)/Sata(2,0,0)N.....YM....R,Y.
Boot0004* UEFI ST500DM002-1BD142 Z3THAL0R PciRoot(0x0)/Pci(0x1f,0x2)/Sata(3,0,0)N.....YM....R,Y.
Boot0005* UEFI SanDisk Ultra 4C530001310121113460 PciRoot(0x0)/Pci(0x1d,0x0)/USB(0,0)/USB(4,0)N.....YM....R,Y.
Boot0006* ubuntu HD(1,GPT,cae6aec2-f305-4006-95b0-8063f692a715,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0007* Linux-Firmware-Updater \fwupx64.efi HD(1,GPT,cae6aec2-f305-4006-95b0-8063f692a715,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)\.f.w.u.p.x.6.4...e.f.i...

Actually, this patch fixes commit 3322257e611e2000f79726d295bb4845bbe449e7, which won't work for those whose load option has only one string.
You can simply build an EFI application, such as hello.efi, and set BootNext to it as
Boot0008* test HD(1,GPT,cae6aec2-f305-4006-95b0-8063f692a715,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)\.h.e.l.l.o...e.f.i...
then check whether hello.efi is run on the next boot, to make sure shim works properly or not.

Changed in shim (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Peter Zhang - Lenovo (zhangfp1) wrote :

Hello Canonical friends,

May we know who can help to push Microsoft to expedite the signing process?
Two more months have passed since the fix was available on May 13th in comment #1.
Thanks for your support.

Changed in shim-signed (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 0.9+1465500757.14a5905-0ubuntu1

---------------
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
  * Refreshed patches.
    - Remaining patches:
      + second-stage-path
      + sbsigntool-not-pesign
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Jul 2016 16:48:32 -0400

Changed in shim (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.20

---------------
shim-signed (1.20) yakkety; urgency=medium

  * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
    (LP: #1581299)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 08 Aug 2016 11:14:21 -0400

Changed in shim-signed (Ubuntu):
status: In Progress → Fix Released
Anthony Wong (anthonywong) wrote :

Mathieu, I think this affects Xenial too. Given that Xenial is LTS, can we fix it with SRU as well?

Steve Langasek (vorlon) wrote : Re: [Bug 1581299] Re: shim: set second stage not work

On Tue, Aug 09, 2016 at 04:10:51AM -0000, Anthony Wong wrote:
> Mathieu, I think this affects Xenial too. Given that Xenial is LTS, can
> we fix it with SRU as well?

Yes. We only have one active signed shim.efi binary at a time - this one
will be binary-copied back from yakkety to all supported releases.

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Ivan, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.21.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed
Mathieu Trudel-Lapierre (cyphermox) wrote :

Ivan, Anthony, could you please verify that this is fixed with the updated packages in yakkety-proposed?

Thanks!

Ivan Hu (ivan.hu) wrote :

Verified shim-signed 1.21.4 with yakkety-proposed; it fixes the second stage issue of shim.

tags: added: verification-done
removed: verification-needed
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.21.4~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
description: updated
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.21.4~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
Mathieu Trudel-Lapierre (cyphermox) wrote :

Ivan has already verified that shim-signed 1.21.4 is good on yakkety-proposed. Given that it's the exact same binary in other distros, we can say it's verified everywhere (the binaries are copied around, not rebuilt).

tags: added: verification-done-yakkety
tags: added: verification-done-trusty verification-done-xenial
removed: verification-needed
Ivan Hu (ivan.hu) wrote :

Verified shim-signed 1.21.4 with xenial-proposed and trusty-proposed; they fix the second stage issue of shim.

Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.27~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.27~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Ivan Hu (ivan.hu) wrote :

Verified shim-signed 1.27 with yakkety-proposed and xenial-proposed; it works fine for the second stage of shim.

Steve Langasek (vorlon)
tags: added: verification-done
removed: verification-done-trusty verification-done-xenial verification-done-yakkety verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.27~16.10.1

---------------
shim-signed (1.27~16.10.1) yakkety; urgency=medium

  * Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.10. (LP: #1637290)

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of ending
      up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request to
      --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode. (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed to
    install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
    (LP: #1581299)
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
    since it's being replaced by mm$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 23 Mar 2017 16:58:44 -0400

Changed in shim-signed (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.27~16.04.1

---------------
shim-signed (1.27~16.04.1) xenial; urgency=medium

  * Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.04. (LP: #1637290)

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of ending
      up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request to
      --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode. (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed to
    install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
    (LP: #1581299)
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
    since it's being replaced by mm$arch.efi.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 23 Mar 2017 16:58:44 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of shim-signed to trusty-proposed has been rejected from the upload queue for the following reason: "needs adjusted versioned dep on grub2-common; drop ref to LP: #1624096 from changelog".

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Ivan, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed verification-needed-trusty
removed: verification-done
Steve Langasek (vorlon) wrote :

Hello Ivan, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification done for trusty: I've used shim-signed 1.32~14.04.2. The correct shim is installed and it behaves correctly with firmware updates and other BootEntries requiring extra options. I used a new bootentry to boot straight to mmx64.efi (MokManager), which worked correctly.

tags: added: verification-done-trusty
removed: verification-needed verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~14.04.2

---------------
shim-signed (1.32~14.04.2) trusty; urgency=medium

  * Backport shim-signed 1.32 to 14.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP #1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they haven't changed (i.e. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

shim-signed (1.28) zesty; urgency=medium

  * Adjust apport hook to include key files that tell us about the system's
    current SB state. LP: #1680279.

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of ending
      up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request to
      --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode. (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed to
    install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
    since it's being replaced by mm$arch.efi.

shim-signed (1.21.3) vivid; urgency=medium

  * No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3.

shim-signed (1.21.2) vivid; urgency=medium

  * Revert to signed shim from 0.8-0ubuntu2.
    - shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily.

shim-signed (1.20) yakkety; urgency=medium

  * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
    (LP: #1581299)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 20:29:28 -0400

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
no longer affects: shim-signed (Ubuntu Xenial)
no longer affects: shim-signed (Ubuntu Trusty)
Changed in shim (Ubuntu Trusty):
status: New → Fix Released
Changed in shim (Ubuntu Xenial):
status: New → Fix Released
Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Released
Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Released