[SRU] nullboot

Bug #1968152 reported by Julian Andres Klode
Affects: nullboot (Ubuntu), Focal
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

[Impact]
nullboot is needed for cloud enablement; it will be used to boot Azure CVM, and linux-azure-fde will depend on it.

[Test plan]
We need the package in the archive so we can build the images, so we can't really do much testing of the package while it sits in proposed, but we tested it in a PPA.

[Where problems could occur]
This is a new package; it won't cause regressions. It can fail to build or fail to work fully, but that's annoying, not a problem.

Changed in nullboot (Ubuntu):
status: New → Invalid
Changed in nullboot (Ubuntu Focal):
importance: Undecided → High
status: New → Triaged
description: updated
Changed in nullboot (Ubuntu Focal):
status: Triaged → In Progress
no longer affects: nullboot (Ubuntu)
Łukasz Zemczak (sil2100) wrote :

I have talked with Julian about the backported version missing in jammy (only being in kinetic), but it seems that nullboot has no use in jammy or kinetic - it's only to be used for focal. So let's accept it into focal for now as-is.

That being said, I'm wondering whether someone in the community might be using this for their own purposes?

Changed in nullboot (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted nullboot into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nullboot/0.4.0-0ubuntu0.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Gauthier Jolly (gjolly) wrote :

The following logs show that:
 - I installed nullboot from -proposed (actually I built a new image and included nullboot from -proposed)
 - I reinstalled the kernel to make sure the PCR profile was re-calculated as expected
 - I also checked the -no-tpm and -output-json flags that are used during the build process
 - after this (not in the logs) I rebooted the VM and made sure the rootfs was correctly decrypted

---

$ apt-cache policy nullboot
nullboot:
  Installed: 0.4.0-0ubuntu0.20.04.1
  Candidate: 0.4.0-0ubuntu0.20.04.1
  Version table:
 *** 0.4.0-0ubuntu0.20.04.1 500
        500 http://azure.archive.ubuntu.com/ubuntu focal-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status

# apt-get install --reinstall linux-image-5.4.0-1083-azure-fde
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 22 not upgraded.
Need to get 34.0 MB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://azure.archive.ubuntu.com/ubuntu focal-updates/main amd64 linux-image-5.4.0-1083-azure-fde amd64 5.4.0-1083.87+cvm1.1 [34.0 MB]
Fetched 34.0 MB in 40s (845 kB/s)
(Reading database ... 57935 files and directories currently installed.)
Preparing to unpack .../linux-image-5.4.0-1083-azure-fde_5.4.0-1083.87+cvm1.1_amd64.deb ...
Unpacking linux-image-5.4.0-1083-azure-fde (5.4.0-1083.87+cvm1.1) over (5.4.0-1083.87+cvm1.1) ...
Setting up linux-image-5.4.0-1083-azure-fde (5.4.0-1083.87+cvm1.1) ...
Processing triggers for nullboot (0.4.0-0ubuntu0.20.04.1) ...
2022/06/10 09:44:37 Computed PCR profile:
 AddPCRValue(TPM_ALG_SHA256, 4, 0000000000000000000000000000000000000000000000000000000000000000)
 ExtendPCR(TPM_ALG_SHA256, 4, 3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba)
 ExtendPCR(TPM_ALG_SHA256, 4, df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119)
 AddProfileOR(
   Branch 0 {
    ExtendPCR(TPM_ALG_SHA256, 4, dbffd70a2c43fd2c1931f18b8f8c08c5181db15f996f747dfed34def52fad036)
    AddProfileOR(
      Branch 0 {
       ExtendPCR(TPM_ALG_SHA256, 4, 40c12dd328af3c15a5720cf14eca0fd28cc8ac634e177f441d86aadd2e61604e)
      }
      Branch 1 {
       ExtendPCR(TPM_ALG_SHA256, 4, 40c12dd328af3c15a5720cf14eca0fd28cc8ac634e177f441d86aadd2e61604e)
      }
    )
   }
   Branch 1 {
    ExtendPCR(TPM_ALG_SHA256, 4, dbffd70a2c43fd2c1931f18b8f8c08c5181db15f996f747dfed34def52fad036)
    AddProfileOR(
      Branch 0 {
       ExtendPCR(TPM_ALG_SHA256, 4, 40c12dd328af3c15a5720cf14eca0fd28cc8ac634e177f441d86aadd2e61604e)
      }
      Branch 1 {
       ExtendPCR(TPM_ALG_SHA256, 4, 40c12dd328af3c15a5720cf14eca0fd28cc8ac634e177f441d86aadd2e61604e)
      }
    )
   }
 )
 AddPCRValue(TPM_ALG_SHA256, 7, 0000000000000000000000000000000000000000000000000000000000000000)
 AddProfileOR(
   Branch 0 {
    AddProfileOR(
      Branch 0 {
       ExtendPCR(TPM_ALG_SHA256, 7, ccfc4bb32888a345bc8aeadaba552b627d99348c767681ab3141f5b01e40a40e)
       ExtendPCR(TPM_ALG_SHA256, 7, 9af72c68c7de19603879020c14f88...

tags: added: verification-done-focal
removed: verification-needed-focal
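
How the PCR 4 section of the profile logged in the comment above resolves to concrete PCR values, as an added example that is not part of the bug report or of nullboot's code. It assumes the usual reading of the three operations (AddPCRValue sets the PCR, ExtendPCR computes SHA-256 over the old value followed by the digest, AddProfileOR accepts any of its branches); the tuple encoding and the names evaluate, INNER and PCR4 are made up for the illustration.

```python
import hashlib

ZERO = "00" * 32  # the all-zero value passed to AddPCRValue in the log
# Digests copied from the PCR 4 lines of the log, in order of appearance.
E1 = "3d6772b4f84ed47595d72a2c4c5ffd15f5bb72c7507fe26f2aaee2c69d5633ba"
E2 = "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119"
E3 = "dbffd70a2c43fd2c1931f18b8f8c08c5181db15f996f747dfed34def52fad036"
E4 = "40c12dd328af3c15a5720cf14eca0fd28cc8ac634e177f441d86aadd2e61604e"


def evaluate(ops, states=frozenset()):
    """Return the set of PCR values a (nested) list of operations can reach."""
    for op, arg in ops:
        if op == "set":        # AddPCRValue: start from a fixed value
            states = {bytes.fromhex(arg)}
        elif op == "extend":   # ExtendPCR: new = SHA-256(old || digest)
            states = {hashlib.sha256(s + bytes.fromhex(arg)).digest()
                      for s in states}
        elif op == "or":       # AddProfileOR: any branch is acceptable
            states = set().union(*(evaluate(b, states) for b in arg))
        else:
            raise ValueError(f"unknown operation {op!r}")
    return set(states)


# Hypothetical tuple encoding of the PCR 4 section of the logged profile.
INNER = ("or", [[("extend", E4)], [("extend", E4)]])
PCR4 = [
    ("set", ZERO),
    ("extend", E1),
    ("extend", E2),
    ("or", [[("extend", E3), INNER], [("extend", E3), INNER]]),
]

if __name__ == "__main__":
    for value in sorted(evaluate(PCR4)):
        print("acceptable PCR 4 value:", value.hex())
```

Because the branches in the logged PCR 4 section carry identical digests, the four paths collapse to a single acceptable value; branches with different digests would each contribute their own.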
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nullboot - 0.4.0-0ubuntu0.20.04.1

---------------
nullboot (0.4.0-0ubuntu0.20.04.1) focal; urgency=medium

  * Feature:
    - Support for an -output-json option to dump efi boot variables to
      a JSON file
  * Bug fixes:
    - Handle missing BootOrder variable correctly

nullboot (0.3.0-0ubuntu0.20.04.1) focal; urgency=medium

  * Backport to focal (LP: #1968152)
    - Build with golang-1.16
    - Point debian-branch to ubuntu/focal
   * Bug fix:
     - Correctly handle deletion of boot entries
   * Misc:
     - Update dependencies to latest versions
   * GitHub:
     - Configure dependabot
     - Configure CodeQL
   * Packaging:
     - debian/copyright: Add GPL-3 common-licenses reference

nullboot (0.2.2-0ubuntu1) jammy; urgency=medium

  * shim: fallback: Terminate optional data (kernel) with space

nullboot (0.2.1-0ubuntu1) jammy; urgency=medium

  * Initial upload to main archive
  * Add missing continue for invalid EV_EFI_BOOT_SERVICES_APPLICATION

nullboot (0.2.0-0ubuntu0.20.04~ppa1) focal; urgency=medium

  * Use /boot/efi as the ESP location once again
  * Add -no-tpm and -no-efivars flags
  * Atomically update the BOOT.CSV file
  * postinst: Only run nullbootctl if BOOT.CSV exists already
  * postinst: Add missing debhelper token

nullboot (0.1.1-0ubuntu0.20.04~ppa2) focal; urgency=medium

  [ Chris Coulson ]
  * Trust boot assets used in the current boot

nullboot (0.1.0-0ubuntu0.20.04~ppa2) focal; urgency=medium

  * triggers: Update to new path

nullboot (0.1.0-0ubuntu0.20.04~ppa1) focal; urgency=medium

  * First release with resealing

nullboot (0.0.1-0ubuntu0.20.04~ppa1) focal; urgency=medium

  * Initial release

 -- Julian Andres Klode <email address hidden> Wed, 18 May 2022 16:09:13 +0200

Changed in nullboot (Ubuntu Focal):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for nullboot has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
