diff -Nru shim-signed-1.54/debian/changelog shim-signed-1.51/debian/changelog
--- shim-signed-1.54/debian/changelog 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/changelog 2021-08-13 16:00:15.000000000 +0000
@@ -1,31 +1,3 @@
-shim-signed (1.54) kinetic; urgency=medium
-
- [ dann frazier ]
- * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
- (LP: #2004208)
- * is-not-revoked: Support vmlinux.gz files as used on arm64.
- (LP: #2004201)
-
- -- Julian Andres Klode Tue, 31 Jan 2023 12:57:37 +0100
-
-shim-signed (1.52) kinetic; urgency=medium
-
- * New upstream version 15.7 (LP: #1996503)
- - SBAT level: shim,3
- - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
- SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
- * SECURITY FIX: Buffer overflow when loading crafted EFI images.
- - CVE-2022-28737
- * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
- * Break fwupd-signed signed with old keys
- * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
- * Install both previous and latest shim as alternatives. On secure boot
- systems, if the current kernel or any newer one is revoked, the previous
- shim will continue to be used until current kernel and all newer ones
- are signed with a non-revoked key.
-
- -- Julian Andres Klode Thu, 26 Jan 2023 13:03:25 +0100
-
 shim-signed (1.51) impish; urgency=medium
 
 * Update to shim 15.4-0ubuntu9
diff -Nru shim-signed-1.54/debian/control shim-signed-1.51/debian/control
--- shim-signed-1.54/debian/control 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/control 2021-08-13 16:00:15.000000000 +0000
@@ -9,8 +9,8 @@
 Package: shim-signed
 Architecture: amd64 arm64
-Depends: ${misc:Depends}, grub-efi-amd64-signed (>= 1.191~) | grub-efi-arm64-signed (>= 1.191~) | base-files (<< 12.3), grub-efi-amd64-signed (>= 1.187.2~) | grub-efi-arm64-signed (>= 1.187.2~), grub2-common (>= 2.04-1ubuntu24), mokutil (>= 0.3.0+1538710437.fb6250f-0ubuntu2), sbsigntool
-Breaks: shim (<< 15.3), fwupd-signed (<< 1.44.1~)
+Depends: ${misc:Depends}, grub-efi-amd64-signed | grub-efi-arm64-signed, grub2-common (>= 2.04-1ubuntu24), mokutil (>= 0.3.0+1538710437.fb6250f-0ubuntu2), sbsigntool
+Breaks: shim (<< 15.3)
 Replaces: shim (<< 15.3)
 Recommends: secureboot-db
 Built-Using: shim (= ${shim:Version})
diff -Nru shim-signed-1.54/debian/kernel-postinst.d/zz-shim shim-signed-1.51/debian/kernel-postinst.d/zz-shim
--- shim-signed-1.54/debian/kernel-postinst.d/zz-shim 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/kernel-postinst.d/zz-shim 1970-01-01 00:00:00.000000000 +0000
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-efi_archs="x64 aa64"
-
-# Try to update shim alternative if pointing to previous shim
-for efi_arch in ${efi_archs}; do
- test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
- if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
- dpkg-trigger shim-kernel-check
- fi
-done
diff -Nru shim-signed-1.54/debian/shim-signed.install shim-signed-1.51/debian/shim-signed.install
--- shim-signed-1.54/debian/shim-signed.install 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/shim-signed.install 2021-08-13 16:00:15.000000000 +0000
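Review bot: The new `Depends:` line carries no version floor on `grub-efi-amd64-signed | grub-efi-arm64-signed`, so dpkg will let any signed grub sit next to this shim, and `Breaks:` now covers only `shim (<< 15.3)` with nothing on the fwupd side. Whether the shim binary shipped by this version refuses older grub or fwupd signatures is not visible in this hunk, so this may be intended; if the shim does revoke a key those packages were signed with, the version relationship here is the only place dpkg can stop an unbootable combination. Consider pinning both alternatives, `grub-efi-amd64-signed (>= X~) | grub-efi-arm64-signed (>= X~)` with X the oldest signed grub this shim is built to chain-load, and a matching `Breaks:` entry for fwupd-signed if the same applies there.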
@@ -4,11 +4,8 @@
 build/${FB_BASE} /usr/lib/shim
 build/${MM_BASE} /usr/lib/shim
 build/BOOT${EFI_ARCH}.CSV /usr/lib/shim
-build/${SHIM_BASE}.signed.latest /usr/lib/shim
-build/${SHIM_BASE}.signed.previous /usr/lib/shim
+build/${SHIM_BASE}.signed /usr/lib/shim
 build/${SHIM_BASE}.dualsigned /usr/lib/shim
 openssl.cnf /usr/lib/shim/mok
 debian/source_shim-signed.py /usr/share/apport/package-hooks/
-debian/kernel-postinst.d/zz-shim /etc/kernel/postinst.d/
 update-secureboot-policy /usr/sbin/
-is-not-revoked /usr/lib/shim
diff -Nru shim-signed-1.54/debian/shim-signed.postinst shim-signed-1.51/debian/shim-signed.postinst
--- shim-signed-1.54/debian/shim-signed.postinst 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/shim-signed.postinst 2021-08-13 16:00:15.000000000 +0000
@@ -4,76 +4,6 @@
 # Must load the confmodule for our template to be installed correctly.
 . /usr/share/debconf/confmodule
-efivars=/sys/firmware/efi/efivars
-secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
-moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
-efi_archs="x64 aa64"
-
-on_secure_boot() {
- # Validate any queued actions before we go try to do them.
- local moksbstatert=0
-
- if ! [ -d $efivars ]; then
- return 1
- fi
-
- if ! [ -f $efivars/$secureboot_var ] \
- || [ "$(od -An -t u1 $efivars/$secureboot_var | awk '{ print $NF }')" -ne 1 ]
- then
- return 1
- fi
-
- if [ -f /proc/sys/kernel/moksbstate_disabled ]; then
- moksbstatert=$(cat /proc/sys/kernel/moksbstate_disabled 2>/dev/null || echo 0)
- elif [ -f $efivars/$moksbstatert_var ]; then
- # MokSBStateRT set to 1 means validation is disabled
- moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
- awk '{ print $NF; }')
- fi
-
- if [ $moksbstatert -eq 1 ]; then
- return 1
- fi
-
- return 0
-}
-
-# Check that our current kernel and every newer one has not been revoked
-find_revoked() {
- uname_r="$(uname -r)"
- exit=1
- for kernel in $(ls -1 /boot/vmlinuz-* | sort -V -r); do
- # no kernels :(
- if [ "$kernel" = "/boot/vmlinuz-*" ]; then
- break
- fi
- this_uname_r="$(echo "$kernel" | sed -r 's#^/boot/vmlinuz-(.*)#\1#; s#\.efi\.signed$##')"
- if dpkg --compare-versions "$this_uname_r" lt "$uname_r"; then
- continue
- fi
- if [ -e "$kernel.efi.signed" ]; then
- continue
- fi
- if ! /usr/lib/shim/is-not-revoked "$kernel"; then
- exit=0
- fi
- done
- return $exit
-}
-
-setup_alternatives() {
- for efi_arch in ${efi_archs}; do
- test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
- if ! on_secure_boot || ! find_revoked; then
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 100
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 50
- else
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.latest 50
- update-alternatives --install /usr/lib/shim/shim${efi_arch}.efi.signed shim${efi_arch}.efi.signed /usr/lib/shim/shim${efi_arch}.efi.signed.previous 100
- fi
- done
-}
-
 config_item () {
 if [ -f /etc/default/grub ]; then
@@ -124,35 +54,13 @@
 grubarch=arm64-efi
 ;;
 esac
-case "$1:$2" in
- triggered:shim-secureboot-policy)
+case $1 in
+ triggered)
 if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then
 SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
 fi
 ;;
- triggered:shim-kernel-check)
- setup_alternatives
- # If we did not switch to the latest shim, do not reinstall shim and grub.
- for efi_arch in ${efi_archs}; do
- test -e /usr/lib/shim/shim${efi_arch}.efi.signed.latest || continue
- if update-alternatives --query shim${efi_arch}.efi.signed | grep "Best: /usr/lib/shim/shim${efi_arch}.efi.signed.previous" -q; then
- exit 0
- fi
- done
- bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
- cut -d' ' -f1)"
- case $bootloader_id in
- kubuntu) bootloader_id=ubuntu ;;
- esac
- # Check /boot/grub to see if we previously installed to an ESP. We don't
- # want to trigger the install code just by installing the package,
- # normally the installer installs grub itself first.
- if [ -e /boot/grub/${grubarch}/core.efi ]; then
- /usr/lib/grub/grub-multi-install --target=${grubarch} --auto-nvram
- fi
- ;;
- configure:*)
- setup_alternatives
+ configure)
 bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
 cut -d' ' -f1)"
 case $bootloader_id in
diff -Nru shim-signed-1.54/debian/shim-signed.triggers shim-signed-1.51/debian/shim-signed.triggers
--- shim-signed-1.54/debian/shim-signed.triggers 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/shim-signed.triggers 2021-08-13 16:00:15.000000000 +0000
@@ -1,2 +1 @@
 interest-noawait shim-secureboot-policy
-interest-noawait shim-kernel-check
diff -Nru shim-signed-1.54/debian/tests/control shim-signed-1.51/debian/tests/control
--- shim-signed-1.54/debian/tests/control 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/tests/control 1970-01-01 00:00:00.000000000 +0000
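Review bot: The `triggered)` arm dispatches on `$1` alone and ignores the trigger name dpkg passes in `$2`, so every trigger this package ever registers an interest in will run `update-secureboot-policy --enroll-key`; with only `shim-secureboot-policy` in `debian/shim-signed.triggers` this is harmless today, but a second `interest-*` line added later would enrol the MOK on an unrelated trigger without any change here. Matching the name keeps the arm self-describing: `case "$1:$2" in`, `triggered:shim-secureboot-policy)` and `configure:*)` for the other arm (bearing in mind `$2` can list several pending trigger names, so a glob may be needed if more interests are added). The `configure)` arm continues past the end of the hunk.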
@@ -1,3 +0,0 @@
-Tests: test-is-not-revoked
-Restrictions: allow-stderr, needs-root
-Depends: shim-signed, grub-efi-amd64-signed | grub-efi-arm64-signed, fwupd-signed, sbsigntool
diff -Nru shim-signed-1.54/debian/tests/test-is-not-revoked shim-signed-1.51/debian/tests/test-is-not-revoked
--- shim-signed-1.54/debian/tests/test-is-not-revoked 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/debian/tests/test-is-not-revoked 1970-01-01 00:00:00.000000000 +0000
@@ -1,6 +0,0 @@
-#!/bin/sh
-exec /usr/lib/shim/is-not-revoked \
- /usr/lib/grub/*-signed/*.signed \
- /usr/libexec/fwupd/efi/*.efi.signed \
- /usr/lib/shim/fb*.efi \
- /usr/lib/shim/mm*.efi
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/external-shimaa64.efi and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/external-shimaa64.efi differ
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/external-shimaa64.efi.previous and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/external-shimaa64.efi.previous differ
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/external-shimx64.efi and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/external-shimx64.efi differ
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/external-shimx64.efi.previous and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/external-shimx64.efi.previous differ
diff -Nru shim-signed-1.54/is-not-revoked shim-signed-1.51/is-not-revoked
--- shim-signed-1.54/is-not-revoked 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/is-not-revoked 1970-01-01 00:00:00.000000000 +0000
@@ -1,70 +0,0 @@
-#!/bin/bash
-set -e
-# we need to set lastpipe so we can read the signers into the signers array below
-shopt -s lastpipe
-
-exit=0
-
-quiet=""
-if [ "$1" = "-q" ]; then
- quiet=true
- shift
-fi
-
-compress_type() {
- local file="$1"
- magic="$(od -x -N2 "$file" | head -1 | cut -d' ' -f2)"
- case $magic in
- 8b1f)
- echo "gzip"
- ;;
- *)
- echo "none"
- ;;
- esac
-}
-
-for signed_binary in "$@"; do
- if [ ! -e "$signed_binary" ]; then
- echo "E: $signed_binary: file not found">&2
- exit=1
- continue
- fi
-
- if [ "$(compress_type "$signed_binary")" = "gzip" ]; then
- _signed_binary="$(mktemp)"
- trap 'rm -f "$_signed_binary"' EXIT
- gunzip < "$signed_binary" > "$_signed_binary"
- else
- _signed_binary="$signed_binary"
- fi
- sbverify --list "$_signed_binary" | grep subject: | grep -E -o "CN=([^/]|\\/)*" | readarray -t signers
- if [ -z "$signers" ]; then
- echo "E: $signed_binary: Could not find signing subject, sbverify output follows:">&2
- sbverify --list "$_signed_binary" >&2
- exit=1
- continue
- fi
-
- for signer in "${signers[@]}"; do
- revoked=$(grep -xF "$signer" << EOF
-CN=Canonical Ltd. Secure Boot Signing
-CN=Canonical Ltd. Secure Boot Signing (2017)
-CN=Canonical Ltd. Secure Boot Signing (ESM 2018)
-CN=Canonical Ltd. Secure Boot Signing (2019)
-CN=Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
-CN=Canonical Ltd. Secure Boot Signing (2021 v1)
-CN=Canonical Ltd. Secure Boot Signing (2021 v2)
-CN=Canonical Ltd. Secure Boot Signing (2021 v3)
-EOF
- ) || true
-
- if [ "$revoked" ]; then
- if [ -z "$quiet" ]; then
- echo "E: $signed_binary: revoked key $revoked used">&2
- fi
- exit=1
- fi
- done
-done
-exit $exit
diff -Nru shim-signed-1.54/Makefile shim-signed-1.51/Makefile
--- shim-signed-1.54/Makefile 2023-01-31 11:57:37.000000000 +0000
+++ shim-signed-1.51/Makefile 2021-08-13 16:00:15.000000000 +0000
@@ -14,9 +14,8 @@
 sbattach --attach external-$(EFI_ARCH_LOWER).p7c $(SHIM_VERSION)/$(SHIM_BASE).signed
 # Copy external & dualsigned shims
- cp $(SHIM_VERSION)/$(SHIM_BASE) build/$(SHIM_BASE).signed.latest
+ cp $(SHIM_VERSION)/$(SHIM_BASE) build/$(SHIM_BASE).signed
 cp $(SHIM_VERSION)/$(SHIM_BASE).signed build/$(SHIM_BASE).dualsigned
- cp external-shim$(EFI_ARCH_LOWER).efi.previous build/$(SHIM_BASE).signed.previous
 # Move archive signed fb*.efi & mm*.efi
 mv $(SHIM_VERSION)/$(FB_BASE).signed build/$(FB_BASE)
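Review bot: The two `cp` lines are easy to misread: the unsuffixed `$(SHIM_VERSION)/$(SHIM_BASE)` becomes `build/$(SHIM_BASE).signed`, while `$(SHIM_VERSION)/$(SHIM_BASE).signed`, the file the `sbattach --attach` line just added the external signature to, becomes `.dualsigned`. The `cmp external-shim$(EFI_ARCH_LOWER).efi build/$(SHIM_BASE).signed` in the `check` target suggests the unsuffixed input is the externally signed binary, but nothing in this hunk says so. A comment above the first `cp` would save the next reader a trip through `check`, e.g. `# $(SHIM_BASE) is presumably the externally signed shim (check cmp's it against external-shim*.efi); $(SHIM_BASE).signed has the archive signature plus the attached external one`; the recipe these lines belong to starts above the hunk.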
@@ -27,16 +26,13 @@
 check:
 # Verify all signatures
- sbverify --verbose --cert external.pem build/$(SHIM_BASE).signed.latest
- sbverify --verbose --cert external.pem build/$(SHIM_BASE).signed.previous
+ sbverify --verbose --cert external.pem build/$(SHIM_BASE).signed
 sbverify --verbose --cert external.pem build/$(SHIM_BASE).dualsigned
 sbverify --verbose --cert $(SHIM_VERSION)/control/uefi.crt build/$(SHIM_BASE).dualsigned
 sbverify --verbose --cert $(SHIM_VERSION)/control/uefi.crt build/$(FB_BASE)
 sbverify --verbose --cert $(SHIM_VERSION)/control/uefi.crt build/$(MM_BASE)
 # verify sbattach binary output matches the externally-signed binary
- cmp external-shim$(EFI_ARCH_LOWER).efi build/$(SHIM_BASE).signed.latest
- # Check that we are not signed with revoked keys
- ./is-not-revoked build/$(FB_BASE) build/$(MM_BASE) build/$(SHIM_BASE).dualsigned
+ cmp external-shim$(EFI_ARCH_LOWER).efi build/$(SHIM_BASE).signed
 clean:
 rm -rf build $(SHIM_VERSION) external-$(EFI_ARCH_LOWER).p7c
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/microsoft-shimaa64.efi and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/microsoft-shimaa64.efi differ
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/microsoft-shimaa64.efi.previous and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/microsoft-shimaa64.efi.previous differ
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/microsoft-shimx64.efi and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/microsoft-shimx64.efi differ
Binary files /tmp/tmppcx7rmm4/_gsFIS141P/shim-signed-1.54/microsoft-shimx64.efi.previous and /tmp/tmppcx7rmm4/5BXZpgMpRE/shim-signed-1.51/microsoft-shimx64.efi.previous differ
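Review bot: `check:` and `clean:` are command targets, but no `.PHONY:` declaration is visible in this hunk; if none exists above line 27, a stray file named `check` in the source tree makes `make check` report nothing to do and silently skips every `sbverify` and `cmp`, which is the wrong failure mode for the step that proves the shipped shim carries the expected signatures. Add `.PHONY: check clean` next to the targets, or confirm it is declared elsewhere in the file. The `clean` recipe also expands `$(SHIM_VERSION)` unguarded; an empty value only yields `rm -rf build  external-.p7c` here, but a first recipe line of `$(if $(strip $(SHIM_VERSION)),,$(error SHIM_VERSION is empty))` would make the assumption explicit.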