[Bug 1637290] [NEW] Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 shim binary from Microsoft

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Thu Oct 27 18:42:32 UTC 2016 

Public bug reported:

[Impact]
We might want to boot securely one of these days.

[Test case]
A) Upgrading
- Update to new shim, shim-signed, grub2, grub2-signed on an UEFI system.
- Verify that the new shimx64.efi file is under /boot/efi/EFI/ubuntu, along with mmx64.efi and fbx64.efi.
- Verify that /boot/efi/EFI/ubuntu/MokManager.efi no longer exists.

B) Booting normally
- Update to new shim, shim-signed, grub2, grub2-signed on an UEFI system, with Secure Boot enabled. 
- Verify it boots successfully to the login prompt.
- There should be no messages about "Verification failure" or other errors before the kernel is loaded.

B) Network boot.
- Update to shim signed and grub2 signed EFI binaries on the TFTP server used.
- Verify that a network booting system still boots normally through shim and grub, reaching a login prompt.

C) BootEntry options
- Update to new shim, shim-signed, grub2, grub2-signed on an UEFI system.
- Update or install fwupdate.
- Verify that new updates can be applied via fwupdate, that when an update is available, fwupdate will correctly start, apply the update, and reboot to shim normally, leading to a working system.

[Regression Potential]
Any failure to load the kernel from grub, or for shim to load grub, or for the system firmware to load shim (such as "Verification failure" messages) or failure to retrieve or parse BootEntry extended options (such as necessary to load MokManager or fwupdate) should be considered regressions.

** Affects: grub2 (Ubuntu)
     Importance: High
     Assignee: Mathieu Trudel-Lapierre (cyphermox)
         Status: Fix Released

** Affects: grub2-signed (Ubuntu)
     Importance: High
     Assignee: Mathieu Trudel-Lapierre (cyphermox)
         Status: Fix Released

** Affects: shim (Ubuntu)
     Importance: High
     Assignee: Mathieu Trudel-Lapierre (cyphermox)
         Status: Fix Released

** Affects: shim-signed (Ubuntu)
     Importance: High
     Assignee: Mathieu Trudel-Lapierre (cyphermox)
         Status: Fix Released

** Affects: grub2 (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: grub2-signed (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: shim (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: grub2 (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Affects: grub2-signed (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Affects: shim (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Yakkety)
     Importance: Undecided
         Status: New

** Also affects: shim-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: grub2 (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Changed in: grub2-signed (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Changed in: shim (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Changed in: shim-signed (Ubuntu)
     Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

** Changed in: grub2 (Ubuntu)
   Importance: Undecided => High

** Changed in: grub2-signed (Ubuntu)
   Importance: Undecided => High

** Changed in: shim (Ubuntu)
   Importance: Undecided => High

** Changed in: shim-signed (Ubuntu)
   Importance: Undecided => High

** Changed in: grub2 (Ubuntu)
       Status: New => In Progress

** Changed in: grub2 (Ubuntu)
       Status: In Progress => Fix Released

** Changed in: grub2-signed (Ubuntu)
       Status: New => Fix Released

** Changed in: shim (Ubuntu)
       Status: New => Fix Released

** Changed in: shim-signed (Ubuntu)
       Status: New => Fix Released

** Also affects: grub2 (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: shim (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: grub2 (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: shim (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: grub2-signed (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1637290

Title:
  Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 shim binary from
  Microsoft

Status in grub2 package in Ubuntu:
  Fix Released
Status in grub2-signed package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New
Status in grub2 source package in Yakkety:
  New
Status in grub2-signed source package in Yakkety:
  New
Status in shim source package in Yakkety:
  New
Status in shim-signed source package in Yakkety:
  New

Bug description:
  [Impact]
  We might want to boot securely one of these days.

  [Test case]
  A) Upgrading
  - Update to new shim, shim-signed, grub2, grub2-signed on an UEFI system.
  - Verify that the new shimx64.efi file is under /boot/efi/EFI/ubuntu, along with mmx64.efi and fbx64.efi.
  - Verify that /boot/efi/EFI/ubuntu/MokManager.efi no longer exists.

  B) Booting normally
  - Update to new shim, shim-signed, grub2, grub2-signed on an UEFI system, with Secure Boot enabled. 
  - Verify it boots successfully to the login prompt.
  - There should be no messages about "Verification failure" or other errors before the kernel is loaded.

  B) Network boot.
  - Update to shim signed and grub2 signed EFI binaries on the TFTP server used.
  - Verify that a network booting system still boots normally through shim and grub, reaching a login prompt.

  C) BootEntry options
  - Update to new shim, shim-signed, grub2, grub2-signed on an UEFI system.
  - Update or install fwupdate.
  - Verify that new updates can be applied via fwupdate, that when an update is available, fwupdate will correctly start, apply the update, and reboot to shim normally, leading to a working system.

  [Regression Potential]
  Any failure to load the kernel from grub, or for shim to load grub, or for the system firmware to load shim (such as "Verification failure" messages) or failure to retrieve or parse BootEntry extended options (such as necessary to load MokManager or fwupdate) should be considered regressions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1637290/+subscriptions

More information about the foundations-bugs mailing list