[Bug 1921134] Re: SBAT shim 15.4 release

Launchpad Bug Tracker 1921134 at bugs.launchpad.net
Tue Apr 13 22:26:14 UTC 2021 

This bug was fixed in the package shim - 15.4-0ubuntu1

---------------
shim (15.4-0ubuntu1) hirsute; urgency=medium

  [ Dimitri John Ledkov ]
  * New upstream release 15.4 LP: #1921134
    - Update the commit hash in debian/rules
  * debian/rules: add request to sign EFI binaries with archive signing key.
  * debian/rules: stop using ENABLE_SHIM_CERT=1.
  * debian/rules: add canonical 2021 DBX.
  * deiban/rules: start using DISABLE_EBS_PROTECTION=1 to allow
    chainloading shim to shim, and shim to kernel.efi.
  * Add shim-dbg package, skip stripping files.
  * Update watch file, now uscan can generate new upstream tarballs.
  * Upgrade to debhelper 12.
  * Drop gnu-efi build-dep, now vendored upstream.
  * Add debian/rules target to generate gnu-efi components.
  * Do not clean gnu-efi Makefile.orig
  * Remove fallback 5s delay with TPM. LP: #1922581
  * Add xxd build-dep to run unittests.

  [ Chris Coulson ]
  * Drop patches that are fixed upstream:
    - debian/patches/Fix-OBJ_create-to-tolerate-a-NULL-sn-and-ln.patch
    - debian/patches/MokManager-avoid-unaligned.patch
    - debian/patches/tpm-correctness-1.patch
    - debian/patches/tpm-correctness-2.patch
    - debian/patches/tpm-correctness-3.patch
    - debian/patches/MokManager-hidpi-support.patch
    - debian/patches/fix-path-checks.patch
  * Drop the ENABLE_HTTPBOOT option - this is always built now.
    - update debian/rules
  * Add vendor SBAT metadata to shim.
    - add debian/sbat.ubuntu.csv.in
    - update debian/rules
  * Add vendor dbx esl to include-binaries
  * Build-depend on dos2unix
    - update debian/control

 -- Dimitri John Ledkov <xnox at ubuntu.com>  Wed, 24 Mar 2021 11:32:25
+0000

** Changed in: shim (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: shim-signed (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1921134

Title:
  SBAT shim 15.4 release

Status in OEM Priority Project:
  New
Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released

Bug description:
  [Impact]

   * New upstream shim release 15.4
   * It includes and enforces SBAT validation

  [Test Plan]

   * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

  [Where problems could occur]

   * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.

   * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.

  [Other Info]

   * All patches are dropped, as all got included in the v15.3 upstream release
   * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
   * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
   * This upload obsoletes shim-signed-canonical package

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921134/+subscriptions

More information about the foundations-bugs mailing list