[Bug 1934506] Re: Mirrored MOK variables could be accidentally deleted

Launchpad Bug Tracker 1934506 at bugs.launchpad.net
Mon Aug 2 19:46:16 UTC 2021 

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4.  LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditons (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <juliank at ubuntu.com>  Fri, 16 Jul 2021 13:33:00
+0200

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1934506

Title:
  Mirrored MOK variables could be accidentally deleted

Status in shim:
  New
Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim source package in Xenial:
  Fix Committed
Status in shim-signed source package in Xenial:
  Fix Committed
Status in shim source package in Bionic:
  Fix Committed
Status in shim-signed source package in Bionic:
  Fix Committed
Status in shim source package in Focal:
  Fix Released
Status in shim-signed source package in Focal:
  Fix Released
Status in shim source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  On some systems, Mok variables mirrored are accidentally deleted after the mirroring. This can prevent the kernel from loading DKMS modules, if it does not yet use the config table to parse the MokList variable; and userspace tools relying on the variables will have wrong results.

  Most implementations reject the accidental delete, as the flags do not
  match, this bug was produced on VMWare.

  [Test plan]
  If we can get a VMWare Workstation or Player license, it would be good to validate that. Without a license, the best we can do is ensure there are no regressions on other machines and rely on the authors of the patch (SUSE) to have tested this properly.

  [Where problems could occur]
  We could accidentally delete the variable on other systems now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/shim/+bug/1934506/+subscriptions

More information about the foundations-bugs mailing list