[Bug 1921134] Re: SBAT shim 15.4 release

Harm van Bakel 1921134 at bugs.launchpad.net
Sat Jul 3 13:49:24 UTC 2021 

I tried installing the new shim package on a second system that also had
Oracle Virtualbox 6.1 installed and didn't encounter the same issue on
this system.

I then tried upgrading the first system again after first uninstalling
Virtualbox. This time there were no issues after the upgrade. I then
reinstalled Oracle Virtualbox 6.1 on this system that prompted the
installation of a new MOK. After registering the new key on a reboot
everything is working fine now. I'm guessing there was some MOK issue
specific to the system that was causing the issue, which was solved by a
reinstallation of Virtualbox.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1921134

Title:
  SBAT shim 15.4 release

Status in OEM Priority Project:
  Confirmed
Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Committed
Status in shim-signed source package in Focal:
  Fix Committed
Status in shim-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

   * New upstream shim release 15.4
   * It includes and enforces SBAT validation

  [Test Plan]

   * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

  [Where problems could occur]

   * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.

   * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.

  [Other Info]

   * All patches are dropped, as all got included in the v15.3 upstream release
   * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
   * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
   * This upload obsoletes shim-signed-canonical package

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921134/+subscriptions

More information about the foundations-bugs mailing list