[Bug 1921134] Re: SBAT shim 15.4 release
Julian Andres Klode
1921134 at bugs.launchpad.net
Mon Jul 26 14:00:03 UTC 2021
Verified the shim on focal.
* xnox verified Windows booting on hirsute, binaries are same
* I verified MAAS-style chained netbooting
* Verified the interactions with mokutil
+ Verified loading dkms modules
+ Verified end2end IRL boot on ThinkPad X230 with ZFS
- Did not verify actual MAAS boot, but confident enough that we have checked 15.4 shim for that and the additional patches are not going to break it
- Did not check fwupd, fwupd focal SRU needs to be accepted too. Checked that the load option parsing is correct for that purpose on our side
- Did not chainload other distros due to lack of such distros in my VM setups, but given that Windows and shim chainloading works, happy enough. People can still boot other distros via UEFI menu anyway, we should phase out chainloading them.
** Tags removed: block-proposed-focal verification-needed-focal
** Tags added: verification-done-focal
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1921134
Title:
SBAT shim 15.4 release
Status in OEM Priority Project:
In Progress
Status in shim package in Ubuntu:
Fix Released
Status in shim-signed package in Ubuntu:
Fix Released
Status in shim-signed source package in Xenial:
Fix Committed
Status in shim-signed source package in Bionic:
Fix Committed
Status in shim-signed source package in Focal:
Fix Committed
Status in shim-signed source package in Hirsute:
Fix Released
Bug description:
[Impact]
* New upstream shim release 15.4
* It includes and enforces SBAT validation
[Test Plan]
* https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan
[Where problems could occur]
* Upgrading to new shim, without upgrading to the new grub with sbat
will fail to boot, as grub must include SBAT section.
* Upgrading to new shim, without upgrading to the new fwupdate with
sbat will fail to boot, as fwupdate must include SBAT section.
[Other Info]
* All patches are dropped, as all got included in the v15.3 upstream release
* Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
* Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
* This upload obsoletes shim-signed-canonical package
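
A pre-upgrade check for the failure mode listed under [Where problems could occur], as an added example that is not part of the bug report or of shim: it reads the `.sbat` section (CSV rows of component, generation, vendor, package, version, URL) from a PE/COFF image and reports when the section is missing. The `build_pe` helper and the sample metadata are constructed here so the block runs offline.

```python
import csv
import struct

def read_sbat(image: bytes):
    """Return the .sbat rows of a PE/COFF image, or None when the section is absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                          # first section header
    for entry in range(table, table + 40 * n_sections, 40):
        if image[entry:entry + 8].rstrip(b"\0") != b".sbat":
            continue
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, entry + 8)
        data = image[raw_ptr:raw_ptr + min(vsize or raw_size, raw_size)]
        text = data.split(b"\0", 1)[0].decode("utf-8")     # drop section padding
        return [row for row in csv.reader(text.splitlines()) if row]
    return None

def generations(rows):
    """Map component name -> generation number (first two CSV fields of each row)."""
    return {row[0]: int(row[1]) for row in rows}

def build_pe(sections):
    """Constructed minimal PE image for the demo: headers plus raw sections only."""
    pe_off = 0x40
    hdr = bytearray(pe_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    data_off = pe_off + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data),
                             data_off + len(body), 0, 0, 0, 0, 0)
        body += data
    return bytes(hdr) + b"PE\0\0" + coff + table + body

# Constructed sample metadata: vendor, version and URLs are placeholders.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
               b"grub,1,Example Vendor,grub2,0.0-example,https://example.invalid/grub\n")
WITH_SBAT = build_pe([(b".text", b"\x90" * 16), (b".sbat", SAMPLE_SBAT)])
WITHOUT_SBAT = build_pe([(b".text", b"\x90" * 16)])

if __name__ == "__main__":
    for label, img in (("with .sbat", WITH_SBAT), ("without .sbat", WITHOUT_SBAT)):
        rows = read_sbat(img)
        print(label, "->", generations(rows) if rows else "no SBAT metadata")
```

On a real system, pass the bytes of the installed grub or fwupd EFI binary to `read_sbat`; a `None` result means the binary carries no SBAT metadata.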