[Bug 1921134] [NEW] SBAT shim 15.3 release

Dimitri John Ledkov 1921134 at bugs.launchpad.net
Wed Mar 24 15:00:29 UTC 2021


*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

 * New upstream shim release 15.3
 * It includes and enforces SBAT validation

[Test Plan]

 * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

[Where problems could occur]

 * Upgrading to the new shim without upgrading to the new grub with SBAT
will fail to boot, as grub must include an SBAT section.

 * Upgrading to the new shim without upgrading to the new fwupdate with
SBAT will fail to boot, as fwupdate must include an SBAT section.
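Both failure modes above come down to the same check: with SBAT enforced, shim refuses to launch a second-stage binary that has no .sbat section, or one whose component generation is below shim's revocation level. A practical pre-upgrade check is therefore to look at the installed grub and fwupd EFI images for that section. The script below is an added example written for this report, not code from the shim or Ubuntu projects: it walks the PE section table, extracts and parses the .sbat CSV, and models the accept/reject decision against a policy dictionary. The PE images and the policy values are constructed in-line for the example; the SbatLevel that shim 15.3 actually ships is not taken from this page and is an assumption here.

```python
"""Inspect an EFI PE binary for its .sbat section and evaluate it against an
SBAT revocation policy.  Added example for this bug report; not shim code."""
import struct
from typing import Dict, List, Optional

COFF_HEADER = struct.Struct("<HHIIIHH")         # 20-byte COFF file header
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # 40-byte section table entry
SBAT_FIELDS = ["component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url"]


def extract_sbat(pe: bytes) -> Optional[bytes]:
    """Return the raw .sbat section contents, or None when the image has none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = COFF_HEADER.unpack_from(pe, coff)
    table = coff + COFF_HEADER.size + opt_size
    for i in range(nsections):
        name, vsize, _, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            pe, table + i * SECTION_HEADER.size)
        if name.rstrip(b"\0") == b".sbat":
            # VirtualSize is the real payload length; SizeOfRawData is padded.
            size = min(vsize, raw_size) if vsize else raw_size
            return pe[raw_ptr:raw_ptr + size].rstrip(b"\0")
    return None


def parse_sbat(data: bytes) -> List[Dict[str, str]]:
    """Parse the CSV lines of a .sbat section into one dict per component."""
    entries = []
    for line in data.decode("ascii").splitlines():
        if not line.strip():
            continue
        cols = line.split(",")
        if len(cols) != len(SBAT_FIELDS):
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries.append(dict(zip(SBAT_FIELDS, cols)))
    return entries


def check_sbat(policy: Dict[str, int], data: Optional[bytes]) -> str:
    """Model of the enforcement decision: a binary with no .sbat section is
    rejected, and so is one whose generation for any policed component is
    below the policy minimum.  Simplified model, not shim's actual code."""
    if data is None:
        return "rejected: no .sbat section"
    for entry in parse_sbat(data):
        name, gen = entry["component_name"], int(entry["component_generation"])
        if name in policy and gen < policy[name]:
            return f"rejected: {name} generation {gen} < required {policy[name]}"
    return "accepted"


def build_pe(sections: Dict[bytes, bytes]) -> bytes:
    """Build a minimal, non-bootable PE image with the given sections.
    Constructed purely so the example runs offline on a synthetic binary."""
    align, e_lfanew, opt_size = 0x200, 0x40, 0
    headers_end = (e_lfanew + 4 + COFF_HEADER.size + opt_size
                   + len(sections) * SECTION_HEADER.size)
    data_start = -(-headers_end // align) * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = COFF_HEADER.pack(0x8664, len(sections), 0, 0, 0, opt_size, 0x0002)
    table, body, ptr = b"", b"", data_start
    for name, content in sections.items():
        raw_size = -(-len(content) // align) * align
        table += SECTION_HEADER.pack(name.ljust(8, b"\0"), len(content), ptr,
                                     raw_size, ptr, 0, 0, 0, 0, 0x40000040)
        body += content.ljust(raw_size, b"\0")
        ptr += raw_size
    return (dos + b"PE\0\0" + coff + table).ljust(data_start, b"\0") + body


# Constructed sample data: the .sbat CSV a SBAT-enabled grub might carry, and
# a revocation policy (assumption; the real shim SbatLevel is not on this page).
GRUB_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
             b"grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n")
SBAT_POLICY = {"sbat": 1, "grub": 1}
OLD_GRUB = build_pe({b".text": b"\x90" * 16})                       # no .sbat
NEW_GRUB = build_pe({b".text": b"\x90" * 16, b".sbat": GRUB_SBAT})  # with .sbat

if __name__ == "__main__":
    for label, image in (("old grub", OLD_GRUB), ("new grub", NEW_GRUB)):
        print(f"{label}: {check_sbat(SBAT_POLICY, extract_sbat(image))}")
```

On a real system the same `extract_sbat` can be pointed at the installed grubx64.efi or fwupdx64.efi (read as bytes) to confirm the section is present before the shim upgrade is applied; the policy dictionary is only a model of the comparison shim performs, so it shows why a SBAT-less binary fails rather than reproducing shim's exact level data.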

[Other Info]

 * All patches are dropped, as they were all included in the v15.3 upstream release
 * The embedded ephemeral shim certificate is gone; the archive key is now used to sign fb/mm (fallback and MokManager)
 * A vendor DBX is included that revokes grubs and shims vulnerable to BootHole and the ACPI bypass
 * This upload obsoletes the shim-signed-canonical package

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: shim-signed (Ubuntu)
   Importance: Undecided
       Status: New

** Description changed:

  [Impact]
  
-  * New upstream shim release 15.3
-  * It includes and enforces SBAT validation
+  * New upstream shim release 15.3
+  * It includes and enforces SBAT validation
  
  [Test Plan]
  
-  * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan
+  * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan
  
  [Where problems could occur]
  
-  * Upgrading to new shim, without upgrading to the new grub with sbat
+  * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.
  
-  * Upgrading to new shim, without upgrading to the new fwupdate with
+  * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.
  
  [Other Info]
-  
-  * All patches are dropped, as all got included in the v15.3 upstream release
-  * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
-  * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
+ 
+  * All patches are dropped, as all got included in the v15.3 upstream release
+  * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
+  * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
+  * This upload obsoletes shim-signed-canonical package

https://bugs.launchpad.net/bugs/1921134