[Bug 1921134] Re: SBAT shim 15.4 release

Dimitri John Ledkov 1921134 at bugs.launchpad.net
Wed Mar 31 17:02:18 UTC 2021


** Summary changed:

- SBAT shim 15.3 release
+ SBAT shim 15.4 release

** Description changed:

  [Impact]
  
-  * New upstream shim release 15.3
+  * New upstream shim release 15.4
   * It includes and enforces SBAT validation
  
  [Test Plan]
  
   * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan
  
  [Where problems could occur]
  
   * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.
  
   * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.
  
  [Other Info]
  
   * All patches are dropped, as all got included in the v15.3 upstream release
   * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
   * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
-  * This upload obsoletes shim-signed-canonical package
+  * This upload obsoletes shim-signed-canonical package

https://bugs.launchpad.net/bugs/1921134

Title:
  SBAT shim 15.4 release

Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  New

Bug description:
  [Impact]

   * New upstream shim release 15.4
   * It includes and enforces SBAT validation

  [Test Plan]

   * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

  [Where problems could occur]

   * Upgrading to new shim, without upgrading to the new grub with sbat
  will fail to boot, as grub must include SBAT section.

   * Upgrading to new shim, without upgrading to the new fwupdate with
  sbat will fail to boot, as fwupdate must include SBAT section.

  [Other Info]

   * All patches are dropped, as all got included in the v15.3 upstream release
   * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
   * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
   * This upload obsoletes shim-signed-canonical package
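
An added example, not part of the bug report and not shim's own code: a pre-upgrade check that the grub and fwupd EFI binaries named under [Where problems could occur] actually carry a .sbat section, and what it declares. The helper names and the sample image are constructed for illustration; the check only detects and lists the section and does not reproduce shim's verification.

```python
import csv
import struct
import sys

def pe_sections(image):
    """Return {section name: raw bytes} parsed from a PE/COFF image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: only the section count and optional-header size matter here.
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    table = pe_off + 24 + opt_size
    out = {}
    for i in range(nsect):
        name, vsize, _, rsize, rptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        size = min(vsize, rsize) if vsize else rsize  # raw size includes padding
        out[name.rstrip(b"\0").decode("ascii", "replace")] = image[rptr:rptr + size]
    return out

def sbat_entries(image):
    """Return the .sbat CSV rows, or None if the binary has no .sbat section."""
    raw = pe_sections(image).get(".sbat")
    if raw is None:
        return None
    text = raw.rstrip(b"\0").decode("utf-8")
    return [row for row in csv.reader(text.splitlines()) if row]

def build_sample(sections):
    """Constructed test input: a header-only PE image carrying the given sections."""
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    ptr, body = 0x40 + 24 + 40 * len(sections), b""
    for name, data in sections.items():
        image += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0, len(data), ptr, 0, 0, 0, 0, 0)
        ptr += len(data)
        body += data
    return bytes(image + body)

# Constructed sample metadata, not taken from any shipped binary.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n")
WITH_SBAT = build_sample({".text": b"\x90" * 16, ".sbat": SAMPLE_SBAT})
WITHOUT_SBAT = build_sample({".text": b"\x90" * 16})

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass the grub / fwupd EFI binaries to inspect
        with open(path, "rb") as fh:
            rows = sbat_entries(fh.read())
        print(path, "NO .sbat section" if rows is None else rows)
```

A binary reported with no .sbat section is one that should be upgraded before the new shim is installed.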
