[Bug 1925140] Re: fix insecure mode booting

Łukasz Zemczak 1925140 at bugs.launchpad.net
Fri May 14 10:57:35 UTC 2021


Hello Dimitri, or anyone else affected,

Accepted shim into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu2 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: shim (Ubuntu Xenial)
       Status: New => Fix Committed

** Tags removed: verification-done
** Tags added: verification-needed verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1925140

Title:
  fix insecure mode booting

Status in shim package in Ubuntu:
  Fix Released
Status in shim source package in Xenial:
  Fix Committed
Status in shim source package in Hirsute:
  Fix Released

Bug description:
  shim supports disabling validation using shim specific variable,
  whilst keeping the firmware secureboot on.

  The state for it is currently incorrectly parsed on Ubuntu, and thus
  the error message that the machine is booting without signature
  verification by shim is not printed.

  please pull in fix https://github.com/rhboot/shim/pull/362/files

  [Impact]

   * There is an upstream bug report that prevents booting systems when
  mokutil --disable-validation is set.

   * It only impacts shims that are built with ExitBootService check in
  place

   * In Ubuntu, we build shim with ExitBootServices check disabled,
  therefore we were not affected by this issue directly. But it was felt
  that no new shims would be signed unless this patch is included as a
  bugfix.

  [Test Plan]

   * Boot with Secureboot on and mokutil validation on; everything
  should boot.

   * Turn Secureboot off; everything should boot.

   * Turn Secureboot on, but turn mokutil validation off; everything
  should still boot.

   * Note that the above would have failed with the 15.4-0ubuntu1 shim,
  had we not built it with ExitBootServices disabled, so this is not a
  regression, but it ensures that the included bugfix is correct and
  doesn't regress things it claims to keep working. Otherwise no
  Ubuntu shims have been affected by the upstream issue in question.

  [Where problems could occur]

   * The areas that could regress with this patch are validated in the
  Test plan.

  [Other Info]
   
   * Anything else you think is useful to include
   * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
   * and address these questions in advance

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925140/+subscriptions
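The bug above concerns the state where firmware Secure Boot is on but shim validation has been disabled via mokutil, and shim failed to report it. The following check script is added here as an example; it is not part of the bug report, of shim, or of mokutil. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (each variable file there starts with a 4-byte attributes header), that the firmware exposes SecureBoot under the EFI global variable GUID, and that shim mirrors its validation state into a runtime variable named MokSBStateRT under shim's MOK GUID (variable and GUID names are assumed from shim's usual behaviour).

```shell
#!/bin/sh
# Added example (not from the bug report, shim, or mokutil): report whether
# shim signature validation is disabled while firmware Secure Boot is on.
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# Assumed variable names: EFI global GUID for SecureBoot, shim MOK GUID
# for the runtime mirror of MokSBState.
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MOK_VAR="MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"

# Print the first data byte of an efivarfs file (after the 4-byte attributes
# header) as a decimal; print "absent" if the file is missing or too short.
efivar_first_byte() {
    value=""
    if [ -r "$1" ]; then
        value=$(od -An -j4 -N1 -tu1 "$1" | tr -d ' ')
    fi
    [ -n "$value" ] && echo "$value" || echo absent
}

# Classify the boot state from the SecureBoot and MokSBStateRT data bytes.
# Prints one of: sb-off, sb-on-validated,
# sb-on-shim-validation-disabled, unknown.
classify_boot_state() {
    sb=$1
    mok=$2
    case "$sb" in
        absent|0) echo sb-off ;;
        1)
            case "$mok" in
                1) echo sb-on-shim-validation-disabled ;;
                absent|0) echo sb-on-validated ;;
                *) echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Read both variables from an efivarfs directory (default: the live system)
# and print the classification. "sb-on-shim-validation-disabled" is exactly
# the condition the bug says shim should warn about at boot.
report_shim_state() {
    dir=${1:-$EFIVARS}
    classify_boot_state "$(efivar_first_byte "$dir/$SB_VAR")" \
                        "$(efivar_first_byte "$dir/$MOK_VAR")"
}

report_shim_state "$@"
```

Run it with no arguments on a booted system, or pass a directory containing copies of the two variable files to classify a captured state offline.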
