[Bug 2045552] Re: nullboot 0.5.0: shim 15.7-0ubuntu1 update

Julian Andres Klode 2045552 at bugs.launchpad.net
Wed Feb 14 13:05:49 UTC 2024 

I believe that is what happened to some extend, but it certainly wasn't
our goal. Our goal is to (be able to) uphold our commitment to the
security team to keep our dependencies up-to-date, and there are no
stable branches to pick from (often not even tags) nor do we want to
fork hundreds of repos and add redirects to go.mod so that we can use
them, so that means we need to regularly update to the latest upstream
git branches.

We did not pick the latest versions for all the measurement code, but
just the bare minimum to get it working. The dependabot bot did some
updates of the golang.org utility libraries and the test suite helper,
but those do not have stable branches, so we ultimately have no choice
but to keep them updated when the bot tells us to.

>From a SRU perspective this should be straightforward:

- Changes to the vendor/ directory are automatic and should be ignored, it is just an expansion of go.mod
- Check that go.mod contains the same (or newer) versions of the dependencies as snapd to ensure we don't miss security fixes.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nullboot in Ubuntu.
https://bugs.launchpad.net/bugs/2045552

Title:
  nullboot 0.5.0: shim 15.7-0ubuntu1 update

Status in nullboot package in Ubuntu:
  Fix Released
Status in nullboot source package in Focal:
  New
Status in nullboot source package in Jammy:
  New

Bug description:
  [Impact]
  Security update for shim

  [Test plan]

  * Deploy Azure CVM and TPM FDE
  * Upgrade to this new package and reboot
  * Boot should be successful
  * Double check bios_measurements_log to ensure that the newly update shim was used for boot (https://github.com/canonical/tcglog-parser/tree/master/tcglog-dump can be used to extract checksum of the shim binary used at boot and compared to the one shipped in nullboot)

  * CPC - build new image with nullboot preinstalled, and attempt to
  register and boot such an images as first time.

  [Where problems could occur]

  Resealing could fail

  Shim could fail to boot

  Limited to Azure confidential VMs in scope

  Upgrade to and usage of interim lunar & mantic ubuntu releases is not
  supported on the Azure CVMs and does not work, hence this bug targets
  SRUs for LTS releases only.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nullboot/+bug/2045552/+subscriptions

More information about the foundations-bugs mailing list