[Bug 2045552] Re: nullboot 0.5.0: shim 15.7-0ubuntu1 update

Chris Halse Rogers 2045552 at bugs.launchpad.net
Wed Feb 21 04:50:03 UTC 2024 

Ok. You've convinced me this is the minimal reasonable change :)

I've still got a couple of questions about the process of testing:

It's not entirely clear to me what the scope of possible failures is here:
* failure to boot is a pleasantly obvious failure mode, but is this influenced by user configuration, or does it booting *anywhere* mean it will boot *everywhere*?
* My understanding of the TPM stack is limited, but my understanding is that if it boots *at all* then it must have booted an expected image - is this correct, or should we also be testing that the update correctly *fails* to boot unexpected images?

And to clarify:
> Double check bios_measurements_log to ensure that the newly update shim was used for boot (https://github.com/canonical/tcglog-parser/tree/master/tcglog-dump can be used to extract checksum of the shim binary used at boot and compared to the one shipped in nullboot

>From package contents I assume you'd be checking against the checksum of
/usr/lib/nullboot/shim/shimx64.efi.signed, but what checksum algorithm?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to nullboot in Ubuntu.
https://bugs.launchpad.net/bugs/2045552

Title:
  nullboot 0.5.0: shim 15.7-0ubuntu1 update

Status in nullboot package in Ubuntu:
  Fix Released
Status in nullboot source package in Focal:
  New
Status in nullboot source package in Jammy:
  New

Bug description:
  [Impact]
  Security update for shim

  [Test plan]

  * Deploy Azure CVM and TPM FDE
  * Upgrade to this new package and reboot
  * Boot should be successful
  * Double check bios_measurements_log to ensure that the newly update shim was used for boot (https://github.com/canonical/tcglog-parser/tree/master/tcglog-dump can be used to extract checksum of the shim binary used at boot and compared to the one shipped in nullboot)

  * CPC - build new image with nullboot preinstalled, and attempt to
  register and boot such an images as first time.

  [Where problems could occur]

  Resealing could fail

  Shim could fail to boot

  Limited to Azure confidential VMs in scope

  Upgrade to and usage of interim lunar & mantic ubuntu releases is not
  supported on the Azure CVMs and does not work, hence this bug targets
  SRUs for LTS releases only.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nullboot/+bug/2045552/+subscriptions

More information about the foundations-bugs mailing list