group.of.nepali.translators team mailing list archive
Message #40141
[Bug 1925140] Re: fix insecure mode booting
This bug was fixed in the package shim - 15.4-0ubuntu7
---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium
* Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
* Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
* Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
* mok: relax the maximum variable size check (LP: #1934780) (PR #369)
-- Julian Andres Klode <juliank@xxxxxxxxxx> Wed, 07 Jul 2021 10:57:35 +0200
** Changed in: shim (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1925140
Title:
fix insecure mode booting
Status in shim package in Ubuntu:
Fix Released
Status in shim source package in Xenial:
Fix Released
Status in shim source package in Hirsute:
Fix Released
Bug description:
shim supports disabling validation using a shim-specific variable,
whilst keeping the firmware secureboot on.
The state for it is currently incorrectly parsed on Ubuntu, and thus
an error message is not printed that the machine is booting without
signature verification by shim.
Please pull in the fix https://github.com/rhboot/shim/pull/362/files
[Impact]
* There is an upstream bug report that prevents booting systems, when
mokutil --disable-validation is set.
* It only impacts shims that are built with the ExitBootServices check
in place
* In Ubuntu, we build shim with ExitBootServices check disabled,
therefore we were not affected by this issue directly. But it was felt
that no new shims would be signed unless this patch is included as a
bugfix.
[Test Plan]
* Boot with Secureboot on, and mokutil validation on, everything
should boot
* Turn Secureboot off, everything should boot
* Turn Secureboot on, but turn mokutil validation off, everything
should still boot.
* Note that the above would have failed with 15.4-0ubuntu1 shim, had
we not built it with disabling ExitBootServices, so this is not a
regression, but to ensure that the included bugfix is correct and
doesn't regress things it claims to keep working. As otherwise no
Ubuntu shims have been affected by the upstream issue in question.
[Where problems could occur]
* The areas that could regress with this patch are validated in the
Test plan.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925140/+subscriptions