backport SecureBoot support from 13.10 for 12.04.4
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnu-efi (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Raring |
Fix Released
|
Undecided
|
Unassigned | ||
sbsigntool (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Raring |
Fix Released
|
Undecided
|
Unassigned | ||
shim (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Raring |
Fix Released
|
Undecided
|
Unassigned | ||
shim-signed (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Precise |
Fix Released
|
Undecided
|
Unassigned | ||
Quantal |
Fix Released
|
Undecided
|
Unassigned | ||
Raring |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
This is a meta-bug for backporting SecureBoot support from 13.10 for 12.04.4. To fully update the SecureBoot stack for 12.04.4 and fix a number of outstanding bugs, we will have to update a number of packages:
- gnu-efi: update to upstream version 3.0u, so new upstream shim is buildable in precise.
- sbsigntool: update the backport from 0.6-0ubuntu1 to 0.6-0ubuntu4, to include various fixes so build-time validation of shim-signed is possible (i.e., so recent shim-signed is buildable in precise).
- shim: binary-copy of 0.4-0ubuntu4 from saucy, so we don't have to round-trip to Microsoft for a separate signature for each release of what should be functionally the same program
- shim-signed: binary-copy of 1.4 from saucy (once shim 0.4-0ubuntu4 has been signed by Microsoft)
We should also backport grub2 support for generating signed netboot images, but this can be handled as a separate bug report.
[Impact]
A number of OEM devices that ship with Secure Boot enabled are reported to not be able to boot 12.04.3, due to bugs in the pre-release version of shim included in that point release. The only practical means of addressing this is by updating the related packages to the current versions; cherry-picking individual bugfixes is error-prone and time-consuming. This will pull in some new features in addition to the bugfixes - such as netboot support - but this is also justifiable from a hardware-enablement perspective in the LTS.
[Test Case]
1. Rebuild all reverse-
2. Verify that the resulting shim binary build is functional by using it to boot a UEFI machine with and without SecureBoot enabled
3. Rebuild shim-signed from precise against the new sbsigntool, and verify it builds correctly
4. Rebuild shim-signed from precise-proposed against the new sbsigntool, and verify that it also builds correctly
5. Install linux-signed-
6. Verify that linux-signed-
[Regression Potential]
This is a significant update to bootloader code which carries risk of regressing an unknown number of systems and rendering them unbootable. This risk is mitigated by the fact that there have been no reports of regression with the new version of shim in saucy, and the plan is to do a binary copy so if it works in saucy it should work in precise. There have also been multiple reports of machines successfully booting with shim 0.4 which failed with the earlier versions, making this worth the risk.
Related branches
Changed in gnu-efi (Ubuntu): | |
status: | New → Invalid |
Changed in sbsigntool (Ubuntu): | |
status: | New → Invalid |
Changed in shim (Ubuntu): | |
status: | New → Invalid |
Changed in shim-signed (Ubuntu): | |
status: | New → Invalid |
Changed in shim-signed (Ubuntu Raring): | |
status: | New → Fix Committed |
Changed in shim-signed (Ubuntu Quantal): | |
status: | New → Fix Committed |
Changed in shim-signed (Ubuntu Precise): | |
status: | New → Fix Committed |
Changed in shim (Ubuntu Precise): | |
status: | New → Fix Committed |
Changed in shim (Ubuntu Raring): | |
status: | New → Fix Committed |
Changed in shim (Ubuntu Quantal): | |
status: | New → Fix Committed |
Changed in shim (Ubuntu Precise): | |
status: | Fix Committed → Fix Released |
Changed in shim (Ubuntu Quantal): | |
status: | Fix Committed → Fix Released |
Changed in shim (Ubuntu Raring): | |
status: | Fix Committed → Fix Released |
Hello Steve, or anyone else affected,
Accepted sbsigntool into raring-proposed. The package will build now and be available at http:// launchpad. net/ubuntu/ +source/ sbsigntool/ 0.6-0ubuntu4~ 13.04.1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https:/ /wiki.ubuntu. com/Testing/ EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed. In either case, details of your testing will help us make a better decision.
Further information regarding the verification process can be found at https:/ /wiki.ubuntu. com/QATeam/ PerformingSRUVe rification . Thank you in advance!