shim-signed does not boot on EFI 2.40 by Apple

Bug #1928434 reported by Kris Budde
This bug affects 8 people
Affects                 Status         Importance   Assigned to   Milestone
shim (Ubuntu)           Fix Released   Critical     Unassigned
  Xenial                Fix Released   Undecided    Unassigned
  Focal                 Fix Released   Undecided    Unassigned
  Hirsute               Fix Released   Critical     Unassigned
shim-signed (Ubuntu)    Fix Released   Critical     Unassigned
  Xenial                Fix Released   Undecided    Unassigned
  Bionic                Fix Released   Undecided    Unassigned
  Focal                 Fix Released   Undecided    Unassigned
  Hirsute               Fix Released   Undecided    Unassigned

Bug Description

[Impact]
Booting MacBook is broken

[Test plan]
We don't have a test plan per se to verify this bug, but the shim fix has been tested. Hard to verify those bugs :(

[Where problems could occur]
We disable mirroring of vendor dbx into MokListXRT EFI variable, so mokutil is not able to read the vendor dbx anymore. Other things might not be able to do so either; we don't believe we've been using it so far, though.

[Original bug report]
Hi,

I have a MacBookPro14,3. After upgrading to Ubuntu 21.04 it failed to boot.
At first I thought I was affected by https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1925010.

But my MacBook has a newer EFI version and the fixed version of shim-signed is not solving my issues.

>sudo dmesg | grep EFI
[ 0.000000] efi: EFI v2.40 by Apple
[ 0.011978] ACPI: UEFI 0x000000007AF7D000 000042 (v01 INTEL EDK2 00000002 01000013)
[ 0.012029] ACPI: Reserving UEFI table memory at [mem 0x7af7d000-0x7af7d041]
[ 0.411423] fb0: EFI VGA frame buffer device
[ 0.418914] EFI Variables Facility v0.08 2004-May-17
[ 2.696996] fb0: switching to amdgpudrmfb from EFI VGA

I reinstalled Ubuntu 21.04 from scratch and updated all packages during installation.
The reboot failed. I hear the Apple start sound and then an endless repeating echo.
I've chrooted inside my system and verified that shim-signed 1.47+15.4-0ubuntu2 is installed.

The suggested workaround from the other bug works (I can normally boot afterwards):
/boot/efi/EFI# cp -b ubuntu/grubx64.efi ubuntu/shimx64.efi
/boot/efi/EFI# cp -b ubuntu/grubx64.efi BOOT/BOOTX64.EFI

"sudo apt reinstall shim-signed" reliably breaks my MacBook again.

Is there anything I can do to help solve this issue? What do you need?

Changed in shim-signed (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
Changed in shim (Ubuntu):
importance: Undecided → Critical
status: New → Triaged
Steve Langasek (vorlon) wrote :

One thing you can try while booted up is to run 'mokutil --set-verbosity true' and then reboot, to see if you get any output on the screen from shim that would let us narrow down where things are failing.

Dimitri John Ledkov (xnox) wrote :

For your current workaround to persist, you should also do:

$ sudo dpkg-divert /usr/lib/shim/shimx64.efi.signed
$ sudo cp /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed /usr/lib/shim/shimx64.efi.signed

This way whenever grub-install is called, _grub_ is used instead of shim.

Unfortunately you have found a bug, which will be escalated to shim upstream.

Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu):
status: Triaged → Incomplete
tags: added: fr-1373
Kris Budde (kebkeb) wrote :

I tried "sudo mokutil --set-verbosity true"
but >"This system doesn't support Secure Boot".

description: updated
Dimitri John Ledkov (xnox) wrote :

@kebkeb you can download that efivariable as a file into the efivars dir. Or you need to compile the new mokutil that supports setting that on non-secureboot systems too.

See https://github.com/lcp/mokutil/commit/03bb7af4a84c39f2417fd14ef20b11b2e8d1ad51

Is this something you can compile yourself, or do you need me to provide you with an updated mokutil package?

Julian Andres Klode (juliank) wrote :

> I reinstalled Ubuntu 21.04 from scratch and updated all packages during installation.

If you were able to boot the install image, then this might not be a bug in shim, as the shim on the install image should not work either. Also we only download upgrades during install, but do not apply them, so you should end up with 15.4-0ubuntu1.

I'd like to see results for each of those versions of shim:

* hirsute 15.4-0ubuntu1
* hirsute-updates 15.4-0ubuntu2
* groovy-updates 15+1552672080.a4a1fbe-0ubuntu2

Note that you need to install shim-signed.

Steve Langasek (vorlon) wrote : Re: [Bug 1928434] Re: shim-signed does not boot on EFI 2.40 by Apple

On Mon, May 17, 2021 at 03:23:45PM -0000, Dimitri John Ledkov wrote:
> See
> https://github.com/lcp/mokutil/commit/03bb7af4a84c39f2417fd14ef20b11b2e8d1ad51

> Is this something you can compile yourself, or do you need me to provide
> you with an updated mokutil package?

I have provided a mokutil package with the fix here:

  https://launchpad.net/~vorlon/+archive/ubuntu/ppa

Please install it by running:

  sudo add-apt-repository ppa:vorlon/ppa
  sudo apt install mokutil

and then 'sudo mokutil --set-verbosity true' should work.

Kris Budde (kebkeb) wrote :

Hi,

thank you for the ppa. It was much easier this way.

After reinstalling shim and 'sudo mokutil --set-verbosity true' I got a blue screen (secure boot not enabled > ok) and afterwards three pages of logs.

I created a professional slow motion screen recording and extracted the pages. Not sure if it will help.

Julian Andres Klode (juliank) wrote :

The log shows us that in mirror_mok_db() the call to get_max_var_sz() in mok.c:366 was successful, so it must hang before line 424 where dprint() is called. Given 19304 < 0x4FDC, I assume the path in 373 is being taken, and the call to SetVariable() inside there is hanging in the firmware (despite the variable being 1140 bytes shorter than the maximum allowed).

Julian Andres Klode (juliank) wrote :

This is trying to mirror our insanely large MokListX to MokListXRT, which is so large due to COVID related travel restrictions preventing the generation of a new signing key, and having to revoke all binaries this way instead.

However, we do not actually need to mirror that list AFAIUI, because the kernel, which would consume the list, does not actually support revoking binaries by hash (and it can kexec kernels, but not the grubs we worry about).

On other platforms, this just causes a warning followed by a 10s wait.

Julian Andres Klode (juliank) wrote :

Hi there, could you replace BOOTX64.EFI and shimx64.efi in your ESP with the shimx64.efi in?

http://ppa.launchpad.net/ubuntu-uefi-team/ppa/ubuntu/dists/impish/main/signed/shim-amd64/15.4-0ubuntu3~uefi2/signed.tar.gz

This makes the shim only mirror the actual MokListX, and not add the giant vendor DB to it, which should hopefully resolve your issue.
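
Added example, not shim's code and not written by anyone in this thread: a Python model of the EFI_SIGNATURE_LIST format used by MokListX and dbx, comparing the size of the runtime mirror with and without the vendor dbx appended against the 0x4FDC limit from the log. The owner GUID, digests and entry counts are constructed so that the combined payload is the 19304 bytes quoted above; they are not the real list contents, and `mirror_plan` and the other function names are hypothetical.

```python
import hashlib
import struct
import uuid

# EFI_SIGNATURE_LIST header (UEFI spec, little-endian):
# SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize.
LIST_HEADER = struct.Struct("<16sIII")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

MAX_VAR_SIZE = 0x4FDC  # maximum variable size quoted from the boot log


def build_sha256_list(owner, digests):
    """Serialise SHA-256 digests into one EFI_SIGNATURE_LIST (sample input)."""
    sig_size = 16 + 32  # SignatureOwner GUID + 32-byte digest
    body = b"".join(owner.bytes_le + d for d in digests)
    return LIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                            LIST_HEADER.size + len(body), 0, sig_size) + body


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LISTs, rejecting inconsistent sizes."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < LIST_HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, off)
        data_len = list_size - LIST_HEADER.size - hdr_size
        if (list_size > len(blob) - off or sig_size <= 16
                or data_len < 0 or data_len % sig_size):
            raise ValueError(f"inconsistent sizes at offset {off}")
        start = off + LIST_HEADER.size + hdr_size
        entries = []
        for pos in range(start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((owner, blob[pos + 16:pos + sig_size]))
        guid = uuid.UUID(bytes_le=sig_type)
        lists.append({"type": TYPE_NAMES.get(guid, str(guid)),
                      "size": list_size, "entries": entries})
        off += list_size
    return lists


def mirror_plan(mok_list_x, vendor_dbx, append_vendor_dbx,
                max_var_size=MAX_VAR_SIZE):
    """Size of the runtime mirror under either policy.

    append_vendor_dbx=True models mirroring MokListX plus the vendor dbx;
    False models mirroring only MokListX, as in the test build above.
    """
    payload = mok_list_x + (vendor_dbx if append_vendor_dbx else b"")
    lists = parse_signature_lists(payload)
    return {"size": len(payload),
            "entries": sum(len(item["entries"]) for item in lists),
            # Positive headroom passes the size check; the thread shows the
            # firmware write can still hang with positive headroom.
            "headroom": max_var_size - len(payload)}


def sample_digests(prefix, count):
    """Constructed digests; they do not correspond to any real binary."""
    return [hashlib.sha256(f"{prefix}-{i}".encode()).digest()
            for i in range(count)]


OWNER = uuid.UUID("00000000-0000-0000-0000-0000000000aa")  # constructed GUID
MOK_LIST_X = build_sha256_list(OWNER, sample_digests("mok", 3))
VENDOR_DBX = build_sha256_list(OWNER, sample_digests("vendor", 398))

if __name__ == "__main__":
    for append in (True, False):
        print("append vendor dbx:", append,
              mirror_plan(MOK_LIST_X, VENDOR_DBX, append))
```
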

Julian Andres Klode (juliank) wrote :

(for clarification, I forgot to say that this is for testing purposes, trying to figure out if this resolves the issue)

Steve Langasek (vorlon) wrote :

Kris, we would appreciate it if you could run the above test as requested by Julian and let us know if it boots on your system. We take boot regressions seriously and have put upgrades to 21.04 on hold for all users while this bug remains unresolved, but it's important to be able to close this bug out so that we can turn those upgrades back on. Once we have confirmation of a fixed shim, we will also need to publish this to all stable releases, because Microsoft has already issued revocations of our older shims. Thanks!

Kris Budde (kebkeb) wrote :

Hi Steve, Hi Julian,

I didn't realize how seriously this problem was taken and I was quite busy last week. Sorry for the delay.
I just tested it and it worked.

The only thing that might be worth mentioning: I still have the logging enabled. And the blue screen with the warning "secure boot not enabled" popped up twice. Not sure if this makes sense.

Steve Langasek (vorlon) wrote :

Thanks so much for the quick turnaround! We'll make sure this gets submitted to Microsoft for signing ASAP so we can get the fix into 21.04 for all users.

Changed in shim-signed (Ubuntu):
status: Incomplete → In Progress
Changed in shim (Ubuntu):
status: Triaged → In Progress
Doug McDonald (dxm480) wrote :

Does this bug affect ppc64le? It currently prevents do-release-upgrade to 21.04 from 20.10.

Steve Langasek (vorlon) wrote :

On Fri, Jun 04, 2021 at 03:11:59AM -0000, Doug McDonald wrote:
> Does this bug affect ppc64le? It currently prevents do-release-upgrade
> to 21.04 from 20.10.

This bug does not affect ppc64el, but there is no interface for turning on
upgrades on a per-architecture basis.

However, a change has been made to ubuntu-release-upgrader that lets us
block upgrades only for Apple hardware, and upgrades have been turned on for
20.10 to 21.04. So I'm not sure why you say that it "currently prevents"
it.

Michael Paul McCaffery (mccaffm) wrote :

The change to ubuntu-release-upgrader seems to prevent me upgrading an old Raspberry Pi, so it's not just Apple

An upgrade is not possible at this time

Due to a bug in shim, LP: #1928434, upgrades are not currently safe
for your hardware.

Once that bug has been resolved you will be able to upgrade to the
next release of Ubuntu.

Doug McDonald (dxm480) wrote :

> However, a change has been made to ubuntu-release-upgrader that lets us
> block upgrades only for Apple hardware, and upgrades have been turned on for
> 20.10 to 21.04. So I'm not sure why you say that it "currently prevents"
> it.

What I meant by "[this bug] currently prevents do-release-upgrade to 21.04 from 20.10" is:

If, as I write this, on a (non-Apple) ppc64el platform running 20.10, one attempts to use "do-release-upgrade" to upgrade to 21.04, the upgrade will not proceed, and instead this message will appear:

> An upgrade is not possible at this time
>
> Due to a bug in shim, LP: #1928434, upgrades are not currently safe
> for your hardware.
>
> Once that bug has been resolved you will be able to upgrade to the
> next release of Ubuntu.
>
>
> Restoring original system state
>
> Aborting

Does that answer your question?

In case it helps:

1) the "shim" package is _not_ installed on this system (which I guess isn't surprising, given that it doesn't use any of EFI, UEFI, grub etc. to boot...)

2) I believe I have the latest version of ubuntu-release-upgrader, my system reports:

# ubuntu-release-upgrader-core is already the newest version (1:20.10.12)

Alyssa Rowan (akr) wrote :

That's because _test_and_fail_on_apple in DistUpgradeQuirks.py (see line 377) in the upgrader itself is set to fail if vendor.startswith('Apple Inc.') OR if vendor is unknown, i.e. /sys/class/dmi/id/sys_vendor is null (for example as it will be in WSL or just about any other system where DMI isn't implemented). Put a return after that and you should be able to force it (at your own risk).

Doug McDonald (dxm480) wrote :

oh sweet jesus python strikes again

let's make programming fun and accessible they said

logic and reason is so yesterday they said

Julian Andres Klode (juliank) wrote :

Please don't blame Python. This is by design, we should not upgrade Apple systems just because their dmi is broken.

Seems we forgot to check that we are booting on UEFI in the first place, though, but oh well, still a step up from nobody upgrading to most x86 'PC's upgrading.

Changed in shim (Ubuntu):
status: In Progress → Fix Committed
Doug McDonald (dxm480) wrote :

> This is by design, we should not upgrade Apple systems just because their dmi is broken.

Wait, what?

Can you not see the differences between "This", "we should not upgrade Apple systems just because their dmi is broken" and "Seems we forgot to check that we are booting on UEFI in the first place"?

I am lost :(

[ASCII art]

Julian Andres Klode (juliank) wrote :

Doug, I'm not sure how you get confused, or why you spam the bug tracker with ASCII art like this.

This = "vendor is apple OR can't read vendor" - the statement which caused the issue and which you blamed Python for, for unknown reasons - was intentional, as I said. We explicitly discussed that and said that if the vendor is not readable, we should not upgrade either - it might be Apple after all.

What went wrong is that the code check was also applied to non-UEFI systems.
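
Added example, not ubuntu-release-upgrader's code: the vendor rule described in the comments above next to the same rule gated on a UEFI boot, run against constructed sysfs trees. The function names, the sample machines and the "Dell Inc." vendor string are assumptions made for illustration; the `/sys/firmware/efi` test is the usual Linux indicator of a UEFI boot.

```python
import os
import tempfile


def read_sys_vendor(root="/"):
    """Return the DMI system vendor, or None when it cannot be read."""
    path = os.path.join(root, "sys/class/dmi/id/sys_vendor")
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip() or None
    except OSError:
        return None


def booted_via_uefi(root="/"):
    """Linux exposes /sys/firmware/efi only when booted through UEFI."""
    return os.path.isdir(os.path.join(root, "sys/firmware/efi"))


def blocks_as_described(root="/"):
    """Vendor-only rule from the thread: Apple, or vendor unreadable."""
    vendor = read_sys_vendor(root)
    return vendor is None or vendor.startswith("Apple Inc.")


def blocks_with_uefi_gate(root="/"):
    """Same rule, applied only where shim can be in the boot path."""
    if not booted_via_uefi(root):
        return False
    return blocks_as_described(root)


def make_fake_root(root, vendor, uefi):
    """Populate a constructed sysfs-like tree under root."""
    if vendor is not None:
        dmi = os.path.join(root, "sys/class/dmi/id")
        os.makedirs(dmi)
        with open(os.path.join(dmi, "sys_vendor"), "w", encoding="utf-8") as fh:
            fh.write(vendor + "\n")
    if uefi:
        os.makedirs(os.path.join(root, "sys/firmware/efi"))


# Constructed machines: (sys_vendor content or None if absent, UEFI boot?)
SAMPLES = {
    "macbook": ("Apple Inc.", True),
    "uefi-pc": ("Dell Inc.", True),
    "uefi-no-dmi": (None, True),       # unreadable vendor: might be Apple
    "no-dmi-non-uefi": (None, False),  # e.g. a board without DMI or EFI
}


def evaluate(samples=SAMPLES):
    """Map each sample to (blocked by vendor-only rule, blocked with gate)."""
    results = {}
    for name, (vendor, uefi) in samples.items():
        with tempfile.TemporaryDirectory() as root:
            make_fake_root(root, vendor, uefi)
            results[name] = (blocks_as_described(root),
                             blocks_with_uefi_gate(root))
    return results


if __name__ == "__main__":
    for name, (described, gated) in evaluate().items():
        print(f"{name:16} vendor-only={described!s:5} uefi-gated={gated}")
```
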

Virsacer (virsacer) wrote :

> What went wrong is that the code check was also applied to non-UEFI systems.

So, will the "Fix Committed" stop preventing upgrades on non-UEFI Raspberry Pi?

jorge (jorgemtds) wrote :

I have Ubuntu MATE 20.10 running on my Raspberry Pi 4 and I can't upgrade because of this bug as well.

I went to the file "DistUpgradeQuirks.py" (as mentioned above) and I can't see any "apple" string there to change and force the upgrade. I'm just stuck.

Julian Andres Klode (juliank) wrote :

Please note that this bug is about the shim itself. Disabling upgrades is tracked in bug 1929449 which was obviously fixed, causing the regression of sorts and that regression is tracked in bug 1931112. The update for that regression is in the process of being released.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu5

---------------
shim (15.4-0ubuntu5) hirsute; urgency=medium

  * Rebuild in hirsute to get a more stable target to keep shim reproducible
    for a longer time.

shim (15.4-0ubuntu3) impish; urgency=medium

  [ Steve Langasek ]
  * Use -Zxz compression, for compatibility with dpkg in older releases.
    LP: #1925673

  [ Julian Andres Klode ]
  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
    is causing systems to run out of EFI storage space, or just hang up
    when trying to write it (LP: #1924605) (LP: #1928434)
  * Further relax the check for variable mirroring on non-secureboot systems
    avoiding boot failures on out of space conditions (pull request #372)

  [ Seth Forshee ]
  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
    (pull request #378)

 -- Julian Andres Klode <email address hidden> Wed, 16 Jun 2021 12:52:45 +0200

Changed in shim (Ubuntu):
status: Fix Committed → Fix Released
tags: added: block-proposed
tags: removed: block-proposed
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.48

---------------
shim-signed (1.48) impish; urgency=medium

  [ Dimitri John Ledkov ]
  * Ship externally signed shims in the source package, instead of
    detached signatures.

  [ Steve Langasek ]
  * Restore build-time 'cmp' check to assert that the output of sbattach
    matches the binary received from Microsoft.
  * Include external-$arch.p7c in the clean target.

  [ Julian Andres Klode ]
  * download-signed: Work around non-HTTP apt sources
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <email address hidden> Tue, 22 Jun 2021 12:19:31 +0200

Changed in shim-signed (Ubuntu):
status: In Progress → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Kris, or anyone else affected,

Accepted shim into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed verification-needed-hirsute
Changed in shim (Ubuntu Hirsute):
importance: Undecided → Critical
Changed in shim-signed (Ubuntu Hirsute):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Kris, or anyone else affected,

Accepted shim-signed into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.48 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

Hello Kris, or anyone else affected,

Accepted shim into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Steve Langasek (vorlon) wrote :

Hello Kris, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
Julian Andres Klode (juliank) wrote :

The binaries are the same across all releases, and we got confirmation before pushing the SRU out that they fix the issue, so marking as verified.

tags: added: verification-doen-hirsute verification-done-xenial
removed: verification-needed-hirsute verification-needed-xenial
tags: added: verification-done-hirsute
removed: verification-doen-hirsute
Brian Murray (brian-murray) wrote :

Hello Kris, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-xenial
removed: verification-done-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Kris, or anyone else affected,

Accepted shim into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
tags: added: block-proposed-focal
Łukasz Zemczak (sil2100) wrote :

Hello Kris, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Focal):
status: New → Fix Committed
Julian Andres Klode (juliank) wrote :

Remarking xenial as done, got overridden by late shim-signed acceptance.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.48

---------------
shim-signed (1.48) impish; urgency=medium

  [ Dimitri John Ledkov ]
  * Ship externally signed shims in the source package, instead of
    detached signatures.

  [ Steve Langasek ]
  * Restore build-time 'cmp' check to assert that the output of sbattach
    matches the binary received from Microsoft.
  * Include external-$arch.p7c in the clean target.

  [ Julian Andres Klode ]
  * download-signed: Work around non-HTTP apt sources
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <email address hidden> Tue, 22 Jun 2021 12:19:31 +0200

Changed in shim-signed (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for shim has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu5

---------------
shim (15.4-0ubuntu5) hirsute; urgency=medium

  * Rebuild in hirsute to get a more stable target to keep shim reproducible
    for a longer time.

shim (15.4-0ubuntu3) impish; urgency=medium

  [ Steve Langasek ]
  * Use -Zxz compression, for compatibility with dpkg in older releases.
    LP: #1925673

  [ Julian Andres Klode ]
  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
    is causing systems to run out of EFI storage space, or just hang up
    when trying to write it (LP: #1924605) (LP: #1928434)
  * Further relax the check for variable mirroring on non-secureboot systems
    avoiding boot failures on out of space conditions (pull request #372)

  [ Seth Forshee ]
  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
    (pull request #378)

 -- Julian Andres Klode <email address hidden> Wed, 16 Jun 2021 12:52:45 +0200

Changed in shim (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Kris, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Łukasz Zemczak (sil2100) wrote :

Hello Kris, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Kris, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-xenial
removed: verification-done-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Kris, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

We verified them once, no need or ability to reverify those binaries across all releases on macs.

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-xenial
tags: removed: block-proposed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:33:00 +0200

Changed in shim-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---------------
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install. LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:04:57 +0200

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.10

---------------
shim-signed (1.37~18.04.10) bionic; urgency=medium

  * Remove unnecessary efitools dependency that prevented build on arm64

shim-signed (1.37~18.04.9) bionic; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.50, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes on shim-signed package so that it cannot be
      removed by accident (LP: #1898729)
    - download-signed: Fetch signed artefacts from versioned URL instead
      of current/ symlink to work around caching (LP: #1936640)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)
  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Mon, 19 Jul 2021 17:01:19 +0200

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released