Don't unhook ExitBootServices() when EBS protection is disabled

Bug #1931136 reported by Julian Andres Klode
This bug affects 1 person
Affects                 Status        Importance  Assigned to  Milestone
shim (Ubuntu)           Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
  Focal                 Fix Released  Undecided   Unassigned
  Hirsute               Fix Released  Undecided   Unassigned
shim-signed (Ubuntu)    Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
  Bionic                Fix Released  Undecided   Unassigned
  Focal                 Fix Released  Undecided   Unassigned

Bug Description

[Impact]
This is a regression in shim 15.4 that causes a crash in shim when chainbooting.

Also, the machine resets when you exit grub, rather than going back to the EFI shell when launched from it.

[Test plan]

Boot an Ubuntu hirsute image in Secure Boot mode. While this issue was originally seen while chainbooting in https://github.com/lxc/lxd/issues/8770 - it was shown to be also reproducible just by booting a hirsute instance.

[Where problems could occur]
In exiting shim, failure to boot, etc.
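
A simplified C model of the failure class the bug title names, added here as an illustration and not taken from shim's source: it assumes the hook is installed only when EBS protection is enabled, while the unhook path restores the saved pointer regardless. All names (`boot_services`, `hook_services`, `unhook_services_buggy`, `unhook_services_fixed`, `boot_next_stage`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the firmware boot services table. */
typedef int (*exit_boot_services_fn)(void);

struct boot_services {
    exit_boot_services_fn exit_boot_services;
};

/* The firmware's own implementation; returns 0 for success. */
static int firmware_exit_boot_services(void)
{
    return 0;
}

/* Loader state: the saved original pointer and whether a hook is installed. */
static exit_boot_services_fn saved_ebs;
static int hooked;

/* A real wrapper would enforce policy before forwarding; the model only forwards. */
static int loader_ebs_wrapper(void)
{
    return saved_ebs();
}

/* Assumption: with protection disabled nothing is saved and nothing is hooked. */
static void hook_services(struct boot_services *bs, int ebs_protection)
{
    saved_ebs = NULL;
    hooked = 0;
    if (!ebs_protection)
        return;
    saved_ebs = bs->exit_boot_services;
    bs->exit_boot_services = loader_ebs_wrapper;
    hooked = 1;
}

/* Regression pattern: restores unconditionally, so a never-saved (NULL)
 * pointer overwrites the firmware's entry when no hook was installed. */
static void unhook_services_buggy(struct boot_services *bs)
{
    bs->exit_boot_services = saved_ebs;
}

/* Guarded form: only undo what was actually done. */
static void unhook_services_fixed(struct boot_services *bs)
{
    if (!hooked)
        return;
    bs->exit_boot_services = saved_ebs;
    saved_ebs = NULL;
    hooked = 0;
}

/* One hook/unhook cycle followed by the next stage calling through the table.
 * Returns 0 when the call reaches the firmware, -1 when the table entry was
 * clobbered (on real hardware that call is a jump to an invalid address). */
int boot_next_stage(int ebs_protection, int use_fixed_unhook)
{
    struct boot_services bs = { firmware_exit_boot_services };

    hook_services(&bs, ebs_protection);
    if (use_fixed_unhook)
        unhook_services_fixed(&bs);
    else
        unhook_services_buggy(&bs);

    if (bs.exit_boot_services == NULL)
        return -1;
    return bs.exit_boot_services();
}

int main(void)
{
    printf("protection on,  unconditional unhook: %d\n", boot_next_stage(1, 0));
    printf("protection off, unconditional unhook: %d\n", boot_next_stage(0, 0));
    printf("protection off, guarded unhook:       %d\n", boot_next_stage(0, 1));
    printf("protection on,  guarded unhook:       %d\n", boot_next_stage(1, 1));
    return 0;
}
```
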

Changed in shim (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu5

---------------
shim (15.4-0ubuntu5) hirsute; urgency=medium

  * Rebuild in hirsute to get a more stable target to keep shim reproducible
    for a longer time.

shim (15.4-0ubuntu3) impish; urgency=medium

  [ Steve Langasek ]
  * Use -Zxz compression, for compatibility with dpkg in older releases.
    LP: #1925673

  [ Julian Andres Klode ]
  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
    is causing systems to run out of EFI storage space, or just hang up
    when trying to write it (LP: #1924605) (LP: #1928434)
  * Further relax the check for variable mirroring on non-secureboot systems
    avoiding boot failures on out of space conditions (pull request #372)

  [ Seth Forshee ]
  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
    (pull request #378)

 -- Julian Andres Klode <email address hidden> Wed, 16 Jun 2021 12:52:45 +0200

Changed in shim (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted shim into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Hirsute):
status: New → Fix Committed
tags: added: verification-needed verification-needed-hirsute
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.48 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Brian Murray (brian-murray) wrote :

This is Fix Committed for xenial but I can't add a xenial task. :-(

Changed in shim-signed (Ubuntu):
status: New → Fix Committed
dann frazier (dannf) wrote :

I was able to reproduce this w/o any chainloading. Just booting a hirsute image in QEMU w/ SecureBoot enabled was enough. I verified that I'm still seeing this issue w/ the current hirsute cloud image:

BdsDxe: loading Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)
BdsDxe: starting Boot0001 "UEFI Misc Device" from PciRoot(0x0)/Pci(0x1,0x2)/Pci(0x0,0x0)
error: can't find command `hwmatch'.
EFI stub: UEFI Secure Boot is enabled.
!!!! X64 Exception Type - 06(#UD - Invalid Opcode) CPU Apic ID - 00000000 !!!!
RIP - 00000000000E0000, CS - 0000000000000038, RFLAGS - 0000000000210207
RAX - 000000007EFC5660, RCX - 000000007D18F898, RDX - 00000000000016D4
RBX - 000000007EFAFFB0, RSP - 000000007EFAFE98, RBP - 8000000000000001
RSI - 000000003DA5EC2D, RDI - 000000003FFFF1C4
R8 - 0000000000000028, R9 - 000000007E7AC267, R10 - 000000007EFAFF50
R11 - 0000000000000000, R12 - 0000000000000000, R13 - 000000007D18F898
R14 - 000000003DA58D0C, R15 - 000000007EFAFFA0
DS - 0000000000000030, ES - 0000000000000030, FS - 0000000000000030
GS - 0000000000000030, SS - 0000000000000030
CR0 - 0000000080010033, CR2 - 0000000000000000, CR3 - 000000007EC01000
CR4 - 0000000000000668, CR8 - 0000000000000000
DR0 - 0000000000000000, DR1 - 0000000000000000, DR2 - 0000000000000000
DR3 - 0000000000000000, DR6 - 00000000FFFF0FF0, DR7 - 0000000000000400
GDTR - 000000007E9EEA98 0000000000000047, LDTR - 0000000000000000
IDTR - 000000007E401018 0000000000000FFF, TR - 0000000000000000
FXSAVE_STATE - 000000007EFAFAF0
!!!! Can't find image information. !!!!

I then mounted the image externally, updating only shim-signed:

Unpacking shim-signed (1.48+15.4-0ubuntu5) over (1.47+15.4-0ubuntu2) ...
Setting up shim-signed (1.48+15.4-0ubuntu5) ..

After that, the image booted up fine.

description: updated
dann frazier (dannf) wrote :

From inside the properly booting hirsute instance mentioned in the prior comment:

ubuntu@ubuntu:~$ lsb_release -c
Codename: hirsute
ubuntu@ubuntu:~$ sudo mokutil --sb-state
SecureBoot enabled

tags: added: verification-done-hirsute
removed: verification-needed-hirsute
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted shim into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.4-0ubuntu5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
dann frazier (dannf) wrote :

I'm not sure we've seen this problem with a xenial guest. However, I did regression test and verify that xenial guests still boot in secureboot mode w/ the shim-signed package in -proposed:

ubuntu@ubuntu:~$ dpkg -l | grep shim-signed
ii shim-signed 1.33.1~16.04.9+15.4-0ubuntu5 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo mokutil --sb-state
SecureBoot enabled

tags: added: verification-done-xenial
removed: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Focal):
status: New → Fix Committed
dann frazier (dannf) wrote :

As with xenial (see Comment #11), my focal verification just shows that booting under SB still works:

ubuntu@dannf-shim-f:~$ dpkg-query -W shim-signed
shim-signed 1.40.5+15.4-0ubuntu5
ubuntu@dannf-shim-f:~$ sudo mokutil --sb-state
SecureBoot enabled

tags: added: verification-done-focal
removed: verification-needed-focal
tags: added: verification-done
removed: verification-needed
Changed in shim-signed (Ubuntu):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for shim has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu5

---------------
shim (15.4-0ubuntu5) hirsute; urgency=medium

  * Rebuild in hirsute to get a more stable target to keep shim reproducible
    for a longer time.

shim (15.4-0ubuntu3) impish; urgency=medium

  [ Steve Langasek ]
  * Use -Zxz compression, for compatibility with dpkg in older releases.
    LP: #1925673

  [ Julian Andres Klode ]
  * Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
    is causing systems to run out of EFI storage space, or just hang up
    when trying to write it (LP: #1924605) (LP: #1928434)
  * Further relax the check for variable mirroring on non-secureboot systems
    avoiding boot failures on out of space conditions (pull request #372)

  [ Seth Forshee ]
  * Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136)
    (pull request #378)

 -- Julian Andres Klode <email address hidden> Wed, 16 Jun 2021 12:52:45 +0200

Changed in shim (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-focal
removed: verification-done verification-done-focal
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
removed: verification-done-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

In lieu of other releases not being hirsute, I just did the "exit from grub returns to shell" test from inside the EFI shell with 15.4-0ubuntu7, which passed. I also accidentally did a MAAS-style PXE shim -> PXE grub -> ESP shim -> ESP grub chainboot which worked fine.

We are going to do more regression testing in bug 1921134, but this makes me confident that the patch for EBS handling is still correctly working :)

By virtue of binaries being identical, this verification applies to all releases.

tags: added: verification-done verification-done-bionic verification-done-focal verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-focal verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.40.6

---------------
shim-signed (1.40.6) focal; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)
  * download-signed: Fetch signed artefacts from versioned URL instead
    of current/ symlink to work around caching (LP: #1936640)

shim-signed (1.40.5) focal; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.48, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes and Protected: yes on shim-signed package
      so that it cannot be removed by accident (LP: #1898729)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:33:00 +0200

Changed in shim-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.4-0ubuntu7

---------------
shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

Changed in shim (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.10

---------------
shim-signed (1.33.1~16.04.10) xenial; urgency=medium

  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

shim-signed (1.33.1~16.04.9) xenial; urgency=medium

  * Do not build a dual-signed shim (fixing regression from ~16.04.7), and
    disable verifying fbx64.efi and mmx64.efi certificates as xenial's
    sbverify is unable to (impish works fine)
  * Clean up debhelper log file accidentally imported into git during 16.04.7
    import.

shim-signed (1.33.1~16.04.8) xenial; urgency=medium

  * debian/*.postinst: Unconditionally call grub-install with
    --force-extra-removable, so that the \EFI\BOOT removable path as used in
    cloud images receives the updates. LP: #1930742.
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)

shim-signed (1.33.1~16.04.7) xenial; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Update packaging to pull fb and mm from shim-signed package as in
    later releases, dropping the runtime dependency on shim.
  * Add download-signed script from linux-signed package
  * Add a versioned dependency on the mokutil that introduces --timeout, and
    call mokutil --timeout -1 so that users don't end up with broken systems
    by missing MokManager on reboot after install. LP: #1856422.
  * Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
    to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
    grub-install present when we are installing new shim to the ESP.
  * Include reworked Makefile from devel to better assert the integrity of
    the executables.

 -- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:04:57 +0200

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.10

---------------
shim-signed (1.37~18.04.10) bionic; urgency=medium

  * Remove unnecessary efitools dependency that prevented build on arm64

shim-signed (1.37~18.04.9) bionic; urgency=medium

  * New upstream release 15.4. LP: #1921134
  * Synchronize packaging with 1.50, summary
    - Update packaging to pull fb and mm from shim-signed package as in
      later releases, dropping the runtime dependency on shim.
    - Add download-signed script from linux-signed package
    - Include reworked Makefile from devel to better assert the integrity of
      the executables.
    - Dual-signed shim
    - Set XB-Important: yes on shim-signed package so that it cannot be
      removed by accident (LP: #1898729)
    - download-signed: Fetch signed artefacts from versioned URL instead
      of current/ symlink to work around caching (LP: #1936640)
  * Update to shim 15.4-0ubuntu5:
    - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
      is causing systems to run out of EFI storage space, or just hang up
      when trying to write it (LP: #1924605) (LP: #1928434)
    - Further relax the check for variable mirroring on non-secureboot systems
      avoiding boot failures on out of space conditions (pull request #372)
    - Don't unhook ExitBootServices() when EBS protection is disabled
      (LP: #1931136) (pull request #378)
  * Update to shim 15.4-0ubuntu7:
    - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
    - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
    - Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
    - mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Mon, 19 Jul 2021 17:01:19 +0200

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released