shim 15.7-0ubuntu1

I have verified so far:

1. shim -> grub -> shim -> grub netboot -> disk chainloading as MAAS does
2. fwupd on all releases in VM that it starts, and on real hardware updated my firwmare

Haven't tested mokutil yet, or chainloading to a different distro or windows.

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

Hello Julian, or anyone else affected,

Accepted shim into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim-signed into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.52 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.51.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted shim-signed (1.51.1) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

edk2/2022.02-3ubuntu0.22.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#shim-signed

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Failing jammy verification due to bug 2004201

Hello Julian, or anyone else affected,

Accepted shim-signed into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.54 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.51.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Julian, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.13 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

shim-signed 1.54 seems to cause autopkgtest regressions in lunar on arm64.

https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#shim-signed

From log:
Installing new version of config file /etc/kernel/postinst.d/zz-shim ...
update-alternatives: error: alternative link /usr/lib/shim/shimaa64.efi.signed is already managed by shimx64.efi.signed
dpkg: error processing package shim-signed (--configure):

On Wed, Feb 01, 2023 at 01:10:46PM -0000, Gunnar Hjalmarsson wrote:
> shim-signed 1.54 seems to cause autopkgtest regressions in lunar on
> arm64.

This is caused by the bugs in 1.52 which was briefly in lunar release but
shouldn't have been, and 1.54 doesn't fix up the mess that 1.52 made. This
has been addressed by respinning the lunar/arm64 base images for
autopkgtest, so retrying all of these failed arm64 tests should now work.
(These retries are being scheduled centrally.)

Thanks Steve! I just submitted a retry of openjdk-8 with fontconfig as trigger (which is the reason I'm here...).

verification done for kinetic in 1.54+15.7-0ubuntu1

verification done for jammy 1.51.3+15.7-0ubuntu1

verification done for focal shim-signed (1.40.9+15.7-0ubuntu1).

verification done for bionic shim-signed (1.37~18.04.13+15.7-0ubuntu1)

All verifications done, but please note that releasing the shim is subject to kernels being available, otherwise we end up with unbootable images (as images are always built using the latest shim, not subject to the mitigation mechanism, as they don't pretend to be built in a securely booted environment while building).

Removing blocks as the kernels have been released.

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

This bug was fixed in the package shim-signed - 1.54

---------------
shim-signed (1.54) kinetic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.52) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

The verification of the Stable Release Update for shim has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

This bug was fixed in the package shim-signed - 1.51.3

---------------
shim-signed (1.51.3) jammy; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.51.1) jammy; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

This bug was fixed in the package shim-signed - 1.40.9

---------------
shim-signed (1.40.9) focal; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.40.8) focal; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

All jammy kernels are signed with new keys and are in security pocket, or they have their own pinned copy of old shim.

Please resume phasing shim/shim-signed in jammy-updates.

block-proposed-jammy removed.

This bug was fixed in the package shim-signed - 1.54

---------------
shim-signed (1.54) kinetic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.52) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

All focal kernels are good, thus we can release this in focal.
Removing block-proposed-focal.

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

This bug was fixed in the package shim-signed - 1.40.9

---------------
shim-signed (1.40.9) focal; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.40.8) focal; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

Removing block-proposed-lunar, all signed kernels are at v6.2 in lunar-release now.

This bug was fixed in the package shim-signed - 1.54

---------------
shim-signed (1.54) kinetic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.52) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

Hello! As we're working on getting bionic migrated to ESM (and closing the archive as part of the usual EOL), I noticed this upload still has 'block-proposed-bionic'. Is there any reason not to release this for bionic?

We're waiting for kernels and the fwupd, fwupd-efi, fwupd-signed SRUs that have been stuck in signing for a couple months.

kernels, fwupdi-efi+fwupd-signed, and mokutil have all been released now to bionic. Removing the block-proposed-bionic tag and releasing these SRUs.

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

This bug was fixed in the package shim-signed - 1.37~18.04.13

---------------
shim-signed (1.37~18.04.13) bionic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.37~18.04.12) bionic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100