shim 15.7-0ubuntu1

Bug #1996503 reported by Julian Andres Klode
Affects               Status         Importance  Assigned to  Milestone
shim (Ubuntu)         Fix Committed  Undecided   Unassigned
  Bionic              Fix Released   Undecided   Unassigned
  Focal               Fix Released   Undecided   Unassigned
  Jammy               Fix Released   Undecided   Unassigned
  Kinetic             Fix Released   Undecided   Unassigned
shim-signed (Ubuntu)  Fix Released   Undecided   Unassigned
  Bionic              Fix Released   Undecided   Unassigned
  Focal               Fix Released   Undecided   Unassigned
  Jammy               Fix Released   Undecided   Unassigned
  Kinetic             Fix Released   Undecided   Unassigned

Bug Description

[Impact]
New upstream release; shim security update CVE-2022-28737

[Test plan]
https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

[Where problems could occur]
Machines could become unbootable due to bugs as usual.

Key rotations that require newer kernels can't enforce newer kernels being on the system prior to updates, resulting in unbootable systems if kernels are not available.

Requires the grub2-unsigned >= 2.04-1ubuntu47.4, >= 2.06-2ubuntu10 to be published to security and on each machine first too. Maybe should add Breaks to those (though you can set 'latest' policy and it would require upcoming grub uploads, so not _entirely_ useful).

Also breaks fwupd.

summary: - shim 15.6-0ubuntu1
+ shim 15.7-0ubuntu1
description: updated
description: updated
Revision history for this message
Julian Andres Klode (juliank) wrote :

I have verified so far:

1. shim -> grub -> shim -> grub netboot -> disk chainloading as MAAS does
2. fwupd on all releases in VM that it starts, and on real hardware updated my firmware

Haven't tested mokutil yet, or chainloading to a different distro or windows.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

Changed in shim (Ubuntu):
status: New → Fix Released
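The SBAT policy strings in the changelog above (latest="shim,2\ngrub,3\n", previous="grub,2\n") are what shim compares against the .sbat section of every binary it loads, which is why the grub2-unsigned versions named in the bug description have to be on disk before the new shim is. The following is an added example, not code from shim or from the Ubuntu shim package, that reproduces that comparison in Python. The policy lines are the ones quoted in the changelog with a constructed "sbat,1,<date>" header; the .sbat section contents, version strings and the "shim 15.7" entry are constructed sample input.

```python
"""Check a binary's SBAT entries against a shim SBAT revocation policy.

Added example; this is not code from shim or from the Ubuntu shim package.
It models the rule shim applies: the policy (the SbatLevel UEFI variable) is
CSV lines of "component,generation"; a binary's .sbat section is CSV lines of
"component,generation,vendor,package,version,url".  A binary is refused when
any component it names appears in the policy with a higher generation than
the binary advertises.  Components the binary does not name are not checked.
"""
import csv
from io import StringIO
from typing import Dict, List


def parse_sbat(text: str) -> Dict[str, int]:
    """Map component name -> generation.  Blank lines are skipped."""
    gens: Dict[str, int] = {}
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        if len(row) < 2 or not row[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {row!r}")
        name, gen = row[0].strip(), int(row[1])
        # If a component is listed twice, the lowest generation is what counts.
        gens[name] = min(gen, gens.get(name, gen))
    return gens


def sbat_violations(binary_sbat: str, policy: str) -> List[str]:
    """Return the components that would make shim refuse to load the binary."""
    have = parse_sbat(binary_sbat)
    need = parse_sbat(policy)
    return sorted(c for c, g in need.items() if c in have and have[c] < g)


# Policies quoted in the shim 15.7 changelog.  The leading "sbat,1,<date>"
# line that a real SbatLevel variable carries is constructed here.
PREVIOUS_POLICY = "sbat,1,2022010100\ngrub,2\n"
LATEST_POLICY = "sbat,1,2022010100\nshim,2\ngrub,3\n"

# Constructed .sbat sections, of the kind
# `objcopy -O binary -j .sbat grubx64.efi sbat.csv` extracts, for a grub still
# at generation 2 and for one rebuilt at generation 3.  Version strings are
# sample values.
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu9,https://www.ubuntu.com/\n"
)
NEW_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.ubuntu,1,Ubuntu,grub2,2.06-2ubuntu10,https://www.ubuntu.com/\n"
)
# A shim at generation 3, as 15.7 declares; the "shim,2" policy line does not block it.
SHIM_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "shim,3,UEFI shim,shim,15.7,https://github.com/rhboot/shim\n"
)


def report(sbat: str) -> Dict[str, List[str]]:
    """Evaluate one binary against both policies, as a pre-update check would."""
    return {
        "previous": sbat_violations(sbat, PREVIOUS_POLICY),
        "latest": sbat_violations(sbat, LATEST_POLICY),
    }


if __name__ == "__main__":
    for label, sbat in [("old grub", OLD_GRUB_SBAT),
                        ("new grub", NEW_GRUB_SBAT),
                        ("shim 15.7", SHIM_SBAT)]:
        print(label, report(sbat))
```

The old grub passes the previous policy and fails the latest one on the grub component only; the rebuilt grub and shim 15.7 pass both. Running this over every bootloader an image ships, before the shim that carries the new policy is installed, is the check the "[Where problems could occur]" section is asking for.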
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted shim into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.52 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu):
status: New → Fix Released
Changed in shim (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Jammy):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.51.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Focal):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.8 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim/15.7-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Bionic):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (shim-signed/1.51.1)

All autopkgtests for the newly accepted shim-signed (1.51.1) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

edk2/2022.02-3ubuntu0.22.04.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#shim-signed

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

tags: added: block-proposed-lunar
Changed in shim (Ubuntu):
status: Fix Released → Fix Committed
Changed in shim-signed (Ubuntu):
status: Fix Released → Fix Committed
Changed in shim (Ubuntu):
status: Fix Committed → In Progress
Changed in shim-signed (Ubuntu):
status: Fix Committed → In Progress
Revision history for this message
dann frazier (dannf) wrote :

Failing jammy verification due to bug 2004201

tags: added: verification-failed-jammy
removed: verification-needed-jammy
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted shim-signed into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.54 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Kinetic):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.51.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-jammy
removed: verification-failed-jammy
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.40.9 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.13 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote :

shim-signed 1.54 seems to cause autopkgtest regressions in lunar on arm64.

https://people.canonical.com/~ubuntu-archive/proposed-migration/update_excuses.html#shim-signed

From log:
Installing new version of config file /etc/kernel/postinst.d/zz-shim ...
update-alternatives: error: alternative link /usr/lib/shim/shimaa64.efi.signed is already managed by shimx64.efi.signed
dpkg: error processing package shim-signed (--configure):

Revision history for this message
Steve Langasek (vorlon) wrote : Re: [Bug 1996503] Re: shim 15.7-0ubuntu1

On Wed, Feb 01, 2023 at 01:10:46PM -0000, Gunnar Hjalmarsson wrote:
> shim-signed 1.54 seems to cause autopkgtest regressions in lunar on
> arm64.

This is caused by the bugs in 1.52 which was briefly in lunar release but
shouldn't have been, and 1.54 doesn't fix up the mess that 1.52 made. This
has been addressed by respinning the lunar/arm64 base images for
autopkgtest, so retrying all of these failed arm64 tests should now work.
(These retries are being scheduled centrally.)

Revision history for this message
Gunnar Hjalmarsson (gunnarhj) wrote:

Thanks Steve! I just submitted a retry of openjdk-8 with fontconfig as trigger (which is the reason I'm here...).

Revision history for this message
Julian Andres Klode (juliank) wrote:

verification done for kinetic in 1.54+15.7-0ubuntu1

tags: added: verification-done-kinetic
removed: verification-needed-kinetic
tags: added: block-proposed-kinetic
Revision history for this message
Julian Andres Klode (juliank) wrote :

verification done for jammy 1.51.3+15.7-0ubuntu1

tags: added: block-proposed-jammy verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Julian Andres Klode (juliank) wrote :

verification done for focal shim-signed (1.40.9+15.7-0ubuntu1).

tags: added: block-proposed-focal verification-done-focal
removed: verification-needed-focal
Revision history for this message
Julian Andres Klode (juliank) wrote :

verification done for bionic shim-signed (1.37~18.04.13+15.7-0ubuntu1)

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
tags: added: block-proposed-bionic
Revision history for this message
Julian Andres Klode (juliank) wrote:

All verifications done, but please note that releasing the shim is subject to kernels being available, otherwise we end up with unbootable images (as images are always built using the latest shim, not subject to the mitigation mechanism, as they don't pretend to be built in a securely booted environment while building).

Revision history for this message
Julian Andres Klode (juliank) wrote :

Removing blocks as the kernels have been released.

tags: removed: block-proposed-bionic block-proposed-focal block-proposed-jammy block-proposed-kinetic block-proposed-lunar
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.7-0ubuntu1

Changed in shim (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.54

---------------
shim-signed (1.54) kinetic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.52) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

Changed in shim-signed (Ubuntu Kinetic):
status: Fix Committed → Fix Released
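The 1.52 changelog entry above, together with the "[Where problems could occur]" section of the bug description, describes the mitigation for the vendor dbx revoking every earlier Canonical signing certificate: both shims are installed as alternatives and the previous one stays in use while the running kernel, or any newer installed kernel, is still signed with a revoked key. The following is an added example, not the shim-signed package's own maintainer scripts, that encodes that decision in Python. The revoked CN list is the one from the shim 15.7-0ubuntu1 changelog; the kernel inventory, the "(2022 v1)" stand-in for a non-revoked key, and the idea of reading the signer CN with `sbverify --list` are assumptions made for the example.

```python
"""Decide whether the latest shim can be booted or the previous one must stay.

Added example; not the shim-signed package's own maintainer scripts.  It
encodes the rule from the shim-signed 1.52 changelog: when the running kernel,
or any newer installed kernel, is signed with a certificate that the new
shim's vendor dbx revokes, keep booting through the previous shim; switch to
the latest shim only once the running kernel and all newer ones carry a
signature from a non-revoked key.
"""
import re
from typing import Dict, List, Tuple

# Certificates revoked by the 20221103 Canonical vendor dbx (listed in the
# shim 15.7-0ubuntu1 changelog).
REVOKED_CNS = frozenset({
    "Canonical Ltd. Secure Boot Signing",
    "Canonical Ltd. Secure Boot Signing (2017)",
    "Canonical Ltd. Secure Boot Signing (ESM 2018)",
    "Canonical Ltd. Secure Boot Signing (2019)",
    "Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)",
    "Canonical Ltd. Secure Boot Signing (2021 v1)",
    "Canonical Ltd. Secure Boot Signing (2021 v2)",
    "Canonical Ltd. Secure Boot Signing (2021 v3)",
})

# "5.15.0-60-generic": upstream version, ABI number, optional flavour suffix.
_ABI_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:-[\w.]+)?$")


def kernel_abi(version: str) -> Tuple[int, ...]:
    """'5.15.0-60-generic' -> (5, 15, 0, 60), so 'newer' is numeric, not lexical."""
    m = _ABI_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    return tuple(int(x) for x in m.groups())


def choose_shim(running: str, signers: Dict[str, str],
                revoked=REVOKED_CNS) -> Tuple[str, List[str]]:
    """Return ("latest" or "previous", kernels that force "previous").

    `signers` maps each installed kernel version to the CN of the certificate
    that signed its image (in practice read from the image's Authenticode
    signature, for instance with `sbverify --list`; an assumption of this
    example).  Kernels older than the running one are ignored: they will not
    boot through the new shim, but the rule only protects the kernel in use
    and anything newer.
    """
    if running not in signers:
        raise ValueError(f"running kernel {running!r} has no installed image to check")
    cur = kernel_abi(running)
    blocking = sorted(
        (v for v, cn in signers.items() if kernel_abi(v) >= cur and cn in revoked),
        key=kernel_abi,
    )
    return ("previous" if blocking else "latest"), blocking


# Constructed inventory: which certificate signed each installed kernel.
# "(2022 v1)" stands in for a key that the vendor dbx does not revoke.
INSTALLED = {
    "5.15.0-56-generic": "Canonical Ltd. Secure Boot Signing (2021 v3)",
    "5.15.0-58-generic": "Canonical Ltd. Secure Boot Signing (2021 v3)",
    "5.15.0-60-generic": "Canonical Ltd. Secure Boot Signing (2022 v1)",
}

if __name__ == "__main__":
    for running in INSTALLED:
        print(running, "->", choose_shim(running, INSTALLED))
```

With this inventory the machine keeps the previous shim while it runs either 2021 v3 kernel and may switch to the latest shim once it is running 5.15.0-60, the first kernel signed with a non-revoked key. That is the ordering Julian's later comments enforce at archive level by holding the shim SRUs behind the kernel releases.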
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for shim has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.7-0ubuntu1

Changed in shim (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.51.3

---------------
shim-signed (1.51.3) jammy; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.51.1) jammy; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

Changed in shim-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.7-0ubuntu1

Changed in shim (Ubuntu Focal):
status: Fix Committed → Fix Released
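The SBAT policy strings quoted in the changelog above ("previous" and "latest") decide which bootloaders shim will still execute once the SbatLevel variable is applied. As an added example, not shim's or shim-signed's own code, the Python below models that generation check; the policies are the two from the changelog, and the grub `.sbat` rows for the two hypothetical images are constructed.

```python
# Added example (not shim's own code): model the SBAT generation check that
# shim applies from its SbatLevel variable. Every SBAT row is CSV and only the
# first two fields matter here: component name and component generation. A
# policy row revokes an image when the image carries that component at a
# generation lower than the one the policy requires.

SBAT_HEADER = "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"

# Policies exactly as quoted in the changelog above (header row omitted there).
PREVIOUS_POLICY = "grub,2\n"
LATEST_POLICY = "shim,2\ngrub,3\n"

# Constructed .sbat contents for two hypothetical grub builds (not real rows).
GRUB_GEN2 = SBAT_HEADER + "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
GRUB_GEN3 = SBAT_HEADER + "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"


def parse_sbat(text: str) -> dict[str, int]:
    """Map component name -> generation from SBAT CSV rows.

    The remaining vendor fields are informational and ignored; a row
    without a numeric generation is malformed and raises ValueError."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) < 2 or not fields[1].strip().isdigit():
            raise ValueError(f"malformed SBAT row: {line!r}")
        entries[fields[0].strip()] = int(fields[1])
    return entries


def revoked_by(policy_text: str, image_sbat: str) -> list[tuple[str, int, int]]:
    """Return (component, image_generation, required_generation) for each
    policy row that revokes the image; an empty list means the image passes.
    Policy rows naming components the image does not carry do not apply."""
    policy = parse_sbat(policy_text)
    image = parse_sbat(image_sbat)
    return [(name, image[name], need) for name, need in policy.items()
            if name in image and image[name] < need]


if __name__ == "__main__":
    for label, policy in (("previous", PREVIOUS_POLICY), ("latest", LATEST_POLICY)):
        for image_name, image in (("grub gen 2", GRUB_GEN2), ("grub gen 3", GRUB_GEN3)):
            hits = revoked_by(policy, image)
            print(f"{label:8s} {image_name}: {'REVOKED ' + str(hits) if hits else 'allowed'}")
```

A grub at generation 2 passes the "previous" policy but is revoked under "latest", which is why the changelog pairs the policy bump with newer grub dependencies.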
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.40.9

---------------
shim-signed (1.40.9) focal; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.40.8) focal; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

Changed in shim-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
tags: added: block-proposed-bionic block-proposed-focal block-proposed-jammy
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

All jammy kernels are signed with new keys and are in security pocket, or they have their own pinned copy of old shim.

Please resume phasing shim/shim-signed in jammy-updates.

block-proposed-jammy removed.

tags: removed: block-proposed-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.54

---------------
shim-signed (1.54) kinetic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.52) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

Changed in shim-signed (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.7-0ubuntu1

Changed in shim (Ubuntu):
status: In Progress → Fix Released
dann frazier (dannf)
Changed in shim-signed (Ubuntu Focal):
status: Fix Released → Fix Committed
Changed in shim (Ubuntu Focal):
status: Fix Released → Fix Committed
tags: added: block-proposed-lunar
Steve Langasek (vorlon)
tags: added: block-proposed
Steve Langasek (vorlon)
Changed in shim (Ubuntu):
status: Fix Released → Fix Committed
Changed in shim-signed (Ubuntu):
status: Fix Released → Fix Committed
Changed in shim (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
Changed in shim (Ubuntu):
status: Fix Released → Fix Committed
Steve Langasek (vorlon)
tags: removed: block-proposed
Changed in shim (Ubuntu):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
Changed in shim (Ubuntu):
status: Fix Released → Fix Committed
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

All focal kernels are good, thus we can release this in focal.
Removing block-proposed-focal.

tags: removed: block-proposed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.7-0ubuntu1

Changed in shim (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.40.9

Changed in shim-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Removing block-proposed-lunar, all signed kernels are at v6.2 in lunar-release now.

tags: removed: block-proposed-lunar
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.54

Changed in shim-signed (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello! As we're working on getting bionic migrated to ESM (and closing the archive as part of the usual EOL), I noticed this upload still has 'block-proposed-bionic'. Is there any reason not to release this for bionic?

Revision history for this message
Julian Andres Klode (juliank) wrote :

We're waiting for kernels and the fwupd, fwupd-efi, fwupd-signed SRUs that have been stuck in signing for a couple months.

Revision history for this message
Steve Langasek (vorlon) wrote :

Kernels, fwupd-efi+fwupd-signed, and mokutil have all been released now to bionic. Removing the block-proposed-bionic tag and releasing these SRUs.

tags: removed: block-proposed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim - 15.7-0ubuntu1

Changed in shim (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.13

---------------
shim-signed (1.37~18.04.13) bionic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.37~18.04.12) bionic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <email address hidden> Tue, 31 Jan 2023 12:57:37 +0100

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released