Backport shim 15+1533136590.3beb971-0ubuntu1 to all supported releases

Bug #1790724 reported by Mathieu Trudel-Lapierre
This bug affects 1 person

Affects                 Status         Importance  Assigned to  Milestone
shim (Ubuntu)           Fix Released   Undecided   Unassigned
  Trusty                New            Undecided   Unassigned
  Xenial                Fix Committed  Undecided   Unassigned
  Bionic                Fix Released   Undecided   Unassigned
  Cosmic                Fix Released   Undecided   Unassigned
shim-signed (Ubuntu)    Fix Released   Undecided   Unassigned
  Trusty                New            Undecided   Unassigned
  Xenial                Fix Released   Undecided   Unassigned
  Bionic                Fix Released   Undecided   Unassigned
  Cosmic                Fix Released   Undecided   Unassigned

Bug Description

[Impact]
All UEFI users.

[Test case]

Verify that LP: #1792575 in grub has been fixed first for the corresponding release.
== shim ==
1) Enable Secure Boot in firmware.
2) Update to new shim and shim-signed packages (shim 15+, shim-signed 1.37~)
3) Validate that the system still boots and validates the shim image as well as the grub binary.

== MokManager ==
0) Generate a new self-signed certificate. You can use "sudo update-secureboot-policy --new-mok" for that purpose, the DER file will be in /var/lib/shim-signed/mok.
1) Run 'sudo mokutil --enable-validation'
2) Follow prompts on screen to enable validation if applicable.
3) Run 'sudo mokutil --import <certificate.der>'
4) Follow the prompts on screen to import a new certificate.
5) Reboot
6) Follow prompts to import the new certificate and enable validation.
7) Validate that the system boots all the way to userland.
8) Verify that the certificate has been correctly imported, it should be listed in the output of 'sudo mokutil --list-enrolled'.

== mokutil ==
1) Run 'sudo mokutil --timeout 14' (or any other arbitrary value).
2) follow the steps for MokManager tests above.
3) Validate that the MokManager prompt happens and shows a timeout appropriate for the timeout value set using the mokutil command.

Also validate 'mokutil --timeout -1' works correctly, where the MokManager never times out.

[Regression potential]
Possible regressions might include failure to load shim or MokManager, or failure to validate an EFI binary (which usually translates into a Security Violation message). Any such issues should be investigated as possible regressions caused by this update.

---

Backport shim to all supported releases of Ubuntu.

Include mokutil changes to support new timeout feature.

Mathieu Trudel-Lapierre (cyphermox) wrote :

shim and shim-signed 15 / 1.37 are already in Cosmic.

Changed in shim (Ubuntu Cosmic):
status: New → Fix Released
Changed in shim-signed (Ubuntu Cosmic):
status: New → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Steve Langasek (vorlon)
Changed in shim (Ubuntu Bionic):
status: New → Fix Committed
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done for shim, shim-signed on bionic:

shim 15+1533136590.3beb971-0ubuntu1
shim-signed 1.37~18.04.1+15+1533136590.3beb971-0ubuntu1

System is booting as expected with the new shim, and mokutil allows for importing a certificate and enabling validation at the same time (or any multiple actions in MokManager).

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.1

---------------
shim-signed (1.37~18.04.1) bionic; urgency=medium

  * Backport shim-signed 1.37 to Ubuntu 18.04. (LP: #1790724)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 04 Sep 2018 17:02:59 -0400

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote :

This SRU has been rolled back due to functional regressions that have been reported when chainloading from shim 15 to shim 13 in MAAS. Investigation is ongoing.

Changed in shim-signed (Ubuntu Bionic):
status: Fix Released → Fix Committed
tags: added: verification-failed verification-failed-bionic
removed: verification-done-bionic verification-needed
Steve Langasek (vorlon) wrote :
Steve Langasek (vorlon) wrote :

sorry, https://bugs.launchpad.net/maas/+bug/1711203 is not the right bug for this regression.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Not a regression in shim -- shim is doing what it should, but exposes an actual latent bug in the grub2 EFI patchset. This is still in progress.

Steve Langasek (vorlon) wrote :

Re-release of this SRU is currently blocked on resolution of LP: #1792575 in grub2.

Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-bionic
removed: verification-failed verification-failed-bionic
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done with shim 15+1533136590.3beb971-0ubuntu1 / shim-signed 1.37~18.04.2:

I have verified that the system boots correctly, can chainload to Windows 10, and that common tasks for mokutil (setting timeout, enrolling a key, toggling validation) are working as expected.

Marking verification-done.

description: updated
tags: added: verification-done-bionic
removed: verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.2

---------------
shim-signed (1.37~18.04.2) bionic; urgency=medium

  * debian/control: add Breaks: grub-efi-amd64-signed (<< 1.93.7), as the new
    version of shim exercises a bug in relocation code for chainload that was
    fixed in that upload of grub, affecting Windows 7, Windows 10, and some
    netboot scenarios where chainloading is required. (LP: #1792575)

shim-signed (1.37~18.04.1) bionic; urgency=medium

  * Backport shim-signed 1.37 to Ubuntu 18.04. (LP: #1790724)

shim-signed (1.37) cosmic; urgency=medium

  * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
  * debian/real-po: replace debian/po to make sure things are translatable
    via Launchpad.

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 28 Sep 2018 11:02:56 -0400

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
tags: added: id-5b36ccda18d5e26eda679909
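The script below is an added example; it is not part of this bug report nor of the shim, shim-signed or mokutil packages. It drives the [Test case] steps from the description (MokManager enrollment, the mokutil timeout, and the post-reboot checks that Secure Boot is on and the new MOK is enrolled) and adds the preflight this changelog entry implies: a Xenial or Bionic system should not be called verified while its signed grub is below the 1.93.7 floor named in the Breaks line, because shim 15 exercises the chainload relocation bug fixed there. Assumptions not taken from the page: the MOK written by update-secureboot-policy is /var/lib/shim-signed/mok/MOK.der, the ESP is mounted at /boot/efi with the binaries under EFI/ubuntu, sbverify from sbsigntool is installed to list Authenticode signatures, and the floor for another release (for xenial, the grub2 2.02~beta2-36ubuntu3.20 Depends) is passed in via MIN_GRUB and GRUB_PKG rather than hard-coded.

```shell
#!/bin/sh
# mok-sru-verify.sh: added example for the shim 15 SRU test case. Not the
# bug reporter's script and not shipped by shim-signed or mokutil.
# Assumptions (not from the bug report): MOK path, ESP path, sbverify from
# sbsigntool, and the bionic grub floor from the Breaks line as default.
set -eu

MOK_DER=${MOK_DER:-/var/lib/shim-signed/mok/MOK.der}
ESP_DIR=${ESP_DIR:-/boot/efi/EFI/ubuntu}
GRUB_PKG=${GRUB_PKG:-grub-efi-amd64-signed}
MIN_GRUB=${MIN_GRUB:-1.93.7}       # Breaks: grub-efi-amd64-signed (<< 1.93.7)
MOK_TIMEOUT=${MOK_TIMEOUT:-14}     # seconds for MokManager, -1 = never

# True when the text of `mokutil --sb-state` reports firmware Secure Boot on.
sb_enabled() {
    case "$1" in
        *"SecureBoot enabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-1 fingerprint of a DER certificate as 40 lower-case hex digits.
cert_sha1() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# True when the text of `mokutil --list-enrolled` ($1) has a
# "SHA1 Fingerprint:" line matching fingerprint $2 (40 lower-case hex digits).
# "MokListRT is empty" and any unrelated key simply fail to match.
cert_enrolled() {
    printf '%s\n' "$1" | grep -i 'SHA1 Fingerprint' | tr -d ': ' \
        | tr 'A-F' 'a-f' | grep -q "$2"
}

# True when installed version $1 is at or above floor $2 in Debian ordering
# (so 1.93.7 passes, 1.93.6 fails; "~" sorts before everything as in dpkg).
grub_version_ok() {
    dpkg --compare-versions "$1" ge "$2"
}

# Before the reboot: MokManager steps 0-4 plus the mokutil timeout step.
# mokutil prompts interactively for the one-time MOK password.
live_enroll() {
    update-secureboot-policy --new-mok
    mokutil --timeout "$MOK_TIMEOUT"
    mokutil --enable-validation || true   # exit status ignored if already on
    mokutil --import "$MOK_DER"
    echo "Reboot now; MokManager should honour timeout ${MOK_TIMEOUT} (-1 = never)."
}

# After the reboot: steps 7-8, the shim/grub signature listing for the
# "validates the shim image as well as the grub binary" check, and the
# grub floor preflight from the changelog's Breaks line.
live_verify() {
    sb_enabled "$(mokutil --sb-state)" || { echo "Secure Boot is off"; return 1; }
    fp=$(cert_sha1 "$MOK_DER")
    cert_enrolled "$(mokutil --list-enrolled)" "$fp" \
        || { echo "MOK $fp is not in MokListRT"; return 1; }
    for bin in shimx64.efi grubx64.efi; do
        echo "== $bin signatures =="; sbverify --list "$ESP_DIR/$bin"
    done
    grub=$(dpkg-query -W -f='${Version}' "$GRUB_PKG")
    grub_version_ok "$grub" "$MIN_GRUB" \
        || { echo "$GRUB_PKG $grub < $MIN_GRUB: chainload regression risk"; return 1; }
    dmesg | grep -i 'secure boot' || true
    echo "OK: Secure Boot on, MOK $fp enrolled, $GRUB_PKG $grub >= $MIN_GRUB"
}

# Run as root: MOK_VERIFY=enroll ./mok-sru-verify.sh, reboot, then
# MOK_VERIFY=check ./mok-sru-verify.sh. With MOK_VERIFY unset nothing touches
# the firmware, so the parsing helpers above can be exercised offline.
case "${MOK_VERIFY:-}" in
    enroll) live_enroll ;;
    check)  live_verify ;;
esac
```

The helpers take the tool output as text rather than calling mokutil themselves, so the fingerprint and state parsing can be checked on a machine without EFI variables; only the two live_* functions need a Secure Boot system and root.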
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification done on xenial:

ii shim 15+1533136590.3beb971-0ubuntu1
ii shim-signed 1.33.1~16.04.2+15+1533136590.3beb971-0ubuntu1

Verified that shim + shim-signed boot normally on a Xenial system. Timeout can be set (using a newer mokutil than is available on xenial), and certificates can be imported successfully.

tags: added: verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.2

---------------
shim-signed (1.33.1~16.04.2) xenial; urgency=medium

  * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
    (LP: #1790724)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 05 Sep 2018 11:23:24 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in shim (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in shim (Ubuntu Xenial):
status: New → Fix Released
Steve Langasek (vorlon) wrote :

this has been temporarily rolled back from xenial because of the need for a matching grub update first.

Changed in shim (Ubuntu Xenial):
status: Fix Released → In Progress
status: In Progress → Fix Committed
Changed in shim-signed (Ubuntu Xenial):
status: Fix Released → Fix Committed
Steve Langasek (vorlon) wrote :

The blocking bug is LP: #1792575.

description: updated
tags: added: verification-failed-xenial
removed: verification-done-xenial
Brian Murray (brian-murray) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-xenial
removed: verification-failed-xenial
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification done on xenial:

ii shim 15+1533136590.3beb971-0ubuntu1
ii shim-signed 1.33.1~16.04.2+15+1533136590.3beb971-0ubuntu1

Verified that shim + shim-signed boot normally on a Xenial system. Timeout can be set (using a newer mokutil than is available on xenial), and certificates can be imported successfully.

tags: added: verification-done-xenial
removed: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hey! Is this a typo that the version number of shim-signed is 1.33.1~16.04.2+15+1533136590.3beb971-0ubuntu1 ? I'd expect it to be 16.04.3 instead of 16.04.2. Could you just please confirm that the right version was tested?

Mathieu Trudel-Lapierre (cyphermox) wrote :

It is indeed a typo. I copy-pasted the previous comment about verification (since it was the exact same thing), but indeed verified with 1.33.1~16.04.3+15+1533136590.3beb971-0ubuntu1, which includes the added depends for grub2.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.3

---------------
shim-signed (1.33.1~16.04.3) xenial; urgency=medium

  * debian/control: Depends: on grub2 2.02~beta2-36ubuntu3.20 to ensure shim
    cannot be installed without the new grub2 version that fixes chainloading
    issues. (LP: #1792575)

shim-signed (1.33.1~16.04.2) xenial; urgency=medium

  * Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
    (LP: #1790724)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 11 Dec 2018 15:37:58 -0500

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released