[Bug 2045552] Re: nullboot 0.5.0: shim 15.7-0ubuntu1 update
Hello Julian, or anyone else affected,

Accepted nullboot into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/nullboot/0.5.0-0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: nullboot (Ubuntu Jammy)
       Status: New => Fix Committed

** Tags added: verification-needed verification-needed-jammy

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2045552

Title:
  nullboot 0.5.0: shim 15.7-0ubuntu1 update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nullboot/+bug/2045552/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2045552] Re: nullboot 0.5.0: shim 15.7-0ubuntu1 update
It's not entirely clear to me what the scope of possible failures is here:

* failure to boot is a pleasantly obvious failure mode, but is this influenced by user configuration, or does it booting *anywhere* mean it will boot *everywhere*?

To the extent relevant here, being a regression, I don't see how it could fail to boot on some but not on others. The only user configuration you have is kernel commandline, if it boots with the old nullboot it boots with the new one.

> * My understanding of the TPM stack is limited, but my understanding is that if it boots *at all* then it must have booted an expected image - is this correct, or should we also be testing that the update correctly *fails* to boot unexpected images?

Well... it boots what it has sealed. But you could replace the image with a fresh one which hasn't been encrypted yet I suppose and that would boot. But you could not boot another encrypted fs. Trying to avoid image here.

And to clarify:

> Double check bios_measurements_log to ensure that the newly updated shim was
> used for boot
> (https://github.com/canonical/tcglog-parser/tree/master/tcglog-dump can be
> used to extract checksum of the shim binary used at boot and compared to the
> one shipped in nullboot)
>
> From package contents I assume you'd be checking against the checksum of /usr/lib/nullboot/shim/shimx64.efi.signed, but what checksum algorithm?

Whatever your tcglog says?