Bug#990447: Similar problems

2023-02-02 Thread Phil Dibowitz

On 2/1/23 23:31, Pascal Hambourg wrote:
> On 02/02/2023 at 00:33, Phil Dibowitz wrote:
> > And I've run `grub-install` with my EFI dir mounted. What's
> > interesting is the version in EFI is different than the version staged
> > by the package:
> >
> > ```
> > # sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
> > 47979   918 /usr/lib/shim/shimx64.efi
> > 36147   913 /boot/EFI/EFI/debian/shimx64.efi
> > ```
>
> You must compare with /usr/lib/shim/shimx64.efi.signed from shim-signed.


Ah, thanks. At least I know I did the grub-install right:

```
$ sum /usr/lib/shim/shimx64.efi.signed /boot/EFI/EFI/debian/shimx64.efi
36147   913 /usr/lib/shim/shimx64.efi.signed
36147   913 /boot/EFI/EFI/debian/shimx64.efi
```

So I guess that means that the shimx64.efi that's distributed with 
shim-signed is, in fact, vulnerable, as proposed in the original bug.


Any timeline on updating it?

--
Phil Dibowitz p...@ipom.com
Open Source software and tech docs      Insanity Palace of Metallica
http://www.phildev.net/   http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't
 matter and those who matter don't mind."
 - Dr. Seuss



Bug#990447: Similar problems

2023-02-01 Thread Pascal Hambourg

On 02/02/2023 at 00:33, Phil Dibowitz wrote:
> And I've run `grub-install` with my EFI dir mounted. What's interesting
> is the version in EFI is different than the version staged by the package:
>
> ```
> # sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
> 47979   918 /usr/lib/shim/shimx64.efi
> 36147   913 /boot/EFI/EFI/debian/shimx64.efi
> ```

You must compare with /usr/lib/shim/shimx64.efi.signed from shim-signed.



Bug#990447: Similar problems

2023-02-01 Thread Phil Dibowitz

I'm also unable to update to the latest uefi-dbx:

```
$ fwupdmgr update
...
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/EFI/EFI/debian/shimx64.efi Authenticode checksum [af79b14064601bc0987d4747af1e914a228c05d622ceda03b7a4f67014fee767] is present in dbx
```

I am on the latest shims though:

```
root@rider:/boot/EFI/EFI/debian# dpkg -l | awk '/ shim/ {print $1" "$2"\t\t"$3}'
ii node-set-immediate-shim        2.0.0-2
ii shim-helpers-amd64-signed      1+15.6+1
ii shim-signed:amd64              1.38+15.4-7
ii shim-signed-common             1.38+15.4-7
ii shim-unsigned                  15.7-1
```

And I've run `grub-install` with my EFI dir mounted. What's interesting 
is the version in EFI is different than the version staged by the package:


```
# sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
47979   918 /usr/lib/shim/shimx64.efi
36147   913 /boot/EFI/EFI/debian/shimx64.efi
```

I even explicitly ran it with `--uefi-secure-boot` to ensure it installs 
the shim binary.


--
Phil Dibowitz p...@ipom.com
Open Source software and tech docs      Insanity Palace of Metallica
http://www.phildev.net/   http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't
 matter and those who matter don't mind."
 - Dr. Seuss
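
Added example, not part of any message in this thread and not fwupd or Debian code: the value fwupdmgr reports is an Authenticode digest, which, unlike `sum` or a plain file hash, skips the PE CheckSum field, the certificate-table directory entry and the attached signature, and it is that digest that dbx hash entries match. The Python below computes it following the standard Authenticode PE hashing procedure; `constructed_image` is a synthetic PE32+ invented for the example, and the code assumes a well-formed image that has a certificate-table directory entry.

```python
import hashlib
import struct
import sys

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest (hex) of a PE/COFF image such as shimx64.efi."""
    pe_off = int.from_bytes(pe[0x3C:0x40], "little")
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    opt = pe_off + 24                                   # optional header start
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                 # CheckSum field (4 bytes)
    # Data directory 4 (certificate table); assumed present, as in EFI binaries.
    certdir = opt + (96 if magic == 0x10B else 112) + 4 * 8
    (hdr_size,) = struct.unpack_from("<I", pe, opt + 60)  # SizeOfHeaders
    _cert_off, cert_size = struct.unpack_from("<II", pe, certdir)
    h = hashlib.sha256()
    # Headers, minus CheckSum and the certificate-table directory entry.
    h.update(pe[:checksum] + pe[checksum + 4:certdir] + pe[certdir + 8:hdr_size])
    table = opt + opt_size                              # section table start
    sections = [struct.unpack_from("<II", pe, table + 40 * i + 16) for i in range(n_sections)]
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):  # by file offset
        h.update(pe[raw_ptr:raw_ptr + raw_size])
    hashed = hdr_size + sum(size for size, _ in sections)
    # Trailing data, excluding the attached signature blob itself.
    h.update(pe[hashed:len(pe) - cert_size])
    return h.hexdigest()

def constructed_image(signature: bytes = b"") -> bytes:
    """Minimal synthetic PE32+ built for this example (not a real shim)."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 60, 0x200)              # SizeOfHeaders
    if signature:                                       # fields that signing rewrites
        struct.pack_into("<I", opt, 64, 0x1234)         # CheckSum
        struct.pack_into("<II", opt, 144, 0x400, len(signature))
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0) + bytes(opt)
    hdr += b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    return hdr.ljust(0x200, b"\0") + bytes(range(256)) * 2 + signature

if __name__ == "__main__":
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [
        constructed_image(), constructed_image(b"\x01" * 64)]
    for data in blobs:
        print(authenticode_sha256(data), hashlib.sha256(data).hexdigest())
```

Run it with `/boot/EFI/EFI/debian/shimx64.efi` and `/usr/lib/shim/shimx64.efi.signed` as arguments to print each file's Authenticode digest next to its plain SHA-256. The first column is the value to compare with the checksum in the fwupdmgr message.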