Bug#990447: Similar problems
On 2/1/23 23:31, Pascal Hambourg wrote:
> On 02/02/2023 at 00:33, Phil Dibowitz wrote:
>> And I've run `grub-install` with my EFI dir mounted. What's interesting is the version in EFI is different than the version staged by the package:
>>
>> ```
>> # sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
>> 47979 918 /usr/lib/shim/shimx64.efi
>> 36147 913 /boot/EFI/EFI/debian/shimx64.efi
>> ```
>
> You must compare with /usr/lib/shim/shimx64.efi.signed from shim-signed.

Ah, thanks. At least I know I did the grub-install right:

```
$ sum /usr/lib/shim/shimx64.efi.signed /boot/EFI/EFI/debian/shimx64.efi
36147 913 /usr/lib/shim/shimx64.efi.signed
36147 913 /boot/EFI/EFI/debian/shimx64.efi
```

So I guess that means that the shimx64.efi that's distributed with shim-signed is, in fact, vulnerable, as proposed in the original bug.

Any timeline on updating it?

--
Phil Dibowitz p...@ipom.com
Open Source software and tech docs    Insanity Palace of Metallica
http://www.phildev.net/               http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind." - Dr. Seuss
Bug#990447: Similar problems
On 02/02/2023 at 00:33, Phil Dibowitz wrote:
> And I've run `grub-install` with my EFI dir mounted. What's interesting is the version in EFI is different than the version staged by the package:
>
> ```
> # sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
> 47979 918 /usr/lib/shim/shimx64.efi
> 36147 913 /boot/EFI/EFI/debian/shimx64.efi
> ```

You must compare with /usr/lib/shim/shimx64.efi.signed from shim-signed.
Bug#990447: Similar problems
I'm also unable to update to the latest uefi-dbx:

```
$ fwupdmgr update
...
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/EFI/EFI/debian/shimx64.efi Authenticode checksum [af79b14064601bc0987d4747af1e914a228c05d622ceda03b7a4f67014fee767] is present in dbx
```

I am on the latest shims though:

```
root@rider:/boot/EFI/EFI/debian# dpkg -l | awk '/ shim/ {print $1" "$2"\t\t"$3}'
ii node-set-immediate-shim		2.0.0-2
ii shim-helpers-amd64-signed		1+15.6+1
ii shim-signed:amd64		1.38+15.4-7
ii shim-signed-common		1.38+15.4-7
ii shim-unsigned		15.7-1
```

And I've run `grub-install` with my EFI dir mounted. What's interesting is the version in EFI is different than the version staged by the package:

```
# sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
47979 918 /usr/lib/shim/shimx64.efi
36147 913 /boot/EFI/EFI/debian/shimx64.efi
```

I even explicitly ran it with `--uefi-secure-boot` to ensure it installs the shim binary.

--
Phil Dibowitz p...@ipom.com
Open Source software and tech docs    Insanity Palace of Metallica
http://www.phildev.net/               http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind." - Dr. Seuss
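
The fwupdmgr message above quotes an Authenticode checksum: a SHA-256 over the PE image that skips the CheckSum field, the certificate-table directory entry and the appended signature, so it matches neither `sum` output nor a plain `sha256sum` of the file. The following is an added example, not part of the original thread and not fwupd's code, that computes this digest so a shim binary can be compared with the value in the message. It assumes the common layout where the signature table sits at the end of the file, and `constructed_image` is a made-up test skeleton, not a real shim.

```python
import hashlib
import struct
import sys

def authenticode_sha256(pe: bytes) -> str:
    """Authenticode SHA-256 of a PE image whose signature table is at EOF."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                        # optional header follows 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32
    checksum = opt + 64                      # CheckSum field: excluded from the digest
    cert_entry = dirs + 4 * 8                # data directory 4 (certificate table): excluded
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_entry)
    if cert_len and cert_off + cert_len != len(pe):
        raise ValueError("certificate table is not at end of file")
    end = cert_off if cert_len else len(pe)  # appended signature: excluded
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:cert_entry], pe[cert_entry + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def constructed_image(signed: bool, body: bytes = b"constructed body") -> bytes:
    """Constructed 512-byte PE32+ skeleton for testing; not a real shim."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x58, 0x20B)                # PE32+ magic
    img[0x100:0x100 + len(body)] = body
    if signed:
        struct.pack_into("<I", img, 0x58 + 64, 0xDEADBEEF)  # CheckSum
        struct.pack_into("<II", img, 0x58 + 144, 512, 16)   # certificate table entry
        img += b"S" * 16                                    # stand-in signature blob
    return bytes(img)

if __name__ == "__main__":
    # Pass one or more .efi paths; compare the output with the digest fwupdmgr prints.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(authenticode_sha256(f.read()), path)
```

Because the signature is excluded, the signed and unsigned builds of the same image share one digest, which is why a dbx entry blocks the binary regardless of who signed it.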