Public bug reported:

This is a meta-bug for backporting SecureBoot support from 13.10 for
12.04.4.  To fully update the SecureBoot stack for 12.04.4 and fix a
number of outstanding bugs, we will have to update a number of packages:

 - gnu-efi: update to upstream version 3.0u, so new upstream shim is
   buildable in precise.
 - sbsigntool: update the backport from 0.6-0ubuntu1 to 0.6-0ubuntu4, to
   include various fixes so build-time validation of shim-signed is
   possible (i.e., so recent shim-signed is buildable in precise).
 - shim: binary-copy of 0.4-0ubuntu4 from saucy, so we don't have to
   round-trip to Microsoft for a separate signature for each release of
   what should be functionally the same program
 - shim-signed: binary-copy of 1.4 from saucy (once shim 0.4-0ubuntu4 has
   been signed by Microsoft)

We should also backport grub2 support for generating signed netboot
images, but this can be handled as a separate bug report.

[Impact]
A number of OEM devices that ship with Secure Boot enabled are reported to not 
be able to boot 12.04.3, due to bugs in the pre-release version of shim 
included in that point release.  The only practical means of addressing this is 
by updating the related packages to the current versions; cherry-picking 
individual bugfixes is error-prone and time-consuming.  This will pull in some 
new features in addition to the bugfixes - such as netboot support - but this 
is also justifiable from a hardware-enablement perspective in the LTS.

[Test Case]
1. Rebuild all reverse-dependencies of gnu-efi in precise: refit, efilinux,
   elilo, shim, sbsigntool, and verify that they're buildable
2. Verify that the resulting shim binary build is functional by using it to
   boot a UEFI machine with and without SecureBoot enabled
3. Rebuild shim-signed from precise against the new sbsigntool, and verify
   it builds correctly
4. Rebuild shim-signed from precise-proposed against the new sbsigntool,
   and verify that it also builds correctly
5. Install linux-signed-generic-lts-raring from precise-updates and verify
   that it works with the new sbsigntool
6. Verify that linux-signed-lts-raring builds from source with the new
   sbsigntool

[Regression Potential]
This is a significant update to bootloader code which carries risk of 
regressing an unknown number of systems and rendering them unbootable.  This 
risk is mitigated by the fact that there have been no reports of regression 
with the new version of shim in saucy, and the plan is to do a binary copy so 
if it works in saucy it should work in precise.  There have also been multiple 
reports of machines successfully booting with shim 0.4 which failed with the 
earlier versions, making this worth the risk.

** Affects: gnu-efi (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: sbsigntool (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: gnu-efi (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: sbsigntool (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: shim (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: gnu-efi (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: sbsigntool (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: shim (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: gnu-efi (Ubuntu Raring)
     Importance: Undecided
         Status: New

** Affects: sbsigntool (Ubuntu Raring)
     Importance: Undecided
         Status: New

** Affects: shim (Ubuntu Raring)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Raring)
     Importance: Undecided
         Status: New

** Also affects: gnu-efi (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: gnu-efi (Ubuntu Quantal)
   Importance: Undecided
       Status: New

** Also affects: gnu-efi (Ubuntu Raring)
   Importance: Undecided
       Status: New

** Also affects: sbsigntool (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: shim (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1229572

Title:
  backport SecureBoot support from 13.10 for 12.04.4
