stable

shim-fedora-20210331

FEDORA-2021-cab258a413 created by pjones 3 years ago for Fedora 34
  • Update to shim 15.4
  • Support for revocations via the ".sbat" section and SBAT EFI variable
  • A new unit test framework and a bunch of unit tests
  • No external gnu-efi dependency
  • Better CI
    Resolves: CVE-2020-14372
    Resolves: CVE-2020-25632
    Resolves: CVE-2020-25647
    Resolves: CVE-2020-27749
    Resolves: CVE-2020-27779
    Resolves: CVE-2021-20225
    Resolves: CVE-2021-20233
  • Mark signed shim packages as protected in dnf. Resolves: #1874541
  • Conflict with older fwupd, but don't require it. Resolves: #1877751

Reboot Required
After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2021-cab258a413

This update has been submitted for testing by pjones.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago

This update's test gating status has been changed to 'waiting'.

3 years ago

This update's test gating status has been changed to 'ignored'.

3 years ago
BZ#1874541 Please mark shim packages as protected packages with DNF
BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them

This update has been pushed to testing.

3 years ago

This update can be pushed to stable now if the maintainer wishes

3 years ago
atim provided feedback 3 years ago
frantisekz commented & provided feedback 3 years ago

Works just fine on GA-Z170-D3H with SB Enabled.

This update has been submitted for stable by bodhi.

3 years ago
adamwill commented & provided feedback 3 years ago

After updating my XPS 13 (9360) to current F34, with this shim, I cannot boot with Secure Boot enabled. The screen briefly shows

Bootloader has not verified loaded image.
System is compromised.  halting.

and then shuts down. This happens with any kernel I try to boot. Boot with SB disabled works fine. Boot with SB enabled was working fine until I updated. fwupdmgr update does not show any available firmware updates.

adamwill commented & provided feedback 3 years ago

Confirmed that after downgrading to shim-x86-15-8 I can boot with SB enabled.

I noticed that when doing so, something (shim?) briefly shows "Booting in insecure mode", though after boot, mokutil --sb-state shows SecureBoot enabled. Searching around for references on that, I found https://bugzilla.redhat.com/show_bug.cgi?id=1531961 , which claims that running mokutil --enable-validation would 'fix' it, though I can't find any explanation as to why. I ran that anyway, it asked for a password, I gave it one, it apparently completed OK.

System still does not boot with SB enabled and this shim, though. I don't know if it made the "Booting in insecure mode" message when booting with older shim go away yet (haven't checked, it's a lot of rebooting).

adamwill commented & provided feedback 3 years ago

So poking through the code a bit I suspect https://github.com/rhboot/shim/commit/65be3503 , a bit, because it's a commit between 15 and 15.4 that touches user_insecure_mode. Just on the face of it - I may be misunderstanding - it looks like it adds a function (import_one_mok_state) that's intended to be called one-by-one on a bunch of variables and import them one at a time, but it unconditionally does user_insecure_mode = 0; at the start, whether it's reading the variable that might set it to 1 or not. So even if it's momentarily set to 1 when the relevant variable (MokSBState) is read, won't it then get set straight back to 0 by reading the next variable? Note user_insecure_mode is declared extern in shim.h, which AIUI makes it something like a global variable, right?

Again, I may be missing something, but if so, the same may apply to ignore_db (set by MokDBState). It also is declared as extern and set unconditionally at the start of import_one_mok_state.

I'm going to test reverting that commit if possible...
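To make the clobbering pattern described in the comment above concrete, here is an added, self-contained C simulation. It is not shim's code and is not taken from the linked commit or pull request: the variable list, its import order, the one-byte encoding of each variable and the helper names (`import_one_buggy`, `import_one_fixed`, `import_all`, `run_buggy`, `run_fixed`) are all constructed for this example; only the global names `user_insecure_mode` and `ignore_db` and the variable names `MokSBState` and `MokDBState` come from the discussion.

```c
/* Added illustration of the "per-item reset clobbers a global flag" pattern.
 * Self-contained simulation, NOT shim's code: the variable list, the import
 * order and the value encoding below are constructed for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Globals standing in for the extern flags named in the comment. */
static int user_insecure_mode = 0;
static int ignore_db = 0;

/* Constructed stand-in for a MOK state EFI variable: a name and one byte. */
struct mok_var {
    const char *name;
    unsigned char data;   /* 1 = set, 0 = not set (constructed encoding) */
};

/* Constructed import order: the variable that sets the flag is read first,
 * and an unrelated variable is read last. */
static const struct mok_var sample_vars[] = {
    { "MokSBState", 1 },  /* would set user_insecure_mode = 1 */
    { "MokDBState", 0 },  /* would set ignore_db = 1 if it were 1 */
    { "MokListRT",  0 },  /* unrelated variable, imported last */
};
#define N_VARS (sizeof(sample_vars) / sizeof(sample_vars[0]))

/* Pattern the comment suspects: every call resets BOTH globals at the top,
 * so whatever an earlier variable set is lost as soon as the next one is
 * imported. Only the last variable's contribution survives. */
static void import_one_buggy(const struct mok_var *v)
{
    user_insecure_mode = 0;   /* unconditional reset on every call */
    ignore_db = 0;
    if (strcmp(v->name, "MokSBState") == 0 && v->data == 1)
        user_insecure_mode = 1;
    if (strcmp(v->name, "MokDBState") == 0 && v->data == 1)
        ignore_db = 1;
}

/* Corrected pattern: the reset happens once, before the loop (see
 * import_all), and each call only raises the flag its own variable controls. */
static void import_one_fixed(const struct mok_var *v)
{
    if (strcmp(v->name, "MokSBState") == 0 && v->data == 1)
        user_insecure_mode = 1;
    if (strcmp(v->name, "MokDBState") == 0 && v->data == 1)
        ignore_db = 1;
}

/* Import every variable with the given importer and return the final value
 * of user_insecure_mode so the outcome can be checked directly. */
static int import_all(void (*import_one)(const struct mok_var *),
                      const struct mok_var *vars, size_t n)
{
    user_insecure_mode = 0;   /* single reset before the loop */
    ignore_db = 0;
    for (size_t i = 0; i < n; i++)
        import_one(&vars[i]);
    return user_insecure_mode;
}

int run_buggy(void) { return import_all(import_one_buggy, sample_vars, N_VARS); }
int run_fixed(void) { return import_all(import_one_fixed, sample_vars, N_VARS); }

int main(void)
{
    printf("buggy importer: user_insecure_mode = %d (MokSBState=1 was lost)\n",
           run_buggy());
    printf("fixed importer: user_insecure_mode = %d\n", run_fixed());
    return 0;
}
```

The point the simulation makes is that the buggy result depends only on which variable happens to be imported last: move `MokSBState` to the end of `sample_vars` and the per-call reset becomes harmless, which is why a bug of this shape can survive testing on one set of MOK variables and surface on another.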

adamwill commented & provided feedback 3 years ago

I filed https://github.com/rhboot/shim/pull/362 in case I'm right about the problem and the fix.

cserpentis commented & provided feedback 3 years ago

works for me

decathorpe commented & provided feedback 3 years ago

After installing this update, my XPS 13 won't boot unless I disable secure boot. Looks like it's the same issue @adamwill has.

geraldosimiao commented & provided feedback 3 years ago

Works only if Secure Boot is disabled, doesn't work if enabled, so I'm reverting karma point.

BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them

Thinkpad T480s + UEFI + SecureBoot works fine

geraldosimiao commented & provided feedback 3 years ago

After orientation from javierm I enabled validation on mokutil ( sudo mokutil --enable-validation ) and my system booted fine in SB.

renault commented & provided feedback 3 years ago

No regressions found

lruzicka commented & provided feedback 3 years ago

Everything seems ok.

pbrobinson edited this update.

New build(s):

  • shim-15.4-4

Removed build(s):

  • shim-15.4-3

Karma has been reset.

3 years ago

This update has been submitted for testing by pbrobinson.

3 years ago

pbrobinson edited this update.

3 years ago

pbrobinson edited this update.

3 years ago

This update has been pushed to testing.

3 years ago
adamwill commented & provided feedback 3 years ago

Can confirm the Dell developer edition issue is fixed, this version boots fine.

BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them

This update can be pushed to stable now if the maintainer wishes

3 years ago
frantisekz commented & provided feedback 3 years ago

Works well on Skylake based desktop, Gigabyte GA-Z170-HD3 MB.

chrismurphy commented & provided feedback 3 years ago

Apple Inc. MacBookPro8,2; HP Spectre Notebook; Intel NUC5PPYB

BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them
BZ#1948432 efi: Failed to lookup EFI memory descriptor for 0x000000003a572000

This update has been submitted for stable by bodhi.

3 years ago
juml commented & provided feedback 3 years ago

Fedora 33 may need update too?

This update has been pushed to stable.

3 years ago


Metadata
Type: security
Severity: medium
Karma: 3
Signed
Content Type: RPM

Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 3 days

Dates
submitted: 3 years ago
in testing: 3 years ago
in stable: 3 years ago
modified: 3 years ago
Bugs (feedback counts):
BZ#1592148 pxeboot shim crash using newer edk2 firmware (0 / 0)
BZ#1651016 kexec/kdump kernel fails to load with EFI secure boot enabled (0 / 0)
BZ#1874541 Please mark shim packages as protected packages with DNF (0 / 0)
BZ#1877751 fwupd replacing dbxtool.x86_64 8-13.fc33 (0 / 0)
BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them (0 / 2)
BZ#1948432 efi: Failed to lookup EFI memory descriptor for 0x000000003a572000 (0 / 1)
