FEDORA-2021-c3d587d52c created by pjones 5 months ago for Fedora 33
testing
  • Update to shim 15.4
  • Support for revocations via the ".sbat" section and SBAT EFI variable
  • A new unit test framework and a bunch of unit tests
  • No external gnu-efi dependency
  • Better CI
    Resolves: CVE-2020-14372
    Resolves: CVE-2020-25632
    Resolves: CVE-2020-25647
    Resolves: CVE-2020-27749
    Resolves: CVE-2020-27779
    Resolves: CVE-2021-20225
    Resolves: CVE-2021-20233
  • Mark signed shim packages as protected in dnf. Resolves: #1874541
  • Conflict with older fwupd, but don't require it. Resolves: #1877751

Reboot Required
After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c3d587d52c

This update has been submitted for testing by pjones.

5 months ago

This update's test gating status has been changed to 'ignored'.

5 months ago

This update's test gating status has been changed to 'waiting'.

5 months ago

This update's test gating status has been changed to 'ignored'.

5 months ago

This update has been pushed to testing.

5 months ago
bojan commented & provided feedback 5 months ago

Works.

This update can be pushed to stable now if the maintainer wishes

5 months ago
ersen provided feedback 5 months ago

This update has been submitted for stable by bodhi.

5 months ago

This update has been unpushed.

adamwill edited this update.

5 months ago

This update has been submitted for testing by adamwill.

5 months ago

We should not push this stable without https://github.com/rhboot/shim/pull/362 .

This update has been pushed to testing.

5 months ago
decathorpe commented & provided feedback 5 months ago

I'm getting this error with Secure Boot enabled on a Dell XPS 13 9370:

Bootloader has not verified loaded image.
System is compromised. halting

While sounding scary, it looks like this is a bug, and fixed by @adamwill's pull request?

Still, this update makes my system not boot unless I disable secure boot, which kinda defeats the purpose of a security update.

@decathorpe note that, AIUI, the fact we're hitting this means SB was effectively not fully functional before - this seems to be how developer edition XPS systems ship (I didn't know about it either). SB is enabled in the firmware, but validation is disabled at the mok level, or something. We have to run a magic command to actually have SB working.

It is a bug that boot breaks in this config, though, and the fix is coming.

kparal commented & provided feedback 5 months ago

my desktop (UEFI, no SB) still boots

pbrobinson edited this update.

5 months ago
andilinux commented & provided feedback 4 months ago

works

andilinux commented & provided feedback 4 months ago

no issues

adamwill commented & provided feedback 4 months ago

@pjones, could this be edited to include a newer build?


Metadata
Type: security
Severity: medium
Karma: 4
Signed
Content Type: RPM
Test Gating
Builds: 1

Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 5 months ago
in testing: 5 months ago
modified: 5 months ago

BZ#1592148 pxeboot shim crash using newer edk2 firmware