FEDORA-2021-cab258a413 created by pjones a week ago for Fedora 34
Status: testing (submitted for stable)
  • Update to shim 15.4
  • Support for revocations via the ".sbat" section and SBAT EFI variable
  • A new unit test framework and a bunch of unit tests
  • No external gnu-efi dependency
  • Better CI
  • Resolves: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233
  • Mark signed shim packages as protected in dnf. Resolves: #1874541
  • Conflict with older fwupd, but don't require it. Resolves: #1877751

Reboot Required
After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

How to install

sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-cab258a413

This update has been submitted for testing by pjones.

a week ago

This update's test gating status has been changed to 'ignored'.

a week ago

This update's test gating status has been changed to 'waiting'.

a week ago

This update's test gating status has been changed to 'ignored'.

a week ago
chrismurphy provided feedback a week ago
BZ#1874541 Please mark shim packages as protected packages with DNF
BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them

This update has been pushed to testing.

a week ago

This update can be pushed to stable now if the maintainer wishes

a week ago
atim provided feedback 6 days ago
frantisekz commented & provided feedback 6 days ago

Works just fine on GA-Z170-D3H with SB Enabled.

This update has been submitted for stable by bodhi.

6 days ago
adamwill commented & provided feedback 5 days ago

After updating my XPS 13 (9360) to current F34, with this shim, I cannot boot with Secure Boot enabled. The screen briefly shows

Bootloader has not verified loaded image.
System is compromised.  halting.

and then shuts down. This happens with any kernel I try to boot. Boot with SB disabled works fine. Boot with SB enabled was working fine until I updated. fwupdmgr update does not show any available firmware updates.

adamwill commented & provided feedback 5 days ago

Confirmed that after downgrading to shim-x86-15-8 I can boot with SB enabled.

I noticed that when doing so, something (shim?) briefly shows "Booting in insecure mode", though after boot, mokutil --sb-state shows SecureBoot enabled. Searching around for references on that, I found https://bugzilla.redhat.com/show_bug.cgi?id=1531961 , which claims that running mokutil --enable-validation would 'fix' it, though I can't find any explanation as to why. I ran that anyway, it asked for a password, I gave it one, it apparently completed OK.

System still does not boot with SB enabled and this shim, though. I don't know if it made the "Booting in insecure mode" message when booting with older shim go away yet (haven't checked, it's a lot of rebooting).

adamwill commented & provided feedback 5 days ago

So poking through the code a bit I suspect https://github.com/rhboot/shim/commit/65be3503 , a bit, because it's a commit between 15 and 15.4 that touches user_insecure_mode. Just on the face of it - I may be misunderstanding - it looks like it adds a function (import_one_mok_state) that's intended to be called one-by-one on a bunch of variables and import them one at a time, but it unconditionally does user_insecure_mode = 0; at the start, whether it's reading the variable that might set it to 1 or not. So even if it's momentarily set to 1 when the relevant variable (MokSBState) is read, won't it then get set straight back to 0 by reading the next variable? Note user_insecure_mode is declared extern in shim.h, which AIUI makes it something like a global variable, right?

Again, I may be missing something, but if so, the same may apply to ignore_db (set by MokDBState). It also is declared as extern and set unconditionally at the start of import_one_mok_state.

I'm going to test reverting that commit if possible...

adamwill commented & provided feedback 5 days ago

I filed https://github.com/rhboot/shim/pull/362 in case I'm right about the problem and the fix.
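The control-flow pattern adamwill suspects, as an added C illustration that is not shim's code: the flag names user_insecure_mode and ignore_db are shim's, but the variable list, the per-variable checks and both function bodies are constructed here, and the example models only the "reset at the top of every call" pattern he describes, not whether that pattern is actually what breaks Secure Boot on the machines in this thread.

```c
#include <stdio.h>
#include <string.h>

/* Globals standing in for shim's `user_insecure_mode` and `ignore_db`
 * (the names are shim's; everything around them is constructed). */
int user_insecure_mode = 0;
int ignore_db = 0;

/* Constructed stand-in for a MOK EFI variable; data == NULL means absent. */
struct mok_var {
    const char *name;
    const unsigned char *data;
    size_t size;
};

static const unsigned char list_blob[] = { 0x01, 0x02, 0x03 };
static const unsigned char one = 1;

/* Constructed sample: the two state variables are read before the last
 * entry, which is the ordering that exposes the reset. */
const struct mok_var sample_vars[] = {
    { "MokList",    list_blob, sizeof list_blob },
    { "MokSBState", &one,      sizeof one },
    { "MokDBState", &one,      sizeof one },
    { "MokListX",   NULL,      0 },
};
#define SAMPLE_COUNT (sizeof sample_vars / sizeof sample_vars[0])

/* Constructed sample where MokSBState happens to be read last. */
const struct mok_var sbstate_last[] = {
    { "MokList",    list_blob, sizeof list_blob },
    { "MokListX",   NULL,      0 },
    { "MokSBState", &one,      sizeof one },
};
#define SBSTATE_LAST_COUNT (sizeof sbstate_last / sizeof sbstate_last[0])

/* Shape adamwill describes: both flags are zeroed at the top of every
 * per-variable call, so whatever an earlier variable set is lost. */
static void import_one_mok_state_buggy(const struct mok_var *v)
{
    user_insecure_mode = 0;   /* unconditional reset on every call */
    ignore_db = 0;
    if (!v->data)
        return;
    if (strcmp(v->name, "MokSBState") == 0 && v->size == 1 && v->data[0] == 1)
        user_insecure_mode = 1;
    if (strcmp(v->name, "MokDBState") == 0 && v->size == 1 && v->data[0] == 1)
        ignore_db = 1;
}

/* Corrected shape: each flag is written only by the variable that owns it;
 * the caller zeroes both once before the loop. */
static void import_one_mok_state_fixed(const struct mok_var *v)
{
    if (!v->data)
        return;
    if (strcmp(v->name, "MokSBState") == 0)
        user_insecure_mode = (v->size == 1 && v->data[0] == 1);
    if (strcmp(v->name, "MokDBState") == 0)
        ignore_db = (v->size == 1 && v->data[0] == 1);
}

/* Imports every variable in order and returns the resulting flags as a
 * bitmask: bit 0 = user_insecure_mode, bit 1 = ignore_db. */
int import_mok_state(const struct mok_var *vars, size_t n, int use_fixed)
{
    user_insecure_mode = 0;
    ignore_db = 0;
    for (size_t i = 0; i < n; i++) {
        if (use_fixed)
            import_one_mok_state_fixed(&vars[i]);
        else
            import_one_mok_state_buggy(&vars[i]);
    }
    return user_insecure_mode | (ignore_db << 1);
}

int main(void)
{
    printf("state vars mid-list: buggy=%d fixed=%d\n",
           import_mok_state(sample_vars, SAMPLE_COUNT, 0),
           import_mok_state(sample_vars, SAMPLE_COUNT, 1));
    printf("MokSBState last:     buggy=%d fixed=%d\n",
           import_mok_state(sbstate_last, SBSTATE_LAST_COUNT, 0),
           import_mok_state(sbstate_last, SBSTATE_LAST_COUNT, 1));
    return 0;
}
```

With the first list the buggy shape ends with both flags clear (0) while the corrected shape reports both set (3); with MokSBState read last both shapes agree (1). That order dependence is the practical takeaway: a per-variable reset of a global only misbehaves when the variable that sets it is not the last one imported, so a test that happens to read MokSBState last would not catch it.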

cserpentis commented & provided feedback 2 days ago

works for me

decathorpe commented & provided feedback 2 days ago

After installing this update, my XPS 13 won't boot unless I disable secure boot. Looks like it's the same issue @adamwill has.

geraldosimiao commented & provided feedback 2 days ago

Works only if Secure Boot is disabled; it doesn't work if enabled, so I'm reverting my karma point.

BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them

Thinkpad T480s + UEFI + SecureBoot works fine

geraldosimiao commented & provided feedback 2 hours ago

After orientation from javierm I enabled validation on mokutil ( sudo mokutil --enable-validation ) and my system booted fine in SB.



Metadata
Type: security
Severity: medium
Karma: 1
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 3 days

Dates
submitted: a week ago
in testing: a week ago

Bugs (feedback counts 0 / 1)
BZ#1874541 Please mark shim packages as protected packages with DNF (0 / 1)
BZ#1877751 fwupd replacing dbxtool.x86_64 8-13.fc33 (0 / 0)
BZ#1938630 include new bootloaders on Fedora 34 install media so UEFI Secure Boot enabled systems can boot from them (0 / 1)
