This fixes several issues, most notably BZ#1955416 and CVE-2022-28737. Please test.

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2022-98830efc68

This update has been submitted for testing by pjones.

6 months ago

This update's test gating status has been changed to 'ignored'.

6 months ago

pjones edited this update.

6 months ago

pjones edited this update.

New build(s):

  • shim-15.6-1

Karma has been reset.

6 months ago

This update has been submitted for testing by pjones.

6 months ago

rharwood edited this update.

6 months ago
rharwood commented & provided feedback 6 months ago
karma

Boots my SB vm.

BZ#1922565 EFI HTTP boot fails if the HTTP headers are lower case
karma

This update has been pushed to testing.

6 months ago

This update can be pushed to stable now if the maintainer wishes

6 months ago
pwhalen commented & provided feedback 6 months ago
karma

Fixed firmware updates with Secure Boot enabled, tested on the Lenovo T14s. Thanks!

BZ#2010595 Cannot install firmware if secureboot is enabled
BZ#2078114 Shim bug prevents firmware update in a ThinkPad firmware updates

This update has been submitted for stable by bodhi.

6 months ago
pbrobinson commented & provided feedback 6 months ago
karma

Worked with secure boot enabled on my Thinkpad X1gen9 for Fedora boot and applying UEFI Capsule Updates

BZ#1955416 Lenovo ThinkPad T490, unable to boot following clean install, stuck at splash screen
BZ#2010595 Cannot install firmware if secureboot is enabled
BZ#2029396 shimx64.efi does not boot into fwupdx64.efi
BZ#2078114 Shim bug prevents firmware update in a ThinkPad firmware updates

This update has been pushed to stable.

6 months ago
bojan commented & provided feedback 6 months ago

Just out of curiosity, this update is for F35 only, right? No other branches need it?

rharwood commented & provided feedback 6 months ago

pjones spoke to that in https://bugzilla.redhat.com/show_bug.cgi?id=1955416#c88:

f35, f36, and rawhide eventually all need the same build, so test with the one above, and I'll work with rel-eng on tagging when it's okay to do so.

Since this update is now stable, I imagine it will shortly be okay to do so if it's not already.

bojan commented & provided feedback 6 months ago
karma

Cool, thanks for the tip. Works on a couple of F36 machines here. A T450s (secure boot) and a noname PC.

pjones commented & provided feedback 6 months ago

This should go out in F36 and rawhide on the next updates push.

valdikss commented & provided feedback 6 months ago

This shim has a regression: it does not allow working with third-party enrolled certificates or binary file hashes. It always shows the security violation screen, regardless of what is enrolled into moklist using mokmanager or efitools keytool.

This does not affect fedora-signed binaries like GRUB and possibly other bootloaders, but this functionality worked in previous versions.

chrismurphy commented & provided feedback 6 months ago

@valdikss it really needs its own bug report. Have you confirmed the problem definitely goes away if you replace/downgrade only /EFI/fedora/shim.efi and /EFI/fedora/shimx64.efi with the previous shim? If you can reproduce, you should give this update thumbs down karma. Thanks.

valdikss commented & provided feedback 6 months ago

@chrismurphy, sorry, my bad, this regression was introduced in the previous version, not in this. https://bugzilla.redhat.com/show_bug.cgi?id=2099380



Metadata
Type: security
Severity: low
Karma: 5
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days
Dates
submitted: 6 months ago
in testing: 6 months ago
in stable: 6 months ago
modified: 6 months ago
BZ#1922565 EFI HTTP boot fails if the HTTP headers are lower case
0
0
BZ#1955416 Lenovo ThinkPad T490, unable to boot following clean install, stuck at splash screen
0
1
BZ#2010595 Cannot install firmware if secureboot is enabled
0
2
BZ#2029396 shimx64.efi does not boot into fwupdx64.efi
0
1
BZ#2078114 Shim bug prevents firmware update in a ThinkPad firmware updates
0
2