| -rw-r--r-- | debian/changelog | 5 | ||||
| -rw-r--r-- | debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch | 42 | ||||
| -rw-r--r-- | debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch | 47 | ||||
| -rw-r--r-- | debian/patches/series | 2 |
4 files changed, 95 insertions, 1 deletions
diff --git a/debian/changelog b/debian/changelog index 768c5540..8f0d7025 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,13 +3,16 @@ shim (15.8-1) UNRELEASED; urgency=medium [ Steve McIntyre ] * Cope with changes in pesign packaging. * New upstream release fixing more bugs - * Remove all our existing patches, no longer needed: + * Remove all our previous patches, no longer needed: + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now upstream) + Enable-NX.patch (we don't want NX just yet until the whole boot stack is NX-capable) + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT is 4) + * Cherry-pick 2 new patches from upstream for grub revocations: + + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch + + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch * NOTE: Stop building for i386 + Debian kernels are no longer signed for i386, it's time to stop supporting i386 SB. diff --git a/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch new file mode 100644 index 00000000..25977c16 --- /dev/null +++ b/debian/patches/0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch 
@@ -0,0 +1,42 @@
+From 63edf92f8ae11b884bc7d24aecb8229cbc4ae014 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Fri, 5 Apr 2024 21:57:07 +0200
+Subject: [PATCH 1/2] sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
+
+Add the previous latest level to the switch for automatic.
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+---
+ include/sbat_var_defs.h | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index f8cba029..04d708f2 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -47,6 +47,8 @@
+ #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\n"
+ #elif SBAT_AUTOMATIC_DATE == 2023012900
+ #define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
++#elif SBAT_AUTOMATIC_DATE == 2024010900
++#define SBAT_VAR_AUTOMATIC_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
+ #else
+ #error "Unknown SBAT_AUTOMATIC_DATE"
+ #endif /* SBAT_AUTOMATIC_DATE == */
+@@ -56,10 +58,10 @@
+ SBAT_VAR_AUTOMATIC_REVOCATIONS
+ 
+ /*
+- * Revocations for January 2024 shim CVEs
++ * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
+ */
+-#define SBAT_VAR_LATEST_DATE "2024010900"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\n"
++#define SBAT_VAR_LATEST_DATE "2024040500"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
+ #define SBAT_VAR_LATEST \
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ SBAT_VAR_LATEST_REVOCATIONS
+-- 
+2.39.2
+
diff --git a/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch b/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
new file mode 100644
index 00000000..f1c3028d
--- /dev/null
+++ b/debian/patches/0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
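Review bot: The new `#elif SBAT_AUTOMATIC_DATE == 2024010900` branch is added without any comment saying which fixes that level corresponds to, while the only comment that named them ("Revocations for January 2024 shim CVEs") is rewritten in the same patch to describe the new `latest` set, so after this patch nothing in the file explains why an automatic build at 2024010900 revokes `shim,4`. I would add `/* January 2024 shim CVEs; was SBAT_VAR_LATEST until 2024-04-05 */` above the new `#define`, matching the comment style used on the `latest` block. The `#if`/`#elif` chain this branch extends begins above the hunk, so the earlier branches and their comments (if any) are not visible here. The `2024040500` latest date introduced here is itself superseded by the next patch in the series, which is fine given the `#error` fallback, but worth noting for anyone bisecting SbatLevel dates.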
@@ -0,0 +1,47 @@
+From 3e1394e8e6fd0071a69196230f991612a960c154 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Tue, 9 Apr 2024 18:55:12 +0200
+Subject: [PATCH 2/2] sbat: Also bump latest for grub,4 (and to todays date)
+
+Back in January we decided to bump the SBAT level for the shim
+CVE without bumping the grub level for the previous NTFS issues
+- CVE-2023-4692 CVE-2023-4693 - as not every vendor was signing
+the ntfs module.
+
+Catch up on this revocation to ensure it doesn't get lost. Doing
+so also allows us to remove the grub.debian,4 revocation as this
+happened before grub,4 and hence is obsolete.
+
+Also bump the date of the sbat variable to today's. Don't copy
+the April 5 one to a previous selection, as it wasn't shipped
+to anyone.
+
+Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
+---
+ include/sbat_var_defs.h | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index 04d708f2..5c7115b9 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -58,10 +58,13 @@
+ SBAT_VAR_AUTOMATIC_REVOCATIONS
+ 
+ /*
+- * Revocations for January 2024 shim CVEs + Debian/Ubuntu (peimage) CVE-2024-2312
++ * Revocations for:
++ * - January 2024 shim CVEs
++ * - October 2023 grub CVEs
++ * - Debian/Ubuntu (peimage) CVE-2024-2312
+ */
+-#define SBAT_VAR_LATEST_DATE "2024040500"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,3\ngrub.debian,4\ngrub.peimage,2\n"
++#define SBAT_VAR_LATEST_DATE "2024040900"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,4\ngrub,4\ngrub.peimage,2\n"
+ #define SBAT_VAR_LATEST \
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ SBAT_VAR_LATEST_REVOCATIONS
+-- 
+2.39.2
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 00000000..01fd2987
--- /dev/null
+++ b/debian/patches/series
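Review bot: Dropping `grub.debian,4` from `SBAT_VAR_LATEST_REVOCATIONS` is justified only in the commit message, by the claim that every grub carrying `grub.debian,<4` also carries `grub,<4`; the header comment that replaces it does not record that reasoning, so a future maintainer has no in-file reason not to re-add it or, worse, to assume the entry was lost. Since a shim applying this `latest` policy presumably rewrites SbatLevel without the `grub.debian` entry, the equivalence claim is load-bearing and should sit next to the define. I would add `* grub.debian,4 is intentionally omitted: it predates, and is implied by, grub,4.` to the comment block, and name the IDs on the grub line as the earlier comment style does for CVE-2024-2312: `* - October 2023 grub NTFS CVEs (CVE-2023-4692, CVE-2023-4693)`. The date bump from 2024040500 to 2024040900 looks right given shim only applies a newer-dated policy, but that ordering rule is not visible in this hunk.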
@@ -0,0 +1,2 @@
+0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
+0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch |
