ShimUpdateProcess

Revision 2 as of 2018-11-02 13:25:24


What is shim?

Shim is the pre-bootloader that runs on UEFI Secure Boot systems: a small binary signed by Microsoft that embeds our own certificate (the one used to sign our grub binaries), so that it can verify and load the "real" bootloader, GRUB.

Shim is periodically updated in the current development release, and the same version is backported to all supported releases. Keeping one version everywhere simplifies maintenance, which matters given the security-sensitive nature of this software.

If you have questions, ask cyphermox.

How do I go about updating shim?

shim needs to be built separately in a PPA first (using an upstream release or a snapshot of the upstream tree, as appropriate), well-tested, and published alongside the shim-signed package.

  1. First, file an SRU bug, using the template below, for the new shim release. Make sure the bug number is closed in the changelogs of both the shim and shim-signed packages that will be uploaded.

  2. The ppa:canonical-foundations/shim PPA is used for this purpose. If the update requires changes to other packages, or a complex update has to be coordinated, those packages are built in the same PPA.

  3. Once shim has been built in the PPA and tested to a reasonable degree of confidence (see /TestPlan), file a new signing request with the shim-review board.

  4. After the shim-review board has approved the submission, file an RT ticket to have the binaries submitted to Microsoft for signing. Use the following template:

to: ubuntu-platform@rt.canonical.com
cc: Steve Langasek <steve.langasek@canonical.com>
cc: Dann Frazier <dann.frazier@canonical.com>
cc: Patricia Gaughen <patricia.gaughen@canonical.com>
cc: Brian Murray <brian.murray@canonical.com>

Hi,

A new version of the UEFI SecureBoot shim has been prepared for upload
to <ubuntu release>, and needs to be submitted to Microsoft for signing.

Attached are the files /usr/lib/shim/shimx64.efi and
/usr/lib/shim/shimaa64.efi from the shim
<version> package.

The builds these binaries originate from are:

amd64: <url to the build, ie. https://launchpad.net/~canonical-foundations/+archive/ubuntu/shim/+build/15261659>
arm64: <url to the build, ie. https://launchpad.net/~canonical-foundations/+archive/ubuntu/shim/+build/15261660>

The files to be signed are contained within the packages as
/usr/lib/shim/shim*.efi, with the following sha256sums:

amd64: <sha256sum of the binary>
arm64: <sha256sum of the binary>
< any other architectures for which shim binaries need to be signed >

Please submit them to Microsoft for UEFI signing.

Thanks,

<attach the relevant .efi files>

  5. Once you have received the signed binaries back from Microsoft, update shim-signed with them.

    • If Microsoft signed with a different certificate than the one shim-signed currently carries, update the certificate in shim-signed as well.
  6. Upload shim-signed to ppa:canonical-foundations/shim.

  7. Test once more.
    • Here we want to make sure the packages upgrade cleanly, that any postinst scripts run correctly in the variety of scenarios they should run in, and that the right shim binary is installed to the ESP when the package is installed. Do another round of smoke tests to make sure shim works.
  8. Make sure the shim in the package, exactly as received from Microsoft, boots correctly. Microsoft's signtool utility is known to sometimes modify the binary in a way that makes it fail to boot, so the signed file must be boot-tested on its own and not assumed to behave like the unsigned build.
    • Ensure the dependencies between the various affected packages
  9. If all smoke testing passes, you can go ahead and copy the packages to -proposed:
    1. Copy (with binaries) the shim package.

    2. Copy the shim-signed package.
    3. Copy any other package that needs to go with them.
  10. Track down an SRU team member to look at the packages in the unapproved queue.
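The sha256sums quoted in the RT template are of the unsigned files from the PPA build, so they will not match the sha256sum of what comes back from Microsoft. What must stay invariant across the signing round-trip is the Authenticode digest of the image, which by definition skips the CheckSum field, the Certificate Table data directory entry and the appended certificate table; if the digest of the unsigned build equals the digest of the signed file, the signer changed nothing but the signature. The script below, added here as an illustration (it is not part of shim, shim-signed or any Ubuntu tooling), computes that digest for both files and reports whether they agree. The function names, the `shimx64.efi.signed` file name and the constructed PE fixture used to exercise it offline are assumptions made for this example.

```python
"""Check that a Microsoft-signed shim is the unsigned build plus a signature.

Authenticode signing is expected to touch a PE image in exactly two header
fields (CheckSum and the Certificate Table data directory entry) and to
append the attribute certificate table.  The Authenticode digest skips
precisely those bytes, so the digest of the unsigned PPA build and of the
file that comes back from Microsoft must be identical even though their
plain sha256sums differ.  Example for the wiki page; all names are ours.
"""
import hashlib
import struct
import sys

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories


def _pe_layout(data: bytes) -> dict:
    """Return the file offsets the Authenticode hash must skip or bound."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32
        ndirs, dirs = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:    # PE32+ (shimx64.efi, shimaa64.efi)
        ndirs, dirs = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if ndirs <= CERT_DIR_INDEX:
        raise ValueError("image has no Certificate Table directory entry")
    cert_entry = dirs + 8 * CERT_DIR_INDEX
    return {
        "checksum": opt + 64,            # CheckSum sits at +64 in PE32 and PE32+
        "cert_entry": cert_entry,        # directory entry: (file offset, size)
        "cert_table": struct.unpack_from("<II", data, cert_entry),
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "section_table": opt + opt_size,
        "nsections": nsections,
    }


def authenticode_digest(data: bytes, algo: str = "sha256") -> str:
    """Digest of the image as defined by the Authenticode PE specification."""
    lay = _pe_layout(data)
    h = hashlib.new(algo)
    # Headers, minus the CheckSum field and the Certificate Table entry.
    h.update(data[:lay["checksum"]])
    h.update(data[lay["checksum"] + 4:lay["cert_entry"]])
    h.update(data[lay["cert_entry"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    # Section raw data, in increasing file-offset order.
    sections = []
    for i in range(lay["nsections"]):
        hdr = lay["section_table"] + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Anything after the last section, except the certificate table itself.
    trailing = len(data) - hashed - lay["cert_table"][1]
    if trailing > 0:
        h.update(data[hashed:hashed + trailing])
    return h.hexdigest()


def compare_signed(unsigned: bytes, signed: bytes) -> dict:
    """Report whether `signed` is `unsigned` plus a signature and nothing more."""
    return {
        "sha256_unsigned": hashlib.sha256(unsigned).hexdigest(),  # value for the RT
        "sha256_signed": hashlib.sha256(signed).hexdigest(),
        "has_signature": _pe_layout(signed)["cert_table"][1] > 0,
        "authenticode_match": authenticode_digest(unsigned) == authenticode_digest(signed),
    }


def build_test_pe(section: bytes, cert: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed fixture, NOT a shim: a minimal PE32+ image with one section.

    Headers are padded to 512 bytes, the section follows, and `cert` is
    appended at the very end, which is where a signer places WIN_CERTIFICATE.
    """
    align, hdr_size = 512, 512
    raw_size = (len(section) + align - 1) // align * align
    cert_off = hdr_size + raw_size if cert else 0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 0, 0, raw_size, 0, 0, 0x1000, 0x1000, 0x400000,
                      0x1000, align, 0, 0, 0, 0, 0, 0, 0,
                      0x2000, hdr_size, checksum, 10, 0,             # subsystem 10: EFI app
                      0, 0, 0, 0, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[CERT_DIR_INDEX] = (cert_off, len(cert))
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, raw_size, hdr_size,
                       0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sect).ljust(hdr_size, b"\0")
    return headers + section.ljust(raw_size, b"\0") + cert


def fake_win_certificate(payload: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE wrapper: dwLength, wRevision, wCertificateType."""
    body = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    return body.ljust((len(body) + 7) // 8 * 8, b"\0")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: shimcheck.py shimx64.efi shimx64.efi.signed")
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        for key, value in compare_signed(f.read(), g.read()).items():
            print("%-20s %s" % (key, value))
```

Run it as `python3 shimcheck.py shimx64.efi shimx64.efi.signed` against the build from the PPA and the file returned by Microsoft. A mismatch means the returned binary is not simply the submitted one plus a signature and should not go into shim-signed. A match is necessary but not sufficient: the script does not validate the signature chain (use sbverify for that) and it cannot predict firmware behaviour, so the boot test of the signed binary in the steps above is still required.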

Bug template

[Impact]
Shim needs to be updated for the latest fixes, security fixes, and new features
introduced upstream (see below). Shim is kept in sync across supported releases
to avoid subtle policy differences between releases, and because any upload
requires a round-trip of signing at Microsoft, which makes individual uploads
time-consuming.

[Test case]
Test plan is at http://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

[Regression potential]
<describe what could possibly go wrong?>

---

Update shim in all supported releases of Ubuntu.

<describe upstream changes in the new shim>
<describe any other relevant information>