Security update for shim
Announcement ID: SUSE-SU-2023:2086-1
Rating: important
References:
Cross-References:
CVSS scores:
Affected Products:
An update that solves one vulnerability, contains two features and has 12 security fixes can now be installed.
Description:
This update for shim fixes the following issues:
- Updated the shim signature files after shim 15.7 was signed and returned: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)
- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable the NX compatibility flag when running post-process-pe, because grub2 does not yet support being loaded with NX enforced. (bsc#1205588)
- Enable the NX compatibility flag by default. (jsc#PED-127)
Update to 15.7 (bsc#1198458) (jsc#PED-127):
- Make SBAT variable payload introspectable
- Reference MokListRT instead of MokList
- Add a link to the test plan in the readme.
- [V3] Enable TDX measurement to RTMR register
- Discard load-options that start with a NUL
- Fixed load_cert_file bugs
- Add -malign-double to IA32 compiler flags
- pe: Fix image section entry-point validation
- make-archive: Build reproducible tarball
- mok: remove MokListTrusted from PCR 7
Other fixes:
- Support enhanced shim measurement into the TD RTMR (Intel TDX runtime measurement register). (jsc#PED-1273)
- shim-install: ensure the grub.cfg it creates is not overwritten after the grub related files are installed
- Add logic to shim.spec to only set sbat policy when efivarfs is writeable. (bsc#1201066)
- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)
- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)
Update to 15.6 (bsc#1198458):
- MokManager: removed Locate graphic output protocol fail error message
- shim: implement SBAT verification for the shim_lock protocol
- post-process-pe: Fix a missing return code check
- Update github actions matrix to be more useful
- post-process-pe: Fix format string warnings on 32-bit platforms
- Allow MokListTrusted to be enabled by default
- Re-add ARM AArch64 support
- Use ASCII as fallback if Unicode Box Drawing characters fail
- make: don't treat cert.S specially
- shim: use SHIM_DEVEL_VERBOSE when built in devel mode
- Break out of the inner sbat loop if we find the entry.
- Support loading additional certificates
- Add support for NX (W^X) mitigations.
- Fix preserve_sbat_uefi_variable() logic
- SBAT Policy latest should be a one-shot
- pe: Fix a buffer overflow when SizeOfRawData > VirtualSize
- pe: Perform image verification earlier when loading grub
- Update advertised sbat generation number for shim
- Update SBAT generation requirements for 05/24/22
- Also avoid CVE-2022-28737 in verify_image() by @vathpela
Update to 15.5 (bsc#1198458):
- Broken ia32 relocs and an unimportant submodule change.
- mok: allocate MOK config table as BootServicesData
- Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260)
- Relax the check for import_mok_state() (bsc#1185261)
- SBAT.md: trivial changes
- shim: another attempt to fix load options handling
- Add tests for our load options parsing.
- arm/aa64: fix the size of .rela* sections
- mok: fix potential buffer overrun in import_mok_state
- mok: relax the maximum variable size check
- Don't unhook ExitBootServices when EBS protection is disabled
- fallback: find_boot_option() needs to return the index for the boot entry in optnum
- httpboot: Ignore case when checking HTTP headers
- Fallback allocation errors
- shim: avoid BOOTx64.EFI in message on other architectures
- str: remove duplicate parameter check
- fallback: add compile option FALLBACK_NONINTERACTIVE
- Test mok mirror
- Modify sbat.md to help with readability.
- csv: detect end of csv file correctly
- Specify that the .sbat section is ASCII not UTF-8
- tests: add "include-fixed" GCC directory to include directories
- pe: simplify generate_hash()
- Don't make shim abort when TPM log event fails (RHBZ #2002265)
- Fallback to default loader if parsed one does not exist
- fallback: Fix for BootOrder crash when index returned
- Better console checks
- docs: update SBAT UEFI variable name
- Don't parse load options if invoked from removable media path
- fallback: fix fallback not passing arguments of the first boot option
- shim: Don't stop forever at "Secure Boot not enabled" notification
- Allocate mokvar table in runtime memory.
- Remove post-process-pe on 'make clean'
- pe: missing perror argument
- CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize (bsc#1198458)
- Add a mokutil command to the post-install script that sets the SBAT policy to "latest" mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 EFI variable does not exist. (bsc#1198458)
- Updated vendor dbx binary and script (bsc#1198458)
- Updated dbx-cert.tar.xz and vendor-dbx-sles.bin to add SLES-UEFI-SIGN-Certificate-2021-05.crt to the vendor dbx list.
- Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin to add openSUSE-UEFI-SIGN-Certificate-2021-05.crt to the vendor dbx list.
- Updated vendor-dbx.bin to add SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for the testing environment.
- Updated the generate-vendor-dbx.sh script so that it generates a vendor-dbx.bin file that includes all .der files for the testing environment.
- Avoid a buffer overflow when copying data to the MOK config table (bsc#1185232)
- Disable exporting vendor-dbx to MokListXRT, since writing a large runtime variable could crash some machines (bsc#1185261)
- Ignore an odd LoadOptions length (bsc#1185232)
- shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist
- Relax the maximum variable size check for u-boot (bsc#1185621)
- Handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)
- Split the keys in vendor-dbx.bin into vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse, to reduce the size of MokListXRT (bsc#1185261)
- Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
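The CVE-2022-28737 entries above describe a classic PE loader bug: a section's SizeOfRawData (bytes present in the file) and VirtualSize (bytes the section occupies once loaded) are independent, attacker-controlled header fields, and a loader that copies SizeOfRawData bytes into a region laid out by VirtualSize writes past that region whenever the first exceeds the second. The program below is an added illustration of that bug class and its hardening, not shim's own source: the struct, the function names, the error codes and the two section headers it constructs are assumptions made for the example.

```c
/* Added example: PE section loading with the SizeOfRawData > VirtualSize
 * check.  Illustrative code, not taken from shim.  Names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Only the IMAGE_SECTION_HEADER fields a loader needs for the copy. */
struct pe_section {
    uint32_t virtual_size;        /* Misc.VirtualSize: room in the loaded image */
    uint32_t virtual_address;     /* RVA where the section lands in the image   */
    uint32_t size_of_raw_data;    /* bytes of section data present in the file  */
    uint32_t pointer_to_raw_data; /* file offset of that data                   */
};

enum load_status {
    LOAD_OK = 0,
    LOAD_ERR_FILE_BOUNDS,   /* raw data runs past the end of the file      */
    LOAD_ERR_IMAGE_BOUNDS,  /* section runs past SizeOfImage               */
    LOAD_ERR_RAW_GT_VIRT    /* the CVE-2022-28737 condition                */
};

/* Bytes the unsafe pattern copies: the file-supplied size, with no regard
 * for how much room the section actually has in memory. */
size_t copy_len_unsafe(const struct pe_section *s)
{
    return s->size_of_raw_data;
}

/* Hardened loader: validates every header-derived bound before touching
 * memory, refuses a section whose raw data would not fit its virtual slot,
 * and zero-fills the tail of .bss-style sections (VirtualSize > raw size).
 * image_size is SizeOfImage from the optional header; file_size is the
 * number of bytes actually read from disk. */
enum load_status load_section(uint8_t *image, size_t image_size,
                              const uint8_t *file, size_t file_size,
                              const struct pe_section *s)
{
    /* 64-bit arithmetic so the additions cannot wrap. */
    uint64_t raw_end  = (uint64_t)s->pointer_to_raw_data + s->size_of_raw_data;
    uint64_t virt_end = (uint64_t)s->virtual_address + s->virtual_size;

    if (raw_end > file_size)
        return LOAD_ERR_FILE_BOUNDS;
    if (virt_end > image_size)
        return LOAD_ERR_IMAGE_BOUNDS;
    if (s->size_of_raw_data > s->virtual_size)
        return LOAD_ERR_RAW_GT_VIRT;

    memcpy(image + s->virtual_address, file + s->pointer_to_raw_data,
           s->size_of_raw_data);
    memset(image + s->virtual_address + s->size_of_raw_data, 0,
           s->virtual_size - s->size_of_raw_data);
    return LOAD_OK;
}

/* Self-check on constructed input.  Returns 1 when an honest section loads
 * with its tail zeroed and neighbours untouched, and a crafted header is
 * rejected before any byte is written. */
int demo(void)
{
    uint8_t file[0x200];   /* constructed "file": all 0xAA */
    uint8_t image[0x300];  /* constructed image buffer: all 0xCC */
    memset(file, 0xAA, sizeof file);
    memset(image, 0xCC, sizeof image);

    /* Honest .text: 0x80 bytes on disk, 0x100 bytes in memory. */
    struct pe_section text = { .virtual_size = 0x100, .virtual_address = 0x100,
                               .size_of_raw_data = 0x80, .pointer_to_raw_data = 0x0 };
    /* Crafted header: claims 0x180 bytes on disk for a 0x100-byte slot at the
     * very end of the image, so an unchecked copy runs 0x80 bytes past it. */
    struct pe_section crafted = { .virtual_size = 0x100, .virtual_address = 0x200,
                                  .size_of_raw_data = 0x180, .pointer_to_raw_data = 0x80 };

    if (load_section(image, sizeof image, file, sizeof file, &text) != LOAD_OK)
        return 0;
    if (image[0x100] != 0xAA || image[0x17F] != 0xAA) return 0; /* copied      */
    if (image[0x180] != 0x00 || image[0x1FF] != 0x00) return 0; /* zero-filled */
    if (image[0x0FF] != 0xCC || image[0x200] != 0xCC) return 0; /* untouched   */

    if (copy_len_unsafe(&crafted) <= crafted.virtual_size)
        return 0;  /* the unsafe length really does exceed the slot */
    if (load_section(image, sizeof image, file, sizeof file, &crafted)
            != LOAD_ERR_RAW_GT_VIRT)
        return 0;
    if (image[0x200] != 0xCC)
        return 0;  /* rejected before writing anything */
    return 1;
}

int main(void)
{
    printf("section loader check: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

Note that the per-section bound check against SizeOfImage alone does not catch the crafted header, because it is computed from VirtualSize while the copy length comes from SizeOfRawData; the loader has to compare the two fields directly (or clamp the copy to VirtualSize). Rejecting rather than clamping is the conservative choice for a boot loader, since the Authenticode hash covers the section data as laid out by the headers and an inconsistent header is not an image worth loading.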
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2023-2086=1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-2086=1
- SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2023-2086=1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-2086=1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2023-2086=1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-2086=1
- SUSE Enterprise Storage 7
  zypper in -t patch SUSE-Storage-7-2023-2086=1
- SUSE CaaS Platform 4.0
  To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:
- SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
- SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
- SUSE Enterprise Storage 7 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
- SUSE CaaS Platform 4.0 (x86_64)
  - shim-debuginfo-15.7-150100.3.35.1
  - shim-15.7-150100.3.35.1
  - shim-debugsource-15.7-150100.3.35.1
References:
- https://www.suse.com/security/cve/CVE-2022-28737.html
- https://bugzilla.suse.com/show_bug.cgi?id=1185232
- https://bugzilla.suse.com/show_bug.cgi?id=1185261
- https://bugzilla.suse.com/show_bug.cgi?id=1185441
- https://bugzilla.suse.com/show_bug.cgi?id=1185621
- https://bugzilla.suse.com/show_bug.cgi?id=1187071
- https://bugzilla.suse.com/show_bug.cgi?id=1187260
- https://bugzilla.suse.com/show_bug.cgi?id=1193282
- https://bugzilla.suse.com/show_bug.cgi?id=1193315
- https://bugzilla.suse.com/show_bug.cgi?id=1198101
- https://bugzilla.suse.com/show_bug.cgi?id=1198458
- https://bugzilla.suse.com/show_bug.cgi?id=1201066
- https://bugzilla.suse.com/show_bug.cgi?id=1202120
- https://bugzilla.suse.com/show_bug.cgi?id=1205588
- https://jira.suse.com/browse/PED-127
- https://jira.suse.com/browse/PED-1273