disabling MokListXRT vendor dbx addendum (Was: Re: Report of (additional) boot regression on MacBookPro14,3 with 15.4)

Julian Andres Klode julian.klode at canonical.com
Mon May 24 14:52:32 BST 2021


On Fri, May 14, 2021 at 09:28:25AM -0700, Steve Langasek wrote:
> Hello,
> 
> We've just received in Ubuntu a report that shim 15.4 (with the added patch
> cherry-picked to solve the MokListRT issue) has regressed boot on a
> MacBookPro14,3.
> 
>   https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1928434
> 
> Is anyone else seeing this?  Do folks have access to (similar) Mac hardware
> to try to reproduce?  The relevant Ubuntu shim binary can be found in the
> package here:
> 
>   https://launchpad.net/ubuntu/+source/shim-signed/1.47/+build/21482148/+files/shim-signed_1.47+15.4-0ubuntu2_amd64.deb

We believe that this, and several other issues we are seeing, are caused
by our vendor dbx being 19 KB large.

As such, we'd like to ship the attached patch to disable adding the
vendor dbx to MokListX when it is being mirrored to MokListXRT.

We do not believe that this is a security issue: The MokListXRT variable
is not used by our released kernels yet, and we can just bake the vendor
dbx into future kernels that do read MokListXRT and avoid passing it
through the limited storage space.

This should unblock MacBooks and the older ThinkPads which ran out of
storage space while trying to mirror the var :)

On a related note, we are also considering disabling mirroring entirely
when not booting securely, so we don't even try to write vars on
those MacBooks and X220 ThinkPads and such.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ubuntu-no-addend-vendor-dbx.patch
Type: text/x-diff
Size: 1269 bytes
Desc: not available
URL: <http://lists.einval.com/pipermail/efi/attachments/20210524/fca616db/attachment.patch>