UEFI image signing

Bug #1016594 reported by Colin Watson
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Colin Watson

Bug Description

As per https://lists.ubuntu.com/archives/ubuntu-devel/2012-June/035445.html, we need to implement support for publishing signed UEFI boot loaders. This will require:

 * installing Jeremy Kerr's sbsigntool utility on dogfood/staging?/production
 * generating a throwaway key for dogfood so that we can QA
 * installing the official Ubuntu UEFI signing key on production
 * landing a patch to add a new custom upload format, which is signed during publication

Given the value of signed UEFI images, we also want to ensure that uploads containing a UEFI image tarball are never auto-approved, but always require manual approval by an archive admin. (This approach has been agreed with the security team.)

Tags: qa-ok

Colin Watson (cjwatson)
Changed in launchpad:
assignee: nobody → Colin Watson (cjwatson)
status: New → In Progress
Curtis Hovey (sinzui)
Changed in launchpad:
importance: Undecided → High
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson) wrote :

Currently having some difficulty QAing this, as sbsign only handles amd64 images and dogfood only has an i386 builder attached right now.

Colin Watson (cjwatson) wrote :

I hacked around this by including an amd64 binary from production in the source package (since it wasn't the build process I needed to test). Once I got the details right, all looks good now.

tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
Maxim Kammerer (mkdesu) wrote :

@cjwatson: In case you are interested, I have added i386 support to sbsigntool, see the following patch:
https://github.com/mkdesu/liberte/blob/master/src/usr/local/portage/app-crypt/sbsigntool/files/sbsigntool-0.3-support-i386.patch

(also sent an email to Jeremy Kerr)
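
The comments above turn on which PE/COFF architecture sbsign could handle (amd64 versus i386). As an added example, not part of this bug thread and not Launchpad or sbsigntool code, the following Python reads the PE header of an EFI image to report its machine type and whether a certificate table is already present, a check a publisher could run before signing. The names `inspect_efi_image`, `build_sample` and `NotPEImage` are hypothetical, and the sample images are constructed.

```python
import struct

MACHINES = {0x8664: "amd64", 0x014C: "i386"}  # PE/COFF Machine field values
CERT_DIR = 4  # index of the Certificate Table data directory


class NotPEImage(ValueError):
    """Raised when the bytes are not a parseable PE/COFF image."""


def inspect_efi_image(data):
    """Return (machine, has_cert_table) for a PE/COFF image given as bytes.

    has_cert_table reports presence of signature data only; it does not
    verify the signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPEImage("missing DOS header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        raise NotPEImage("missing PE signature or COFF header")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = data[opt:opt + 2]
    dirs = {b"\x0b\x01": 96, b"\x0b\x02": 112}.get(magic)  # PE32 / PE32+
    if dirs is None or opt_size < dirs or len(data) < opt + opt_size:
        raise NotPEImage("bad or truncated optional header")
    (count,) = struct.unpack_from("<I", data, opt + dirs - 4)
    has_cert = False
    entry = dirs + 8 * CERT_DIR
    if count > CERT_DIR and entry + 8 <= opt_size:
        # For this directory the first field is a file offset, not an RVA.
        offset, size = struct.unpack_from("<II", data, opt + entry)
        has_cert = size > 0 and offset + size <= len(data)
    return MACHINES.get(machine, hex(machine)), has_cert


def build_sample(machine, pe32_plus, cert_len=0):
    """Build a constructed, header-only sample image (not bootable)."""
    dirs = 112 if pe32_plus else 96
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32_plus else 0x10B)
    struct.pack_into("<I", opt, dirs - 4, 16)  # NumberOfRvaAndSizes
    end = 0x40 + 4 + 20 + len(opt)
    if cert_len:
        struct.pack_into("<II", opt, dirs + 8 * CERT_DIR, end, cert_len)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt) + bytes(cert_len)
```

A present certificate table only shows that signature data is attached; checking it against a certificate is what `sbverify` from sbsigntool is for.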
