Ubuntu
linux-bluefield package

Check if secure boot is enabled with development keys

Bug #1948434 reported by Shravan Kumar Ramani
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux-bluefield (Ubuntu)
Invalid
Undecided
Unassigned
Focal
Fix Released
Medium
Shravan Kumar Ramani

Bug Description

SRU Justification:

[Impact]
Currently, there is no indication from mlx-bootctl when the user reads the lifecycle_state sysfs as to whether secure boot is enabled with development keys or production keys. In order to make this clear to the user, add a check in the driver.

[Fix]
Check the secure boot development mode status bit. If secure boot is enabled with the development key, then print it to the output buffer when lifecycle_state_show() is invoked.

[Test Case]
On a system in secure state, if it has been programmed with development keys, then reading the lifecycle_state sysfs entry in the mlx-bootctl driver should print a message that indicates the same.
Similarly, a secure system which has been programmed with production keys must print the appropriate message when the lifecycle_state sysfs is read.

[Regression Potential]
Can be considered minimum.

Stefan Bader (smb)
Changed in linux-bluefield (Ubuntu Focal):
assignee: nobody → Shravan Kumar Ramani (sramani)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1022.25 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Shravan Kumar Ramani (sramani)
tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (12.5 KiB)

This bug was fixed in the package linux-bluefield - 5.4.0-1022.25

---------------
linux-bluefield (5.4.0-1022.25) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1022.25 -proposed tracker (LP: #1949817)

  * Add RevID field to VPD info in EEPROM (LP: #1948436)
    - SAUCE: mlx-bootctl: Add RevID field to VPD info

  * Check if secure boot is enabled with development keys (LP: #1948434)
    - SAUCE: mlx-bootctl: Check secure boot development mode status bit

  [ Ubuntu: 5.4.0-91.102 ]

  * focal/linux: 5.4.0-91.102 -proposed tracker (LP: #1949840)
  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)
  * KVM emulation failure when booting into VM crash kernel with multiple CPUs
    (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT
  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt
  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()
  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc
  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command
  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1
  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"
  * Reassign I/O Path of ConnectX-5 Port 1 before Port 2 causes NULL dereference
    (LP: #1943464)
    - s390/pci: fix leak of PCI device structure
    - s390/pci: fix use after free of zpci_dev
    - s390/pci: fix zpci_zdev_put() on reserve
  * [SRU][F] USB: serial: pl2303: add support for PL2303HXN (LP: #1948377)
    - USB: serial: pl2303: add support for PL2303HXN
    - USB: serial: pl2303: fix line-speed handling on newer chips
  * Focal update: v5.4.151 upstream stable release (LP: #1947888)
    - tty: Fix out-of-bound vmalloc access in imageblit
    - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    - usb: cdns3: fix race condition before setting doorbell
    - fs-verity: fix signed integer overflow with i_size near S64_MAX
    - hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary
      structure field
    - hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary
      structure field
    - hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary
      structure field
    - scsi: ufs: Fix illegal offset in UPIU event trace
    - mac80211: fix use-after-free in CCMP/GCMP RX
    - x86/kvmclock: Move this_cpu_pvti into kvmclock.h
    - drm/amd/display: Pass PCI deviceid into DC
    - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
    - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enf...

Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.