Debian: mokutil program is missing from ISO image

Bug #2002259 reported by Li Zhou
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Li Zhou
Milestone:

Bug Description

Brief Description
-----------------
Debian-based StarlingX installations are missing the mokutil program. It is not necessary for the secure boot process, but it is a useful convenience utility for secure boot-related key enrollment operations.
Link to the package in question: https://packages.debian.org/bullseye/mokutil

Severity
--------
Major

Steps to Reproduce
------------------
Boot up the image and find no mokutil tool.

Expected Behavior
------------------
The mokutil tool is available

Actual Behavior
----------------
The mokutil tool isn't available

Reproducibility
---------------
Reproducible

System Configuration
--------------------
All

Branch/Pull Time/Commit
-----------------------

Last Pass
---------

Timestamp/Logs
--------------

Test Activity
-------------
Sanity

Workaround
----------

Li Zhou (lzhou2)
Changed in starlingx:
assignee: nobody → Li Zhou (lzhou2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/869533

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to root (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/root/+/869534

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kernel (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/kernel/+/870485

Ghada Khalil (gkhalil)
tags: added: stx.build stx.debian stx.tools
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/869533
Committed: https://opendev.org/starlingx/tools/commit/bb85f8348a46d348868e94205c1fd5c4d08752d6
Submitter: "Zuul (22348)"
Branch: master

commit bb85f8348a46d348868e94205c1fd5c4d08752d6
Author: Li Zhou <email address hidden>
Date: Fri Jan 6 16:53:38 2023 +0800

    Debian: add mokutil to downloader list

    Mokutil provides the means to enroll and erase the machine
    owner keys (MOK) stored in the database of shim.
    The mokutil tool is a convenience utility and we want to add it
    into the iso image.
    Here download mokutil package to prepare for the installation.

    Test Plan:
     The tests are done with all 3 commits for root/tools/kernel
     repos.
     PASS: build and install the iso image and boot up with secure boot
           enabled, run "sudo mokutil --sb-state", the result is:
           "SecureBoot enabled".
     PASS: run "sudo mokutil --import example.der";
           reboot the target;
           select to enroll the key in MOK manager before grub menu starts;
           check with "sudo mokutil --list-enrolled" to find the right key
           there after system boots up.
     PASS: above tests are done for both std and rt installations.

    This commit works together with below commits to add mokutil:
    https://review.opendev.org/c/starlingx/root/+/869534
    https://review.opendev.org/c/starlingx/kernel/+/870485

    Closes-Bug: 2002259

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: I287ca99797fb7ef6d3cb6ab10d738c7492b19f42

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to kernel (master)

Reviewed: https://review.opendev.org/c/starlingx/kernel/+/870485
Committed: https://opendev.org/starlingx/kernel/commit/093e7940ff35b31b33e131a74058df0f9aa59b9d
Submitter: "Zuul (22348)"
Branch: master

commit 093e7940ff35b31b33e131a74058df0f9aa59b9d
Author: Li Zhou <email address hidden>
Date: Fri Jan 13 19:25:57 2023 +0800

    Debian: config: don't unset CONFIG_EFIVAR_FS

    When testing mokutil we found that import/delete functions don't
    work fine without efivarfs.
    The efivarfs at /sys/firmware/efi/efivars is a new way to access
    the efi-variables and it is better supported by efi tools than the
    old way /sys/firmware/efi/vars. So here compile the efivarfs as a
    module by default. This won't affect the old way.

    Test Plan:
     The tests are done with all 3 commits for root/tools/kernel
     repos.
     PASS: build and install the iso image and boot up with secure boot
           enabled, run "sudo mokutil --sb-state", the result is:
           "SecureBoot enabled".
     PASS: run "sudo mokutil --import example.der";
           reboot the target;
           select to enroll the key in MOK manager before grub menu starts;
           check with "sudo mokutil --list-enrolled" to find the right key
           there after system boots up.
     PASS: above tests are done for both std and rt installations.

    Depends-On: https://review.opendev.org/c/starlingx/tools/+/869533

    Partial-Bug: 2002259

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: I1cc818717cacd9546e3045840398589a84192d7d
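
The kernel commit above ties mokutil's import/delete functions to efivarfs being available at /sys/firmware/efi/efivars. The following preflight check is an added example, not part of the commit or of StarlingX code; the function name `efi_preflight`, its status words and its return codes are this example's own, and the root directory is a parameter so the check can be run against a constructed tree.

```shell
#!/bin/sh
# Preflight before "mokutil --import": is efivarfs populated, and what does
# the firmware's SecureBoot variable say? (Added example; names are hypothetical.)

# GUID of the EFI global variable namespace, as defined by the UEFI specification.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efi_preflight [ROOT]   (ROOT defaults to /sys/firmware/efi)
# Prints one status word and returns:
#   0 enabled      SecureBoot variable is 1
#   1 disabled     SecureBoot variable is 0
#   2 no-efivarfs  EFI boot, but efivars is missing or empty, e.g. efivarfs
#                  not built, or built as a module and not loaded/mounted
#   3 not-efi      no EFI directory at all (legacy BIOS boot)
#   4 unsupported  efivarfs is populated but has no SecureBoot variable
efi_preflight() {
    root="${1:-/sys/firmware/efi}"
    [ -d "$root" ] || { echo "not-efi"; return 3; }

    vars="$root/efivars"
    if [ ! -d "$vars" ] || [ -z "$(ls -A "$vars" 2>/dev/null)" ]; then
        echo "no-efivarfs"
        return 2
    fi

    var="$vars/SecureBoot-$EFI_GLOBAL_GUID"
    [ -r "$var" ] || { echo "unsupported"; return 4; }

    # An efivarfs file holds 4 bytes of variable attributes followed by the
    # data; SecureBoot is a single byte, so read the byte at offset 4.
    state=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    if [ "$state" = "1" ]; then
        echo "enabled"
        return 0
    fi
    echo "disabled"
    return 1
}
```

Calling `efi_preflight` with no argument checks the running system; a `no-efivarfs` result means key enrollment should not be attempted until efivarfs is mounted.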

OpenStack Infra (hudson-openstack) wrote : Fix merged to root (master)

Reviewed: https://review.opendev.org/c/starlingx/root/+/869534
Committed: https://opendev.org/starlingx/root/commit/2bf25c429345b58c27a35c1195d2fe0739bef5e6
Submitter: "Zuul (22348)"
Branch: master

commit 2bf25c429345b58c27a35c1195d2fe0739bef5e6
Author: Li Zhou <email address hidden>
Date: Fri Jan 6 16:43:05 2023 +0800

    debian-image: add mokutil to iso image

    Mokutil provides the means to enroll and erase the machine
    owner keys (MOK) stored in the database of shim.
    The mokutil tool is a convenience utility and we want to add it
    into the iso image.

    Test Plan:
     The tests are done with all 3 commits for root/tools/kernel
     repos.
     PASS: build and install the iso image and boot up with secure boot
           enabled, run "sudo mokutil --sb-state", the result is:
           "SecureBoot enabled".
     PASS: run "sudo mokutil --import example.der";
           reboot the target;
           select to enroll the key in MOK manager before grub menu starts;
           check with "sudo mokutil --list-enrolled" to find the right key
           there after system boots up.
     PASS: above tests are done for both std and rt installations.

    Depends-On: https://review.opendev.org/c/starlingx/tools/+/869533

    Partial-Bug: 2002259

    Signed-off-by: Li Zhou <email address hidden>
    Change-Id: Ic460eaa07955cf63162d0b5236a4bf99b3a2492b

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.8.0