[SRU] Enforce using signed kernels and modules on UEFI

Bug #1574727 reported by Mathieu Trudel-Lapierre on 2016-04-25
Affects                   Importance   Assigned to
dkms (Ubuntu)             Undecided    Unassigned
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
efibootmgr (Ubuntu)       Undecided    Unassigned
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
efivar (Ubuntu)           Undecided    Unassigned
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
grub2 (Ubuntu)            Undecided    Unassigned
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
grub2-signed (Ubuntu)     Undecided    Unassigned
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
mokutil (Ubuntu)          Undecided    Unassigned
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
shim (Ubuntu)             Undecided    Unassigned
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned
shim-signed (Ubuntu)      High         Mathieu Trudel-Lapierre
  Precise                 Undecided    Unassigned
  Trusty                  Undecided    Unassigned
  Wily                    Undecided    Unassigned
  Xenial                  Undecided    Unassigned

Bug Description

[Rationale]
Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.

[Impact]
All our users booting in UEFI; on all supported releases.

[Test cases]
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

Test cases here are separated by the components that need to be changed:

= mokutil =

Adding a MOK key:
1) Install system
2) Run 'mokutil --import <file.der>' to import a signing certificate.
3) On reboot, validate that MOK prompts to add the new key.

Toggling Secure Boot state:
1) Install system
2) mokutil --enable-validation or mokutil --disable-validation
3) Validate that on reboot MOK prompts to change Secure Boot state.

Listing keys:
1) mokutil --list-enrolled
-- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot.

= efivar =

libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries, we rely on mokutil / sbsigntool / efibootmgr to do testing.

1) Run efibootmgr -v ; verify it lists BootEntries.
2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot you can get into a boot menu that lists 'ubuntu2', and that picking that boot entry boots into Ubuntu.

= shim-signed =

1) Install system; upgrade to new packages
1b) Verify /proc/sys/kernel/secure_boot shows 1.
1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable Secure Boot if it's not already disabled.
3) Run 'sudo update-secureboot-policy'; validate you are not prompted again to disable Secure Boot.
4) Reboot; follow MOK steps to disable Secure Boot.
4b) Verify /proc/sys/kernel/secure_boot shows 1.
4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to enable Secure Boot.
6) Reboot; follow MOK steps to re-enable Secure Boot.
6b) Verify /proc/sys/kernel/secure_boot shows 1.
6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.

= grub2 =

Booting signed kernels:
1) Try to boot a custom kernel
2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature)

Prompting on upgrade:
0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot'
2) Upgrade to the new grub2 package (you may need to download the updated package beforehand)
3) Validate that grub2 prompts you to disable shim validation.

= dkms =

Prompting for dkms on install:
1) Install r8168-dkms
2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts.

Prompting for dkms on upgrade
0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot'
2) Upgrade to the new dkms package (you may need to download the updated package beforehand)
3) Validate that dkms prompts you to disable shim validation.

= shim =

Booting:
-> Validate that it allows booting grubx64.efi signed with the old key.
-> Validate that it allows booting grubx64.efi signed with the new key.

Validation toggle:
0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is present;
If MokSBStateRT is present:
1) sudo mokutil --enable-validation && sudo reboot
2) Validate that Mok asks you if you want to enable validation
Otherwise:
1) sudo mokutil --disable-validation && sudo reboot
2) Validate that Mok asks you if you want to disable validation
Finally:
3) Complete the process to toggle validation state, reboot, and verify whether MokSBStateRT is present.
4) Run mokutil again to toggle validation back to its former state.
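
Added example, not from the bug report or any Ubuntu package: a POSIX shell checker for the shim-signed checkpoints (steps 1b/1c, 4b/4c, 6b/6c) and for step 0 of the shim validation-toggle test above. It reads the same three locations the test plan names (/proc/sys/kernel/secure_boot, /proc/sys/kernel/moksbstate_disabled and MokSBStateRT-* under efivars) and reports whether the observed state matches the plan; the state names and the optional root-directory argument (so a constructed tree can stand in for /) are my own.

```sh
#!/bin/sh
# Added example, not part of the bug report or any Ubuntu package.
# Classifies the Secure Boot / MOK validation state from the files the
# shim-signed and shim test cases read. The optional ROOT argument is
# prefixed to every path so a constructed tree can stand in for / in tests.

read_flag() {
    # Print the digit stored in a flag file, or "-" when the file is absent.
    if [ -r "$1" ]; then tr -d '[:space:]' < "$1"; else printf '%s' '-'; fi
}

# sb_state [ROOT]: print one of enforcing, mok-disabled, secure-boot-off, unknown.
sb_state() {
    root="${1:-}"
    sb=$(read_flag "$root/proc/sys/kernel/secure_boot")
    mok=$(read_flag "$root/proc/sys/kernel/moksbstate_disabled")
    # MokSBStateRT-<guid> is present in efivars only while shim is running
    # with validation disabled; the shim "validation toggle" test keys on it.
    rt=no
    for f in "$root"/sys/firmware/efi/efivars/MokSBStateRT-*; do
        if [ -e "$f" ]; then rt=yes; fi
    done
    case "$sb:$mok" in
        1:0) state=enforcing ;;            # firmware SB on, shim validating
        1:1) state=mok-disabled ;;         # firmware SB on, shim told not to validate
        0:*|-:*) state=secure-boot-off ;;  # firmware SB off or non-UEFI boot
        *) state=unknown ;;                # e.g. kernel without the moksbstate sysctl
    esac
    # Cross-check the kernel's view against the variable shim leaves behind.
    if [ "$state" = enforcing ] && [ "$rt" = yes ]; then
        echo "warning: moksbstate_disabled=0 but MokSBStateRT is present" >&2
    elif [ "$state" = mok-disabled ] && [ "$rt" = no ]; then
        echo "warning: moksbstate_disabled=1 but MokSBStateRT is absent" >&2
    fi
    printf '%s\n' "$state"
}

# expected_state STEP: the state the test plan expects at each checkpoint
# (after-upgrade = steps 1b/1c, after-mok-disable = 4b/4c, after-mok-enable = 6b/6c).
expected_state() {
    case "$1" in
        after-upgrade|after-mok-enable) printf 'enforcing\n' ;;
        after-mok-disable) printf 'mok-disabled\n' ;;
        *) printf 'unknown-step\n' ;;
    esac
}

# check_step STEP [ROOT]: exit 0 when the observed state matches the plan.
check_step() {
    want=$(expected_state "$1")
    got=$(sb_state "${2:-}")
    if [ "$want" = "$got" ]; then
        printf 'ok: %s -> %s\n' "$1" "$got"
        return 0
    fi
    printf 'MISMATCH at %s: expected %s, observed %s\n' "$1" "$want" "$got"
    return 1
}

# Usage: sh sb-state.sh [STEP]; with no STEP the current state is just printed.
if [ -n "${1:-}" ]; then check_step "$1"; else sb_state; fi
```

Run it as root after each reboot in the shim-signed test case, e.g. `sh sb-state.sh after-mok-disable` after step 4, and the warning on stderr flags the case where the kernel's moksbstate view and shim's efivar disagree.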

[Regression Potential]
Issues to watch out for:
- (dkms) not prompting on upgrade of a dkms package/dkms itself if validation is currently enabled (provided debconf does not have dkms/disable_secureboot seen and set to false)
- (dkms, on new shim) prompting unnecessarily if validation is already disabled
- (grub) not prompting on upgrade ...
- (grub) not prompting on upgrade across releases if validation is disabled; without the applied SRU on original release.
- (grub, on new shim) prompting unnecessarily ...
- (shim) failing to boot on some firmware that doesn't correctly follow specification
- (shim) failing to load a properly-signed grub
- (shim) accepting to load a badly-signed grub

This also needs a mokutil update, as the version in >=14.04 will not work correctly with *-lts* kernels.

That should have read, any version of mokutil below 0.3.0-0ubuntu3~ will not work correctly with lts kernels on the LTS releases.

Changed in efivar (Ubuntu Wily):
status: New → Fix Released
Changed in efivar (Ubuntu Xenial):
status: New → Fix Released
Changed in efivar (Ubuntu Yakkety):
status: New → Fix Released
Changed in dkms (Ubuntu Xenial):
status: New → Fix Released
no longer affects: dkms (Ubuntu Yakkety)
no longer affects: efivar (Ubuntu Yakkety)
no longer affects: grub2 (Ubuntu Yakkety)
no longer affects: grub2-signed (Ubuntu Yakkety)
no longer affects: mokutil (Ubuntu Yakkety)
no longer affects: shim (Ubuntu Yakkety)
Changed in mokutil (Ubuntu Xenial):
status: New → Fix Released
Changed in mokutil (Ubuntu):
status: New → Fix Released
Changed in dkms (Ubuntu):
status: New → Fix Released
Steve Langasek (vorlon) on 2016-04-26
Changed in efivar (Ubuntu Trusty):
status: New → Fix Committed

Hello Mathieu, or anyone else affected,

Accepted mokutil into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in mokutil (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed
Changed in mokutil (Ubuntu Wily):
status: New → Fix Committed
Chris J Arges (arges) wrote :

Hello Mathieu, or anyone else affected,

Accepted mokutil into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~15.10.1 in a few hours, and then in the -proposed repository.

Changed in shim-signed (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
importance: Undecided → High
status: New → Fix Released
Andy Whitcroft (apw) wrote :

For completeness the kernel side of this is being tracked under bug #1566221.

Changed in efibootmgr (Ubuntu):
status: New → Fix Released
Changed in efibootmgr (Ubuntu Xenial):
status: New → Fix Released
Changed in efibootmgr (Ubuntu Wily):
status: New → Fix Released
Chris J Arges (arges) wrote :

Hello Mathieu, or anyone else affected,

Accepted efibootmgr into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/efibootmgr/0.12-4ubuntu1~12.04.1 in a few hours, and then in the -proposed repository.

Changed in efibootmgr (Ubuntu Precise):
status: New → Fix Committed
Changed in efibootmgr (Ubuntu Trusty):
status: New → Fix Committed
Chris J Arges (arges) wrote :

Hello Mathieu, or anyone else affected,

Accepted efibootmgr into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/efibootmgr/0.12-4ubuntu1~14.04.1 in a few hours, and then in the -proposed repository.

Steve Langasek (vorlon) wrote :

Accepted mokutil into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~12.04.1 in a few hours, and then in the -proposed repository.

Changed in mokutil (Ubuntu Precise):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

This efibootmgr upload to precise and trusty is not required; it was only included because of a Breaks: from libefivar0 to older versions of efibootmgr, but in 14.04 and older, efibootmgr does not depend on libefivar0 at all so there is no runtime incompatibility.

The efivar in trusty should be adjusted to drop the versioned Breaks: on efibootmgr; and I will remove the efibootmgr uploads from trusty-proposed and precise-proposed.

Changed in efibootmgr (Ubuntu Precise):
status: Fix Committed → Invalid
Changed in efibootmgr (Ubuntu Trusty):
status: Fix Committed → Invalid
Steve Langasek (vorlon) wrote :

New upload required for efivar in trusty, to drop the spurious Breaks:.

Changed in efivar (Ubuntu Trusty):
status: Fix Committed → In Progress
Steve Langasek (vorlon) wrote :

Accepted efivar into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/efivar/0.21-1~12.04.1 in a few hours, and then in the -proposed repository.

Changed in efivar (Ubuntu Precise):
status: New → Fix Committed
Steve Langasek (vorlon) on 2016-06-01
Changed in efivar (Ubuntu Trusty):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.14~16.04.1 in a few hours, and then in the -proposed repository.

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.1 in a few hours, and then in the -proposed repository.

Changed in grub2 (Ubuntu Xenial):
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted dkms into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu11.1 in a few hours, and then in the -proposed repository.

Changed in grub2-signed (Ubuntu Xenial):
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.66.1 in a few hours, and then in the -proposed repository.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.1

---------------
grub2 (2.02~beta2-36ubuntu3.1) xenial; urgency=medium

  * debian/postinst.in: replace setup_mok_validation with a call to
    update-secureboot-policy, a script shipped by shim-signed.
    (LP: #1574727)
  * debian/control: drop Depends on mokutil, we're not calling it directly.

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 20 May 2016 15:04:00 -0400

Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.66.1

---------------
grub2-signed (1.66.1) xenial; urgency=medium

  * Rebuild against grub2 2.02~beta2-36ubuntu3.1. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 12 May 2016 09:46:16 -0400

Changed in grub2-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Meh, I meant to release grub2{,-signed} for trusty, fat-fingered this. I removed the copy into -updates, as this is premature.

Changed in grub2 (Ubuntu Xenial):
status: Fix Released → Fix Committed
Changed in grub2-signed (Ubuntu Xenial):
status: Fix Released → Fix Committed
Changed in shim-signed (Ubuntu Wily):
status: New → In Progress
Changed in shim-signed (Ubuntu Trusty):
status: New → In Progress
Changed in shim-signed (Ubuntu Precise):
status: New → In Progress
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.15~16.04.1 in a few hours, and then in the -proposed repository.

precise:
- verified efivar & sbsigntool
- verified mokutil

Verification passes for these SRUs.

tags: added: verification-done-precise
description: updated
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.15~15.10.1 in a few hours, and then in the -proposed repository.

Changed in shim-signed (Ubuntu Wily):
status: In Progress → Fix Committed
Changed in dkms (Ubuntu Wily):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted dkms into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu6.2 in a few hours, and then in the -proposed repository.

Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.15~14.04.1 in a few hours, and then in the -proposed repository.

Changed in shim-signed (Ubuntu Trusty):
status: In Progress → Fix Committed
Changed in dkms (Ubuntu Trusty):
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted dkms into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-1.1ubuntu5.14.04.6 in a few hours, and then in the -proposed repository.

Changed in grub2 (Ubuntu Trusty):
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.9 in a few hours, and then in the -proposed repository.

Changed in grub2-signed (Ubuntu Trusty):
status: New → Fix Committed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.10 in a few hours, and then in the -proposed repository.

Changed in shim-signed (Ubuntu Precise):
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.15~12.04.1 in a few hours, and then in the -proposed repository.

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of grub2 from xenial-proposed was performed and bug 1596133 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596133 (not this bug). Thanks!

tags: added: verification-failed

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shim-signed from wily-proposed was performed and bug 1596230 was found. Please investigate that bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596230 (not this bug). Thanks!

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.11 in a few hours, and then in the -proposed repository.

tags: removed: verification-failed

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shim-signed from wily-proposed was performed and bug 1596230 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596230 (not this bug). Thanks!

tags: added: verification-failed

Hello Mathieu, or anyone else affected,

Accepted grub2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.10 in a few hours, and then in the -proposed repository.

tags: removed: verification-failed
Martin Pitt (pitti) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.12 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Having reviewed and discussed the changes to grub in the SRU queue, I have concluded that the grub2 SRU is both insufficient (because upgrade ordering does not ensure that the update-secureboot-policy command is available when grub is upgraded) and unnecessary (because shim-signed should apply the policy itself, so grub doesn't need to).

I am rejecting / removing the grub2 and grub2-signed SRUs for this. shim-signed needs a reupload, so that it directly calls update-secureboot-policy in postinst on upgrade - not just when triggered by another package.

Later, when we are changing grub to refuse to boot kernels whose signature doesn't verify, we will need to ensure that an appropriate version of shim-signed is installed first. But that should be done with a Breaks against older versions of shim, not with conditional postinst logic.

Changed in grub2-signed (Ubuntu Wily):
status: New → Invalid
Steve Langasek (vorlon) wrote :

xenial still needs an SRU to drop the previous setup_mok_validation code (but not add update-secureboot-policy).

Changed in grub2-signed (Ubuntu Xenial):
status: Fix Committed → In Progress
Changed in grub2 (Ubuntu Wily):
status: New → Invalid
Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → In Progress
Steve Langasek (vorlon) on 2016-06-28
Changed in grub2 (Ubuntu Trusty):
status: Fix Committed → Invalid
Steve Langasek (vorlon) on 2016-06-28
Changed in grub2-signed (Ubuntu Trusty):
status: Fix Committed → Invalid

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shim-signed from wily-proposed was performed and bug 1596230 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596230 (not this bug). Thanks!

tags: added: verification-failed
Steve Langasek (vorlon) on 2016-06-28
Changed in grub2-signed (Ubuntu Precise):
status: New → Invalid
Changed in grub2 (Ubuntu Precise):
status: New → Invalid

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.16~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-failed
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.16~15.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.16~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.16~12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of grub2 from xenial-proposed was performed and bug 1596133 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596133 (not this bug). Thanks!

tags: added: verification-failed
Steve Langasek (vorlon) on 2016-06-30
tags: removed: verification-failed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~12.04.1

---------------
mokutil (0.3.0-0ubuntu3~12.04.1) precise; urgency=medium

  * Backport to precise: (LP: #1574727)
    - debian/patches/precise-gcc-options.patch: drop to building against the
      gnu99 standard, rather than gnu11.

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Apr 2016 10:54:07 -0400

Changed in mokutil (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package efivar - 0.21-1~12.04.1

---------------
efivar (0.21-1~12.04.1) precise; urgency=medium

  * Backport efivar to 12.04; to support mokutil. (LP: #1574727)
    - debian/patches/port-nvme-support.patch: define the NVME ID IOCTL (only
      required to successfully build on precise).
    - debian/patches/port-char16_t-support.patch: provide a char16_t type
      without depending on new unicode in C11, gcc 4.4 already has the
      CHAR16_TYPE we need to provide the feature.
    - debian/patches/precise-gcc-options.patch: Drop -std=gnu11 to -std=gnu99,
      and -Wmaybe-uninitialized completely.
  * debian/control: remove spurious Breaks for efibootmgr; the efibootmgr in
    12.04 does not have a runtime dependency on libefivar0 so no Breaks is
    needed.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 02 Nov 2015 16:08:16 -0600

Changed in efivar (Ubuntu Precise):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) on 2016-06-30
tags: removed: verification-done-precise
tags: added: verification-done
removed: verification-needed
Steve Langasek (vorlon) wrote :

There are about 10 packages being SRUed here, and no information given in the preceding tag change about what testing has been done. So I have my doubts that this tag really means all the SRUs have been verified for all releases :) Resetting.

tags: added: verification-needed
removed: verification-done

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shim-signed from trusty-proposed was performed and bug 1599051 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1599051 (not this bug). Thanks!

tags: added: verification-failed

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.17~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: removed: verification-failed
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.17~15.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.17~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.17~12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Verification-done for TRUSTY: efivar, mokutil, dkms, shim-signed all found to be working as expected. Test cases pass.

tags: added: verification-done-trusty

Verification-done for WILY: mokutil, dkms, shim-signed all found to be working as expected. Test cases pass.

Verification done for XENIAL: grub2-signed, dkms, shim-signed all found to be working as expected. Test cases pass. As previously discussed, the grub2-signed update is not especially useful in itself and does need to drop the calls to mokutil, but will need a further SRU to remove calling update-secureboot-policy later.

tags: added: verification-done-wily
tags: added: verification-done-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~14.04.1

---------------
mokutil (0.3.0-0ubuntu3~14.04.1) trusty; urgency=medium

  * Backport mokutil to trusty. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Apr 2016 10:59:59 -0400

Changed in mokutil (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.6

---------------
dkms (2.2.0.3-1.1ubuntu5.14.04.6) trusty; urgency=medium

  * debian/patches/shim_secureboot_support.patch: use update-secureboot-policy,
    which has the benefit of being handled via triggers, to allow users to
    toggle validation in shim. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 20 May 2016 14:46:26 -0400

Changed in dkms (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.17~14.04.1

---------------
shim-signed (1.17~14.04.1) trusty; urgency=medium

  * Backport shim-signed 1.17 to 14.04. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 07 Jul 2016 20:17:24 -0400

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~15.10.1

---------------
mokutil (0.3.0-0ubuntu3~15.10.1) wily; urgency=medium

  * Backport mokutil to wily. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Apr 2016 11:04:30 -0400

Changed in mokutil (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 2.2.0.3-2ubuntu6.2

---------------
dkms (2.2.0.3-2ubuntu6.2) wily; urgency=medium

  * debian/patches/shim_secureboot_support.patch: use update-secureboot-policy,
    which has the benefit of being handled via triggers, to allow users to
    toggle validation in shim. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 20 May 2016 14:46:26 -0400

Changed in dkms (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.17~15.10.1

---------------
shim-signed (1.17~15.10.1) wily; urgency=medium

  * Backport shim-signed 1.17 to 15.10. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 07 Jul 2016 20:17:24 -0400

Changed in shim-signed (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.17~16.04.1

---------------
shim-signed (1.17~16.04.1) xenial; urgency=medium

  * Backport shim-signed 1.17 to 16.04. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 07 Jul 2016 20:17:24 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.1

---------------
grub2 (2.02~beta2-36ubuntu3.1) xenial; urgency=medium

  * debian/postinst.in: replace setup_mok_validation with a call to
    update-secureboot-policy, a script shipped by shim-signed.
    (LP: #1574727)
  * debian/control: drop Depends on mokutil, we're not calling it directly.

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 20 May 2016 15:04:00 -0400

Changed in grub2 (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.66.1

---------------
grub2-signed (1.66.1) xenial; urgency=medium

  * Rebuild against grub2 2.02~beta2-36ubuntu3.1. (LP: #1574727)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 12 May 2016 09:46:16 -0400

Changed in grub2-signed (Ubuntu Xenial):
status: In Progress → Fix Released

efivar for trusty ended up not being needed.

Changed in efivar (Ubuntu Trusty):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) on 2016-09-09
Changed in efivar (Ubuntu Trusty):
status: Fix Released → Invalid

Verification-successful for shim-signed on precise --- all that is required is there: the update-secureboot-policy script does what it should and is run as expected.

However, it looks like MokManager.efi (which isn't something coming from shim-signed) isn't installed on the system under /boot/efi/EFI/ubuntu. This isn't a regression since it does not appear that it was ever automatically installed. Still, this breaks the workflow of toggling shim validation, so it must be fixed ASAP.

tags: added: verification-done-precise
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.18~12.04.1

---------------
shim-signed (1.18~12.04.1) precise; urgency=medium

  * update-secureboot-policy: If /proc/sys/kernel/moksbstate_disabled is
    present, prefer this unconditionally over MokSBStateRT. LP: #1604873.

 -- Steve Langasek <email address hidden> Wed, 20 Jul 2016 16:22:42 -0700

Changed in shim-signed (Ubuntu Precise):
status: Fix Committed → Fix Released
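A read-only check of the two points raised in the last comments, as an added example (my own script, not the bug's or shim-signed's update-secureboot-policy): the precedence of /proc/sys/kernel/moksbstate_disabled over the MokSBStateRT variable, and whether MokManager.efi is present under the ESP. Assumptions: the sysctl reads 1 when validation is disabled, MokSBStateRT's single data byte is 0x01 in that case, and the efivarfs path uses the shim lock GUID; file paths are parameters so the check can be run against copies of a system's state.

```shell
#!/bin/sh
# Added example, not shipped by shim-signed. Reports the shim validation
# state and the MokManager.efi presence that the verification comments
# above rely on. Defaults are the live locations; any path can be
# overridden for testing against copied files.

SHIM_LOCK_GUID="605dab50-e046-4300-abb6-3dd810dd8b23"   # shim's MOK variable GUID
DEFAULT_SYSCTL="/proc/sys/kernel/moksbstate_disabled"
DEFAULT_EFIVAR="/sys/firmware/efi/efivars/MokSBStateRT-$SHIM_LOCK_GUID"
DEFAULT_ESP="/boot/efi"

# shim_validation_state [SYSCTL_FILE] [EFIVAR_FILE]
# Prints "disabled" when shim validation has been switched off via MOK,
# "enabled" when it is on, "unknown" when neither source is readable.
# Same precedence as the 1.18~12.04.1 changelog: the sysctl, when present,
# wins over MokSBStateRT.
shim_validation_state() {
    sysctl_file="${1:-$DEFAULT_SYSCTL}"
    efivar_file="${2:-$DEFAULT_EFIVAR}"
    if [ -r "$sysctl_file" ]; then
        # Assumption: the sysctl reads "1" when validation is disabled.
        if [ "$(cat "$sysctl_file")" = "1" ]; then
            echo disabled
        else
            echo enabled
        fi
        return 0
    fi
    if [ -r "$efivar_file" ]; then
        # efivarfs prefixes the data with 4 attribute bytes; the single data
        # byte of MokSBStateRT is assumed to be 0x01 when validation is off.
        byte=$(od -An -tx1 -j4 -N1 "$efivar_file" | tr -d ' \n')
        if [ "$byte" = "01" ]; then
            echo disabled
        else
            echo enabled
        fi
        return 0
    fi
    echo unknown
}

# mokmanager_present [ESP_DIR]
# Succeeds when MokManager.efi sits next to shim in the ESP; the toggle
# workflow (enrolling MOK changes at reboot) cannot complete without it.
mokmanager_present() {
    esp="${1:-$DEFAULT_ESP}"
    [ -f "$esp/EFI/ubuntu/MokManager.efi" ]
}

# Stand-alone run: report both checks for the live system.
if [ "${0##*/}" != "sh" ] && [ -z "$SHIM_CHECK_NO_MAIN" ]; then
    echo "shim validation: $(shim_validation_state)"
    if mokmanager_present; then
        echo "MokManager.efi: present"
    else
        echo "MokManager.efi: MISSING under $DEFAULT_ESP/EFI/ubuntu"
    fi
fi
```

Run it as root on a UEFI system; a "disabled" result with a missing MokManager.efi is exactly the broken-workflow combination the precise comment describes.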

The update of shim, grub, mokutil and others to use signed kernels and modules is mostly done; one further step that needs to happen is to have grub enforce that kernels are properly signed, and refuse to load unsigned kernels (rather than falling back from the linuxefi module which checks signatures, to linux which doesn't).

In the interest of clarity, I'll close the tasks here as Invalid for what is left as "New", and we'll move this "last step" to bug 1401532 which is clearly about this issue.

Changed in grub2-signed (Ubuntu):
status: New → Invalid
Changed in grub2 (Ubuntu):
status: New → Invalid