[SRU] Enforce using signed kernels and modules on UEFI
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
dkms (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Won't Fix | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Wily | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
efibootmgr (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Invalid | Undecided | Unassigned |
Trusty | Invalid | Undecided | Unassigned |
Wily | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
efivar (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Trusty | Invalid | Undecided | Unassigned |
Wily | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
grub2 (Ubuntu) | Invalid | Undecided | Unassigned |
Precise | Invalid | Undecided | Unassigned |
Trusty | Invalid | Undecided | Unassigned |
Wily | Invalid | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
grub2-signed (Ubuntu) | Invalid | Undecided | Unassigned |
Precise | Invalid | Undecided | Unassigned |
Trusty | Invalid | Undecided | Unassigned |
Wily | Invalid | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
mokutil (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Wily | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
shim (Ubuntu) | New | Undecided | Unassigned |
Precise | Won't Fix | Undecided | Unassigned |
Trusty | New | Undecided | Unassigned |
Wily | New | Undecided | Unassigned |
Xenial | New | Undecided | Unassigned |
shim-signed (Ubuntu) | Fix Released | High | Mathieu Trudel-Lapierre |
Precise | Fix Released | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Wily | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |

Bug Description
[Rationale]
Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.
[Impact]
All our users booting in UEFI; on all supported releases.
[Test cases]
https:/
Test cases here are separated by the components that need to be changed:
= mokutil =
Adding a MOK key:
1) Install system
2) Run 'mokutil --import <file.der>' to import a signing certificate.
3) On reboot; validate MOK prompts for new MOK key to add.
Toggling Secure Boot state:
1) Install system
2) mokutil --enable-validation or mokutil --disable-
3) Validate that on reboot MOK prompts to change Secure Boot state.
Listing keys:
1) mokutil --list-enrolled
-- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot.
= efivar =
libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing.
1) Run efibootmgr -v ; verify it lists BootEntries.
2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\
= shim-signed =
1) Install system; upgrade to new packages
1b) Verify /proc/sys/
1c) Verify /proc/sys/
2) Run 'sudo update-
3) Run 'sudo update-
4) Reboot; follow MOK steps to disable Secure Boot.
4b) Verify /proc/sys/
4c) Verify /proc/sys/
5) Run 'sudo update-
6) Reboot; follow MOK steps to re-enable Secure Boot.
6b) Verify /proc/sys/
6c) Verify /proc/sys/
= grub2 =
Booting signed kernels:
1) Try to boot a custom kernel
2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature)
Prompting on upgrade:
0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot'
2) Upgrade to the new grub2 package (you may need to download the updated package beforehand)
3) Validate that grub2 prompts you to disable shim validation.
= dkms =
Prompting for dkms on install:
1) Install r8168-dkms
2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts.
Prompting for dkms on upgrade:
0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot'
2) Upgrade to the new dkms package (you may need to download the updated package beforehand)
3) Validate that dkms prompts you to disable shim validation.
= shim =
Booting:
-> Validate that it allows booting grubx64.efi signed with the old key.
-> Validate that it allows booting grubx64.efi signed with the new key.
Validation toggle:
0) Boot the system; verify if /sys/firmware/
If MokSBStateRT is present:
1) sudo mokutil --enable-validation && sudo reboot
2) Validate that Mok asks you if you want to enable validation
Otherwise:
1) sudo mokutil --disable-
2) Validate that Mok asks you if you want to disable validation
Finally:
3) Complete the process to toggle validation state, reboot, and verify whether MokSBStateRT is present.
4) Run mokutil again to toggle validation back to its former state.
[Regression Potential]
Issues to watch out for:
- (dkms) not prompting on upgrade of a dkms package/dkms itself if validation is currently enabled (provided debconf does not have dkms/disable_
- (dkms, on new shim) prompting unnecessarily if validation is already disabled
- (grub) not prompting on upgrade ...
- (grub) not prompting on upgrade across releases if validation is disabled; without the applied SRU on original release.
- (grub, on new shim) prompting unnecessarily ...
- (shim) failing to boot on some firmware that doesn't correctly follow specification
- (shim) failing to load a properly-signed grub
- (shim) accepting to load a badly-signed grub
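
The "Validation toggle" check from the shim test case can be scripted as below. This is an added example, not code from the bug report or from shim/mokutil; the function names are hypothetical, and it assumes efivarfs is mounted at /sys/firmware/efi/efivars and that mokutil accepts `--disable-validation` (the report's own path and command are truncated).

```shell
#!/bin/sh
# Added example (not from the bug report). Assumption: efivarfs is mounted at
# /sys/firmware/efi/efivars; pass another directory as $1 to override.
EFIVARS_DEFAULT=/sys/firmware/efi/efivars

# An efivarfs file is 4 bytes of attributes followed by the variable data.
# Print the first data byte (byte 5) as a decimal number, or nothing.
efivar_first_byte() {
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# Firmware Secure Boot state: enabled, disabled or unknown.
firmware_secure_boot() {
    dir=${1:-$EFIVARS_DEFAULT}
    for f in "$dir"/SecureBoot-*; do
        [ -f "$f" ] || continue
        case "$(efivar_first_byte "$f")" in
            1) echo enabled; return 0 ;;
            0) echo disabled; return 0 ;;
        esac
    done
    echo unknown
}

# Shim validation state, using the same presence test as the bug's
# "Validation toggle" case: MokSBStateRT present means validation is off.
shim_validation() {
    dir=${1:-$EFIVARS_DEFAULT}
    if [ ! -d "$dir" ]; then echo unknown; return 0; fi
    for f in "$dir"/MokSBStateRT-*; do
        if [ -e "$f" ]; then echo disabled; return 0; fi
    done
    echo enabled
}

# The mokutil command the test case would run next from the current state.
next_toggle() {
    case "$(shim_validation "$1")" in
        disabled) echo "mokutil --enable-validation" ;;
        enabled)  echo "mokutil --disable-validation" ;;
        *)        return 1 ;;
    esac
}

printf 'firmware Secure Boot: %s, shim validation: %s\n' \
    "$(firmware_secure_boot)" "$(shim_validation)"
```

On a host that did not boot via UEFI both states print as "unknown", which is the case to alert on in fleet checks that expect Secure Boot everywhere.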
Changed in efivar (Ubuntu Wily):
status: New → Fix Released
Changed in efivar (Ubuntu Xenial):
status: New → Fix Released
Changed in efivar (Ubuntu Yakkety):
status: New → Fix Released
Changed in dkms (Ubuntu Xenial):
status: New → Fix Released
no longer affects: dkms (Ubuntu Yakkety)
no longer affects: efivar (Ubuntu Yakkety)
no longer affects: grub2 (Ubuntu Yakkety)
no longer affects: grub2-signed (Ubuntu Yakkety)
no longer affects: mokutil (Ubuntu Yakkety)
no longer affects: shim (Ubuntu Yakkety)
Changed in mokutil (Ubuntu Xenial):
status: New → Fix Released
Changed in mokutil (Ubuntu):
status: New → Fix Released
Changed in dkms (Ubuntu):
status: New → Fix Released
Changed in efivar (Ubuntu Trusty):
status: New → Fix Committed
Changed in shim-signed (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
importance: Undecided → High
status: New → Fix Released
Changed in efibootmgr (Ubuntu):
status: New → Fix Released
Changed in efibootmgr (Ubuntu Xenial):
status: New → Fix Released
Changed in efibootmgr (Ubuntu Wily):
status: New → Fix Released
Changed in efivar (Ubuntu Trusty):
status: In Progress → Fix Committed
Changed in shim-signed (Ubuntu Wily):
status: New → In Progress
Changed in shim-signed (Ubuntu Trusty):
status: New → In Progress
Changed in shim-signed (Ubuntu Precise):
status: New → In Progress
description: updated
Changed in grub2 (Ubuntu Trusty):
status: Fix Committed → Invalid
Changed in grub2-signed (Ubuntu Trusty):
status: Fix Committed → Invalid
Changed in grub2-signed (Ubuntu Precise):
status: New → Invalid
Changed in grub2 (Ubuntu Precise):
status: New → Invalid
tags: removed: verification-failed
tags: removed: verification-done-precise
tags: added: verification-done removed: verification-needed
Changed in efivar (Ubuntu Trusty):
status: Fix Released → Invalid
This also needs a mokutil update, as the version in >=14.04 will not work correctly with *-lts* kernels.