linux and linux-signed may become skewed due to loose dependency (was Secure boot signature verification of linux kernel is failing with today's images)

Bug #1201444 reported by Para Siva on 2013-07-15
This bug affects 2 people
Affects                            Status  Importance  Assigned to     Milestone
linux-signed (Ubuntu)                      Critical    Andy Whitcroft
  Precise                                  Undecided   Unassigned
  Quantal                                  Medium      Andy Whitcroft
  Raring                                   Medium      Unassigned
  Saucy                                    Critical    Andy Whitcroft
linux-signed-lts-quantal (Ubuntu)          Undecided   Unassigned
  Precise                                  Undecided   Unassigned
  Quantal                                  Undecided   Unassigned
  Raring                                   Undecided   Unassigned
  Saucy                                    Undecided   Unassigned
linux-signed-lts-raring (Ubuntu)           Undecided   Unassigned
  Precise                                  Medium      Unassigned
  Quantal                                  Undecided   Unassigned
  Raring                                   Undecided   Unassigned
  Saucy                                    Undecided   Unassigned
linux-signed-lts-saucy (Ubuntu)            Undecided   Unassigned
  Precise                                  Undecided   Unassigned
  Quantal                                  Undecided   Unassigned
  Raring                                   Undecided   Unassigned
  Saucy                                    Undecided   Unassigned

Bug Description

Secure boot signature verification of linux kernel (3.10.0-2-generic #11) is failing with today's images (20130715) against the keys present in http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/files/head:/notes_testing/secure-boot/keys/

The test_efi_secure_boot_signatures test in the static validation test, present in http://bazaar.launchpad.net/~utah/utah/dev/view/head:/utah/isotest/iso_static_validation.py, accounts for this test, and the failure is as follows:
--------------------------------------------------------------------------------
__main__.TestValidateISO.test_efi_secure_boot_signatures

--------------------------------------------------------------------------------
DEBUG: Using iso at: /tmp/utah-saucy-desktop-amd64.iso
INFO: Preparing image: /tmp/utah-saucy-desktop-amd64.iso
INFO: /tmp/utah-saucy-desktop-amd64.iso is locally available as /tmp/utah-saucy-desktop-amd64.iso
INFO: Getting image type of /tmp/utah-saucy-desktop-amd64.iso
DEBUG: bsdtar list command: bsdtar -t -f /tmp/utah-saucy-desktop-amd64.iso
INFO: Image type is: desktop
DEBUG: Using normal image
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-desktop-amd64.iso ./.disk/info
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-desktop-amd64.iso -O .disk/info
INFO: Arch is: amd64
INFO: Series is saucy
DEBUG: Standard name for this iso is: saucy-desktop-amd64.iso
DEBUG: Generating verification certificates
DEBUG: Extracting UEFI boot and kernel images
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-desktop-amd64.iso ./EFI/BOOT/BOOTx64.EFI
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-desktop-amd64.iso -O EFI/BOOT/BOOTx64.EFI
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-desktop-amd64.iso ./EFI/BOOT/grubx64.efi
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-desktop-amd64.iso -O EFI/BOOT/grubx64.efi
DEBUG: bsdtar list command: bsdtar -t -v -f /tmp/utah-saucy-desktop-amd64.iso casper/vmlinuz.efi
DEBUG: bsdtar extract command: bsdtar -x -f /tmp/utah-saucy-desktop-amd64.iso -O casper/vmlinuz.efi
DEBUG: Verifying UEFI shim
DEBUG: Verifying UEFI grub
DEBUG: Detaching kernel signature
DEBUG: Verifying kernel signature
ERROR: test_efi_secure_boot_signatures (__main__.TestValidateISO)
ERROR: Traceback (most recent call last):
  File "/usr/lib/python2.7/unittest/case.py", line 327, in run
    testMethod()
  File "/usr/share/utah/isotest/iso_static_validation.py", line 505, in test_efi_secure_boot_signatures
    self.assertEqual(stdout, 'Signature verification OK\n')
  File "/usr/lib/python2.7/unittest/case.py", line 511, in assertEqual
    assertion_func(first, second, msg=msg)
  File "/usr/lib/python2.7/unittest/case.py", line 504, in _baseAssertEqual
    raise self.failureException(msg)
AssertionError: 'Signature verification failed\n' != 'Signature verification OK\n'

Para Siva (psivaa) on 2013-07-15
description: updated

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1201444

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: saucy
Andy Whitcroft (apw) on 2013-07-15
Changed in linux (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Critical

This is due to a static testing process and not during a run when the kernel actually gets used. Hence, marking the bug confirmed.

Changed in linux (Ubuntu):
status: In Progress → Confirmed
Andy Whitcroft (apw) on 2013-07-15
affects: linux (Ubuntu) → linux-signed (Ubuntu)
Changed in linux-signed (Ubuntu):
status: Confirmed → In Progress
status: In Progress → Fix Committed
Andy Whitcroft (apw) on 2013-07-15
Changed in linux-signed (Ubuntu Raring):
importance: Undecided → Medium
status: New → Triaged
status: Triaged → Fix Committed
summary: Secure boot signature verification of linux kernel is failing with
- today's images against
+ today's images
summary: + linux and linux-signed may become skewed due to loose dependency (was
Secure boot signature verification of linux kernel is failing with
- today's images
+ today's images)
Changed in linux-signed-lts-raring (Ubuntu Raring):
status: New → Invalid
Changed in linux-signed-lts-raring (Ubuntu Saucy):
status: New → Invalid
Changed in linux-signed (Ubuntu Precise):
status: New → Invalid
Changed in linux-signed-lts-raring (Ubuntu Precise):
importance: Undecided → Medium
Andy Whitcroft (apw) on 2013-07-15
Changed in linux-signed-lts-raring (Ubuntu Precise):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 3.10.0-3.12

---------------
linux-signed (3.10.0-3.12) saucy; urgency=low

  * Fix the version number constraint between linux and linux-signed to be
    '=' to ensure we cannot migrate linux without linux-signed being in
    lock step. (LP: #1201444)
  * Version 3.10.0-3.12
 -- Andy Whitcroft <email address hidden> Mon, 15 Jul 2013 17:31:09 +0100

Changed in linux-signed (Ubuntu Saucy):
status: Fix Committed → Fix Released
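
The lock-step constraint named in the changelog above can be checked over a package index before images are built. This is an added example, not part of the bug report or of the Ubuntu packaging: it flags signed-kernel packages whose dependency on the kernel image is anything other than a strict '='. The package-name prefixes, the sample stanzas (including the loose '>=' relation) and the rule that both packages carry the same version are assumptions.

```python
import re

# Constructed Packages-style stanzas (not from the bug report). The package
# names, versions and extra dependency are assumptions for illustration.
SAMPLE = """\
Package: linux-signed-image-3.10.0-2-generic
Version: 3.10.0-2.11
Depends: linux-image-3.10.0-2-generic (>= 3.10.0-2.10), sbsigntool

Package: linux-signed-image-3.10.0-3-generic
Version: 3.10.0-3.12
Depends: linux-image-3.10.0-3-generic (= 3.10.0-3.12), sbsigntool
"""

# One dependency relation: a name, optionally followed by "(op version)".
REL = re.compile(r"\s*(?P<name>[^\s(]+)\s*(?:\(\s*(?P<op><<|<=|=|>=|>>)\s*(?P<ver>[^)\s]+)\s*\))?")

def parse_stanzas(text):
    """Split control-file text into one {field: value} dict per stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:      # folded continuation line
                fields[last] += " " + line.strip()
            else:
                last, _, value = line.partition(":")
                fields[last] = value.strip()
        stanzas.append(fields)
    return stanzas

def skew_findings(text, signed="linux-signed-image-", image="linux-image-"):
    """List (package, reason) for signed packages not locked to their kernel."""
    findings = []
    for st in parse_stanzas(text):
        pkg, own = st.get("Package", ""), st.get("Version")
        if not pkg.startswith(signed):
            continue
        deps = [REL.match(d) for d in re.split(r"[,|]", st.get("Depends", ""))]
        deps = [m for m in deps if m and m["name"].startswith(image)]
        if not deps:
            findings.append((pkg, "no kernel image dependency"))
        for m in deps:
            if m["op"] != "=":
                findings.append((pkg, "%s: relation is %s, not '='" % (m["name"], m["op"] or "unversioned")))
            elif m["ver"] != own:  # assumption: both packages share one version
                findings.append((pkg, "%s: pinned to %s, not %s" % (m["name"], m["ver"], own)))
    return findings
```

Running `skew_findings(SAMPLE)` reports only the first constructed stanza, whose '>=' relation would let the kernel image move ahead of the signature shipped for it.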
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 3.8.0-29.42

---------------
linux-signed (3.8.0-29.42) raring; urgency=low

  * Version 3.8.0-29.42

linux-signed (3.8.0-28.41) raring; urgency=low

  * Version 3.8.0-28.41

  [ Andy Whitcroft ]

  * Fix the version number constraint between linux and linux-signed to be
    '=' to ensure we cannot migrate linux without linux-signed being in
    lock step. (LP: #1201444)
 -- Brad Figg <email address hidden> Tue, 13 Aug 2013 12:33:59 -0700

Changed in linux-signed (Ubuntu Raring):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-lts-raring - 3.8.0-29.42~precise1

---------------
linux-signed-lts-raring (3.8.0-29.42~precise1) precise; urgency=low

  * Master Version 3.8.0-29.42
 -- Brad Figg <email address hidden> Wed, 14 Aug 2013 08:47:25 -0700

Changed in linux-signed-lts-raring (Ubuntu Precise):
status: Fix Committed → Fix Released
Andy Whitcroft (apw) on 2013-10-23
Changed in linux-signed (Ubuntu Quantal):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
status: New → Fix Committed
Changed in linux-signed-lts-raring (Ubuntu Quantal):
status: New → Invalid
Andy Whitcroft (apw) on 2013-10-23
Changed in linux-signed-lts-raring (Ubuntu Precise):
status: Fix Released → Fix Committed
Changed in linux-signed-lts-quantal (Ubuntu):
status: New → Invalid
Changed in linux-signed-lts-quantal (Ubuntu Precise):
status: New → Fix Committed
Changed in linux-signed-lts-quantal (Ubuntu Quantal):
status: New → Invalid
Changed in linux-signed-lts-quantal (Ubuntu Raring):
status: New → Invalid
Changed in linux-signed-lts-quantal (Ubuntu Saucy):
status: New → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-lts-raring - 3.8.0-33.48~precise1

---------------
linux-signed-lts-raring (3.8.0-33.48~precise1) precise; urgency=low

  * Master Version 3.8.0-33.48

  [ Andy Whitcroft ]

  * Fix the version number constraint between linux and linux-signed to be
    '=' to ensure we cannot migrate linux without linux-signed being in
    lock step. (LP: #1201444)
 -- Steve Conklin <email address hidden> Thu, 24 Oct 2013 11:31:14 -0500

Changed in linux-signed-lts-raring (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-lts-quantal - 3.5.0-43.66~precise1

---------------
linux-signed-lts-quantal (3.5.0-43.66~precise1) precise; urgency=low

  * Master Version 3.5.0-43.66

  [ Andy Whitcroft ]

  * Fix the version number constraint between linux and linux-signed to be
    '=' to ensure we cannot migrate linux without linux-signed being in
    lock step. (LP: #1201444)
 -- Steve Conklin <email address hidden> Thu, 24 Oct 2013 09:58:39 -0500

Changed in linux-signed-lts-quantal (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 3.5.0-44.67

---------------
linux-signed (3.5.0-44.67) quantal; urgency=low

  * Version 3.5.0-44.67

  [ Andy Whitcroft ]

  * Fix the version number constraint between linux and linux-signed to be
    '=' to ensure we cannot migrate linux without linux-signed being in
    lock step. (LP: #1201444)
 -- Brad Figg <email address hidden> Tue, 12 Nov 2013 11:15:22 -0800

Changed in linux-signed (Ubuntu Quantal):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in linux-signed-lts-saucy (Ubuntu Quantal):
status: New → Won't Fix
Rolf Leggewie (r0lf) wrote :

raring has seen the end of its life and is no longer receiving any updates. Marking the raring task for this ticket as "Won't Fix".

Changed in linux-signed-lts-saucy (Ubuntu Raring):
status: New → Won't Fix
Rolf Leggewie (r0lf) wrote :

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

Changed in linux-signed-lts-saucy (Ubuntu Saucy):
status: New → Won't Fix