Regression on enabling the system for secureboot

Bug #1161566 reported by Dave Morley
This bug affects 1 person
Affects          Status         Importance   Assigned to   Milestone
linux (Ubuntu)   Fix Released   High         Unassigned
Raring           Fix Released   High         Unassigned

Bug Description

Issue:
Post install the system is unable to boot with secureboot enabled. I have disabled secureboot to access the machine for now. Please remind me to enable it again before I test for fixes :)

Steps:
1. Have a laptop with secure boot enabled
2. Install raring 64bit from 28/03/2013 iso
3. Complete the install
4. See "Ubuntu has been blocked by the current security policy"

Expected:
Install complete, system boot into Ubuntu.

I have previously installed with secure boot enabled with no issues. The last time was on Friday the 8th. So the breakage has happened somewhere between then and now.

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: linux-image-3.8.0-15-generic 3.8.0-15.25 [modified: boot/vmlinuz-3.8.0-15-generic]
ProcVersionSignature: Ubuntu 3.8.0-15.25-generic 3.8.4
Uname: Linux 3.8.0-15-generic x86_64
ApportVersion: 2.9.2-0ubuntu5
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: davmor2 2066 F.... pulseaudio
Date: Thu Mar 28 19:14:07 2013
HibernationDevice: RESUME=UUID=62804170-83e5-4cc9-9a1f-98ddc77cd5b4
InstallationDate: Installed on 2013-03-28 (0 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Alpha amd64 (20130328)
MachineType: LENOVO 2099
MarkForUpload: True
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.8.0-15-generic.efi.signed root=UUID=62a832f0-6f28-4695-b857-03f5be238695 ro quiet splash vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-3.8.0-15-generic N/A
 linux-backports-modules-3.8.0-15-generic N/A
 linux-firmware 1.104
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 08/23/2012
dmi.bios.vendor: LENOVO
dmi.bios.version: 5DCN89WW(V8.00)
dmi.board.asset.tag: No Asset Tag
dmi.board.name: INVALID
dmi.board.vendor: LENOVO
dmi.board.version: 31900003WIN8 STD MLT
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Lenovo IdeaPad Y580
dmi.modalias: dmi:bvnLENOVO:bvr5DCN89WW(V8.00):bd08/23/2012:svnLENOVO:pn2099:pvrLenovoIdeaPadY580:rvnLENOVO:rnINVALID:rvr31900003WIN8STDMLT:cvnLENOVO:ct10:cvrLenovoIdeaPadY580:
dmi.product.name: 2099
dmi.product.version: Lenovo IdeaPad Y580
dmi.sys.vendor: LENOVO

Dave Morley (davmor2) wrote :
Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: kernel-key

Brad Figg (brad-figg) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed

Joseph Salisbury (jsalisbury) wrote :

This may have been introduced by upstream 3.8.3 or 3.8.4 stable. Can you test the following 3.8 stable kernels:

v3.8.2: http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.8.2-raring/
v3.8.3: http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.8.3-raring/
v3.8.4: http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.8.4-raring/

You don't have to test every kernel, just up until the kernel that first has this bug.

One thing to note, you will need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

tags: added: performing-bisect

Joseph Salisbury (jsalisbury) wrote :

BTW, don't forget to re-enable secure boot before testing the kernels in comment #3 ;-)

tags: added: regression-update

Dave Morley (davmor2) wrote :

Joseph.

3.8.3 builds a new efi, 3.8.2 builds a new efi, 3.8.4 doesn't. However, on reboot, the minute I enable secure boot none of them boot. I'm wondering if I need to enable the secure boot for the kernel to be able to utilise the key in the UEFI. I don't know how it all works but then I can't boot the machine.

If you let me know a way around it I'm happy to try. I'm assuming it will require a live cd and a chroot of some sort.

Dave Morley (davmor2) wrote :

Today's ISO contains Linux 3.8.0-16-generic; this seems to enable the Secureboot feature again.

Tim Gardner (timg-tpi) wrote :

Fixed according to comment #6

Changed in linux (Ubuntu Raring):
status: Confirmed → Fix Released