[FFE] Update mokutil to fb6250f2
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | mokutil (Ubuntu) |
Undecided
|
Unassigned | ||
| | Trusty |
Undecided
|
Unassigned | ||
| | Xenial |
Undecided
|
Unassigned | ||
| | Bionic |
Undecided
|
Unassigned | ||
Bug Description
[Impact]
Potentially any Ubuntu users on UEFI systems; as mokutil is used to control from the userland the behavior of Secure Boot via shim.
New features have been introduced in mokutil that we'll want to make use of in supported releases along with the new shim updates:
- Better control of timeout for the MokManager prompts
- Exporting PK, KEK, DB, MOK keys to be used to streamline upgrades and avoid failing upgrades when custom-signed kernels are in use.
[Test case]
== Disabling timeout ==
1) Run 'sudo mokutil --timeout -1'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
2) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu.
== Changing timeout ==
1) Run 'sudo mokutil --timeout 666'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
2) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input.
== Exporting keys ==
1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc.
2) Validate that mokutil allows exporting the contents of DB, KEK, etc.
[Regression potential]
This affects the userland tool used to communicate tasks to have done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update.
---
Update mokutil to a git snapshot of fb6250f2.
Changes since cca7219 (current git snapshot in cosmic):
fb6250f Update TODO
af2387a Rename export_moks as export_db_keys
4efbb0e Add support for exporting other keys
f0217e5 add new --mok argument
73c045b set list-enrolled command as default for some arguments
382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled
303ee33 Correct help: --set-timeout is really --timeout
385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds
c8b26c2 Add the type casting to silence the warning
| summary: |
- Update mokutil to fb6250f2 + [FFE] Update mokutil to fb6250f2 |
| description: | updated |
THe principal feature we need here is --export; which will allow us to export keys from the firmware and compare kernel signatures to figure out whether kernels are signed with trusted keys, which will improve the experience on upgrades from previous releases. This is especially relevant in the event someone installs a package from the kernel PPA and re-signs it (or imports the certificate) to keep Secure Boot validation enabled.
| Steve Langasek (vorlon) wrote : | #3 |
FFe approved.
Test case not needed for an FFe, ignoring and have not reviewed.
| Changed in mokutil (Ubuntu): | |
| status: | New → Triaged |
| Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package mokutil - 0.3.0+153871043
---------------
mokutil (0.3.0+
* debian/
platforms where int != unsigned int.
-- Steve Langasek <email address hidden> Wed, 10 Oct 2018 22:41:15 -0700
| Changed in mokutil (Ubuntu): | |
| status: | Triaged → Fix Released |
Hello Mathieu, or anyone else affected,
Accepted mokutil into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in mokutil (Ubuntu Bionic): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed verification-needed-bionic |
Verification-done for mokutil 0.3.0+153871043
I have verified that timeout, export, and reset / toggle-validation features in mokutil all work, as a verification for the new features and smoketesting for the existing features already in use.
When using timeout, export, reset and toggle-validation, mokutil correctly writes the variables in the firmware that cause the system to boot next into MokManager to process the requests.
ubuntu@
mokutil:
Installed: 0.3.0+153871043
Candidate: 0.3.0+153871043
Version table:
*** 0.3.0+153871043
-1 http://
100 /var/lib/
0.3.0-0ubuntu5 500
500 http://
ubuntu@
ubuntu@
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
Signature Algorithm: sha256WithRSAEn
Issuer: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = <email address hidden>
Validity
Not Before: Jun 20 21:48:46 2018 GMT
Not After : Jun 17 21:48:46 2028 GMT
Subject: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = <email address hidden>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
[...]
| tags: |
added: verification-done-bionic removed: verification-needed verification-needed-bionic |
| Robie Basak (racb) wrote : | #7 |
> All Ubuntu users on UEFI systems
All Ubuntu users on UEIF systems...what?
Since I don't understand what bug is being fixed here, I'll move on. I guess other SRU team members must understand the background already, so I guess they can manage the release if they're satisfied, or if you want to update the bug description so that others can understand it, I'm happy to look again.
| description: | updated |
| Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package mokutil - 0.3.0+153871043
---------------
mokutil (0.3.0+
* Backport mokutil 0.3.0+153871043
(LP: #1797011)
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 Oct 2018 14:55:12 -0400
| Changed in mokutil (Ubuntu Bionic): | |
| status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for mokutil has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Hello Mathieu, or anyone else affected,
Accepted mokutil into xenial-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| Changed in mokutil (Ubuntu Xenial): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed verification-needed-xenial |
| Changed in mokutil (Ubuntu Trusty): | |
| status: | New → Fix Committed |
| tags: | added: verification-needed-trusty |
| Brian Murray (brian-murray) wrote : | #11 |
Hello Mathieu, or anyone else affected,
Accepted mokutil into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.
| tags: | added: id-5bbd25580c30e754dd2d61ed |
Verification-done for xenial: mokutil 0.3.0+153871043
Verification-done for trusty: mokutil 0.3.0+153871043
Verified that 'mokutil --reset', 'mokutil --export --db', 'mokutil --export --mok' as well as setting a timeout via 'mokutil --timeout' are all working as expected.
| tags: |
added: verification-done-trusty verification-done-xenial removed: id-5bbd25580c30e754dd2d61ed verification-needed verification-needed-trusty verification-needed-xenial |
| Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package mokutil - 0.3.0+153871043
---------------
mokutil (0.3.0+
* Backport mokutil 0.3.0+153871043
(LP: #1797011)
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 Oct 2018 14:55:12 -0400
| Changed in mokutil (Ubuntu Xenial): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #14 |
This bug was fixed in the package mokutil - 0.3.0+153871043
---------------
mokutil (0.3.0+
* Backport mokutil 0.3.0+153871043
(LP: #1797011)
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 Oct 2018 14:55:12 -0400
| Changed in mokutil (Ubuntu Trusty): | |
| status: | Fix Committed → Fix Released |
| tags: | added: id-5bbd25580c30e754dd2d61ed |
Package builds and installs fine (see attached build log):
╭─ mtrudel@demeter …/cosmic
╰─ sudo dpkg -i mokutil_
[sudo] password for mtrudel:
(Reading database ... 148467 files and directories currently installed.)
Preparing to unpack mokutil_
Unpacking mokutil (0.3.0+
Setting up mokutil (0.3.0+
Processing triggers for man-db (2.8.4-2) ...