[FFE] Update mokutil to fb6250f2

Bug #1797011 reported by Mathieu Trudel-Lapierre on 2018-10-10
Affects             Status   Importance   Assigned to   Milestone
mokutil (Ubuntu)             Undecided    Unassigned
Trusty                       Undecided    Unassigned
Xenial                       Undecided    Unassigned
Bionic                       Undecided    Unassigned

Bug Description

[Impact]
Potentially any Ubuntu user on a UEFI system, as mokutil is the userland tool that controls the behaviour of Secure Boot via shim.

New features have been introduced in mokutil that we'll want to make use of in supported releases along with the new shim updates:

 - Better control of timeout for the MokManager prompts
 - Exporting PK, KEK, DB, MOK keys to be used to streamline upgrades and avoid failing upgrades when custom-signed kernels are in use.

[Test case]

== Disabling timeout ==
1) Run 'sudo mokutil --timeout -1'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager).
3) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu.

== Changing timeout ==
1) Run 'sudo mokutil --timeout 666'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager).
3) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input.

== Exporting keys ==
1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc.
2) Validate that mokutil allows exporting the contents of DB, KEK, etc.

[Regression potential]
This affects the userland tool used to queue tasks for MokManager to perform at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or to list keys should be investigated as a possible regression caused by this update.

---

Update mokutil to a git snapshot of fb6250f2.

Changes since cca7219 (current git snapshot in cosmic):

fb6250f Update TODO
af2387a Rename export_moks as export_db_keys
4efbb0e Add support for exporting other keys
f0217e5 add new --mok argument
73c045b set list-enrolled command as default for some arguments
382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled
303ee33 Correct help: --set-timeout is really --timeout
385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds
c8b26c2 Add the type casting to silence the warning

summary: - Update mokutil to fb6250f2
+ [FFE] Update mokutil to fb6250f2
description: updated

Package builds and installs fine (see attached build log):

╭─ mtrudel@demeter   …/cosmic 
╰─ sudo dpkg -i mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64.deb
[sudo] password for mtrudel:
(Reading database ... 148467 files and directories currently installed.)
Preparing to unpack mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64.deb ...
Unpacking mokutil (0.3.0+1538710437.fb6250f-0ubuntu1) over (0.3.0+1531796165.cca7219-0ubuntu1) ...
Setting up mokutil (0.3.0+1538710437.fb6250f-0ubuntu1) ...
Processing triggers for man-db (2.8.4-2) ...

The principal feature we need here is --export, which will allow us to export keys from the firmware and compare kernel signatures to figure out whether kernels are signed with trusted keys, which will improve the experience on upgrades from previous releases. This is especially relevant in the event someone installs a package from the kernel PPA and re-signs it (or imports the certificate) to keep Secure Boot validation enabled.
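
As an added example (not from the bug report and not mokutil's own code), a script that uses the exported keys the way the comment above describes: it exports the firmware DB and the enrolled MOK certificates with --export, converts the DER files to PEM, and checks each installed kernel against them with sbverify from sbsigntool. It assumes mokutil, openssl and sbverify are installed on a UEFI-booted system; that a bare `mokutil --export` writes the enrolled MOK certificates is an assumption.

```shell
#!/bin/sh
# Added example, not part of the bug report or of mokutil itself.
# Assumes: mokutil with --export, openssl, sbverify (sbsigntool), UEFI boot.

# export_trust_store DIR: write the firmware DB and enrolled MOK
# certificates into DIR as PEM files. mokutil writes DER files such as
# DB-0001.der into the current directory, so run it inside DIR.
export_trust_store() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        mokutil --export --db >/dev/null 2>&1   # DB: from the bug's test case
        mokutil --export >/dev/null 2>&1        # MOK: assumed to export MOK keys
        for der in *.der; do
            [ -f "$der" ] || continue
            openssl x509 -inform DER -in "$der" -out "${der%.der}.pem"
        done
    )
}

# kernel_trusted_by DIR KERNEL: print the PEM file(s) in DIR whose key
# signed KERNEL. Exit codes: 0 trusted, 1 signed by none of the exported
# certificates, 2 no certificates found in DIR, 3 kernel image missing.
kernel_trusted_by() {
    dir=$1 kernel=$2 found=1
    [ -f "$kernel" ] || return 3
    set -- "$dir"/*.pem
    [ -f "$1" ] || return 2
    for pem in "$@"; do
        # sbverify exits 0 only when the image carries a signature that
        # validates against this certificate.
        if sbverify --cert "$pem" "$kernel" >/dev/null 2>&1; then
            echo "$kernel: signed by $(basename "$pem")"
            found=0
        fi
    done
    return $found
}

# Typical run: export the trust store, then check every installed kernel.
main() {
    store=${1:-/tmp/sb-certs}
    export_trust_store "$store"
    for k in /boot/vmlinuz-*; do
        kernel_trusted_by "$store" "$k" ||
            echo "$k: NOT signed by any exported DB/MOK certificate (rc=$?)"
    done
}

# Only run the full check when invoked as: sh thisscript.sh --run [DIR]
case ${1-} in --run) main "$2" ;; esac
```

A kernel reported as not signed by any exported certificate is exactly the case the comment warns about: it would fail shim validation after the upgrade unless its signing certificate is enrolled as a MOK first.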

Steve Langasek (vorlon) wrote :

FFe approved.

Test case not needed for an FFe, ignoring and have not reviewed.

Changed in mokutil (Ubuntu):
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.3.0+1538710437.fb6250f-0ubuntu2

---------------
mokutil (0.3.0+1538710437.fb6250f-0ubuntu2) cosmic; urgency=medium

  * debian/patches/int-signedness.patch: Fix compile failure on
    platforms where int != unsigned int.

 -- Steve Langasek <email address hidden> Wed, 10 Oct 2018 22:41:15 -0700

Changed in mokutil (Ubuntu):
status: Triaged → Fix Released

Hello Mathieu, or anyone else affected,

Accepted mokutil into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in mokutil (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic

Verification-done for mokutil 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 on bionic:

I have verified that timeout, export, and reset / toggle-validation features in mokutil all work, as a verification for the new features and smoketesting for the existing features already in use.

When using timeout, export, reset and toggle-validation, mokutil correctly writes the variables in the firmware that cause the system to boot next into MokManager to process the requests.

ubuntu@lucky-moth:~$ apt-cache policy mokutil
mokutil:
  Installed: 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1
  Candidate: 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1
  Version table:
 *** 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 501
         -1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     0.3.0-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

ubuntu@lucky-moth:~$ sudo mokutil --export --kek
ubuntu@lucky-moth:~$ openssl x509 -inform DER -in KEK-0001.der -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            94:cb:af:49:cd:56:a7:d8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = <email address hidden>
        Validity
            Not Before: Jun 20 21:48:46 2018 GMT
            Not After : Jun 17 21:48:46 2028 GMT
        Subject: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = <email address hidden>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
[...]

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Robie Basak (racb) wrote :

> All Ubuntu users on UEFI systems

All Ubuntu users on UEFI systems...what?

Since I don't understand what bug is being fixed here, I'll move on. I guess other SRU team members must understand the background already, so I guess they can manage the release if they're satisfied, or if you want to update the bug description so that others can understand it, I'm happy to look again.

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1

---------------
mokutil (0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1) bionic; urgency=medium

  * Backport mokutil 0.3.0+1538710437.fb6250f-0ubuntu2 to 18.04.
    (LP: #1797011)

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 Oct 2018 14:55:12 -0400

Changed in mokutil (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for mokutil has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hello Mathieu, or anyone else affected,

Accepted mokutil into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0+1538710437.fb6250f-0ubuntu2~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in mokutil (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Changed in mokutil (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Brian Murray (brian-murray) wrote :

Hello Mathieu, or anyone else affected,

Accepted mokutil into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0+1538710437.fb6250f-0ubuntu2~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: id-5bbd25580c30e754dd2d61ed