2018-10-10 00:41:11 |
Mathieu Trudel-Lapierre |
bug |
|
|
added bug |
2018-10-10 00:41:24 |
Mathieu Trudel-Lapierre |
summary |
Update mokutil to fb6250f2 |
[FFE] Update mokutil to fb6250f2 |
|
2018-10-10 00:43:05 |
Mathieu Trudel-Lapierre |
description |
[Impact]
All Ubuntu users on UEFI systems
[Test case]
== Disabling timeout ==
1) Run 'sudo mokutil --timeout -1'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu.
== Changing timeout ==
1) Run 'sudo mokutil --timeout 666'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input.
== Exporting keys ==
1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc.
2) Validate that mokutil allows exporting the contents of DB, KEK, etc.
[Regression potential]
This affects the userland tool used to communicate tasks to be done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update.
---
Update mokutil to a git snapshot of fb6250f2. |
[Impact]
All Ubuntu users on UEFI systems
[Test case]
== Disabling timeout ==
1) Run 'sudo mokutil --timeout -1'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu.
== Changing timeout ==
1) Run 'sudo mokutil --timeout 666'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input.
== Exporting keys ==
1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc.
2) Validate that mokutil allows exporting the contents of DB, KEK, etc.
[Regression potential]
This affects the userland tool used to communicate tasks to be done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update.
---
Update mokutil to a git snapshot of fb6250f2.
Changes since cca7219 (current git snapshot in cosmic):
fb6250f Update TODO
af2387a Rename export_moks as export_db_keys
4efbb0e Add support for exporting other keys
f0217e5 add new --mok argument
73c045b set list-enrolled command as default for some arguments
382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled
303ee33 Correct help: --set-timeout is really --timeout
385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds
c8b26c2 Add the type casting to silence the warning |
|
2018-10-10 14:33:44 |
Mathieu Trudel-Lapierre |
attachment added |
|
mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64-2018-10-10T00:52:21Z.build https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+attachment/5199516/+files/mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64-2018-10-10T00%3A52%3A21Z.build |
|
2018-10-10 14:36:22 |
Mathieu Trudel-Lapierre |
bug |
|
|
added subscriber Ubuntu Release Team |
2018-10-10 16:32:30 |
Steve Langasek |
mokutil (Ubuntu): status |
New |
Triaged |
|
2018-10-11 09:27:57 |
Launchpad Janitor |
mokutil (Ubuntu): status |
Triaged |
Fix Released |
|
2018-10-23 21:54:42 |
Brian Murray |
mokutil (Ubuntu Bionic): status |
New |
Fix Committed |
|
2018-10-23 21:54:43 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-10-23 21:54:45 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2018-10-23 21:54:48 |
Brian Murray |
tags |
|
verification-needed verification-needed-bionic |
|
2018-10-25 17:25:29 |
Mathieu Trudel-Lapierre |
tags |
verification-needed verification-needed-bionic |
verification-done-bionic |
|
2018-11-01 17:36:30 |
Mathieu Trudel-Lapierre |
description |
[Impact]
All Ubuntu users on UEFI systems
[Test case]
== Disabling timeout ==
1) Run 'sudo mokutil --timeout -1'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu.
== Changing timeout ==
1) Run 'sudo mokutil --timeout 666'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input.
== Exporting keys ==
1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc.
2) Validate that mokutil allows exporting the contents of DB, KEK, etc.
[Regression potential]
This affects the userland tool used to communicate tasks to be done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update.
---
Update mokutil to a git snapshot of fb6250f2.
Changes since cca7219 (current git snapshot in cosmic):
fb6250f Update TODO
af2387a Rename export_moks as export_db_keys
4efbb0e Add support for exporting other keys
f0217e5 add new --mok argument
73c045b set list-enrolled command as default for some arguments
382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled
303ee33 Correct help: --set-timeout is really --timeout
385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds
c8b26c2 Add the type casting to silence the warning |
[Impact]
Potentially any Ubuntu users on UEFI systems, as mokutil is used to control from the userland the behavior of Secure Boot via shim.
New features have been introduced in mokutil that we'll want to make use of in supported releases along with the new shim updates:
- Better control of timeout for the MokManager prompts
- Exporting PK, KEK, DB, MOK keys to be used to streamline upgrades and avoid failing upgrades when custom-signed kernels are in use.
[Test case]
== Disabling timeout ==
1) Run 'sudo mokutil --timeout -1'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu.
== Changing timeout ==
1) Run 'sudo mokutil --timeout 666'.
2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
3) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input.
== Exporting keys ==
1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc.
2) Validate that mokutil allows exporting the contents of DB, KEK, etc.
[Regression potential]
This affects the userland tool used to communicate tasks to be done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update.
---
Update mokutil to a git snapshot of fb6250f2.
Changes since cca7219 (current git snapshot in cosmic):
fb6250f Update TODO
af2387a Rename export_moks as export_db_keys
4efbb0e Add support for exporting other keys
f0217e5 add new --mok argument
73c045b set list-enrolled command as default for some arguments
382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled
303ee33 Correct help: --set-timeout is really --timeout
385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds
c8b26c2 Add the type casting to silence the warning |
|
2018-11-01 19:16:57 |
Launchpad Janitor |
mokutil (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2018-11-01 19:17:03 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-11-06 15:58:01 |
Brian Murray |
mokutil (Ubuntu Xenial): status |
New |
Fix Committed |
|
2018-11-06 15:58:03 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-11-06 15:58:08 |
Brian Murray |
tags |
verification-done-bionic |
verification-done-bionic verification-needed verification-needed-xenial |
|
2018-11-06 15:59:42 |
Brian Murray |
mokutil (Ubuntu Trusty): status |
New |
Fix Committed |
|
2018-11-06 15:59:46 |
Brian Murray |
tags |
verification-done-bionic verification-needed verification-needed-xenial |
verification-done-bionic verification-needed verification-needed-trusty verification-needed-xenial |
|
2018-11-10 13:34:55 |
Francis Ginther |
tags |
verification-done-bionic verification-needed verification-needed-trusty verification-needed-xenial |
id-5bbd25580c30e754dd2d61ed verification-done-bionic verification-needed verification-needed-trusty verification-needed-xenial |
|
2018-11-20 21:36:32 |
Mathieu Trudel-Lapierre |
tags |
id-5bbd25580c30e754dd2d61ed verification-done-bionic verification-needed verification-needed-trusty verification-needed-xenial |
verification-done-bionic verification-done-trusty verification-done-xenial |
|
2018-11-20 22:47:49 |
Launchpad Janitor |
mokutil (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-11-20 22:48:09 |
Launchpad Janitor |
mokutil (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2018-11-21 13:35:09 |
Francis Ginther |
tags |
verification-done-bionic verification-done-trusty verification-done-xenial |
id-5bbd25580c30e754dd2d61ed verification-done-bionic verification-done-trusty verification-done-xenial |
|