mokutil ignores timeout parameter

Bug #1869187 reported by Aleksander Miera
This bug affects 2 people
Affects                Importance   Assigned to
mokutil (Ubuntu)       Undecided    Unassigned
  Bionic               Undecided    Unassigned
  Eoan                 Undecided    Unassigned
  Focal                Undecided    Unassigned
  Groovy               Undecided    Unassigned
shim-signed (Ubuntu)   High         Unassigned
  Bionic               High         Matthieu Clemenceau
  Eoan                 High         Unassigned
  Focal                High         Unassigned
  Groovy               High         Unassigned

Bug Description

This section is for Bionic SRU purpose

[Impact]
Because mokutil ignores the timeout parameter in /usr/sbin/update-secureboot-policy
it becomes impossible to sign dkms-built modules with Secure Boot enabled

[Test Case]
On a bionic system with Secure Boot enabled (tested in a VM)
Make sure Secure Boot is enabled (should return: SecureBoot enabled)
# mokutil --sb-state

Then install a dkms driver
# sudo apt install fwts-efi-runtime-dkms
This should prompt mok manager menu to setup Secure Boot password
The key details will be under
# mokutil --list-new
# reboot

Without the patch nothing happens upon reboot. The system boots fully
and the driver isn't installed

With the solution installed, a menu will pop up on reboot to enroll the key
Once the key is enrolled it will show up under
# mokutil --list-enrolled

[Regression Potential]
This change is fairly minimal and has been shipping with Focal.
Possible regression could involve inability to sign other drivers.

[Other Info]
It appears the issue described here happens in bionic-proposed rather than bionic-updates. This is resolved with shim-signed 1.37~18.04.6

End SRU
------

Version info:
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
Ran upgrade and dist-upgrade on March 26th, just before reporting this.
mokutil:
  Installed: 0.3.0+1538710437.fb6250f-1
dkms:
  Installed: 2.8.1-5ubuntu1
shim-signed:
  Installed: 1.41+15+1552672080.a4a1fbe-0ubuntu1
Dell precision M3800, secure boot on (obviously)

The backstory of it is that in the development version of 20.04 it became impossible to sign dkms-built modules with Secure Boot enabled. The ncurses-based interface opens normally and prompts for the password twice (as usual), but after reboot the key-enrollment menu does not appear. After comparing all the packages involved in this process with the ones from 19.04, I managed to pinpoint the culprit, namely:
/usr/sbin/update-secureboot-policy, lines 111 and 120 call mokutil with the timeout parameter.

Removing that argument like this:
111c111
< printf '%s\n%s\n' "$key" "$again" | mokutil --enable-validation >/dev/null || true
---
> printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --enable-validation >/dev/null || true
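Review bot: Dropping `--timeout -1` from the `--enable-validation` call in the left-hand (patched) line also drops the protection that LP: #1856422 added, which the reporter acknowledges below. The shim-signed changelog later in this bug keeps the timeout but issues it in a separate mokutil run, because mokutil accepts only one command per invocation, as the reporter's own source analysis notes; the suggested shape is a `mokutil --timeout -1` line of its own immediately before `mokutil --enable-validation`.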
120c120
< printf '%s\n%s\n' "$key" "$again" | mokutil --import "$SB_KEY" >/dev/null || true
---
> printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true
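Review bot: The `>/dev/null || true` on the `--import` line is what lets this failure go unnoticed: when mokutil rejects the combined `--timeout -1 --import` command line and prints its usage, the non-zero exit is masked and the script continues as if the key had been staged, so the user only learns of the problem when no enrollment menu appears after reboot. Splitting the timeout into its own run (as the eventual fix does) addresses the cause; checking mokutil's exit status on the import step instead of masking it would make such a failure visible at install time.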

fixes the problem, yet to me it does not eliminate its root cause.
Picking up those trails, I decided to fiddle with mokutil itself. In my case, adding any --timeout param (not only -1, but any integer really) triggers it to display help/usage message, nothing more. For that reason I am quite convinced that my actions related to update-secureboot-policy script are merely a workaround, while mokutil is the actual source of the problem.

I am fully aware, that: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422 is a design decision, and I know why it was introduced. Yet, in case of my machine (several other ones to be checked soon) it breaks the signing process completely.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: mokutil 0.3.0+1538710437.fb6250f-1
ProcVersionSignature: Ubuntu 5.4.0-18.22-generic 5.4.24
Uname: Linux 5.4.0-18-generic x86_64
ApportVersion: 2.20.11-0ubuntu21
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Mar 26 12:08:06 2020
InstallationDate: Installed on 2020-03-16 (9 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Alpha amd64 (20200316)
SourcePackage: mokutil
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Aleksander Miera (amiera) wrote :
Revision history for this message
Aleksander Miera (amiera) wrote :

Ok, I have analyzed mokutil's src code and from what I understood, timeout has to be a single parameter. Of course, it can be changed there, but calling it several times in a row should do no harm either.

Splitting its invocation in two seems to fix the problem; the bug can be reassigned to shim-signed if needed, as the patch actually modifies that package.
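As an added example (not the shim-signed update-secureboot-policy script and not the patch attached to this bug), the sequence the accepted fix describes: set the MokManager timeout in its own mokutil run, then import the key in a second run, and return mokutil's exit status instead of masking it. It also covers the `mokutil --sb-state` check from the [Test Case]. `MOKUTIL` defaults to a constructed stub that mimics the single-command behaviour described above, so the script runs offline; pointing it at a real mokutil is possible, with the assumption that the `--timeout` run needs no password on stdin.

```shell
#!/bin/sh
# Added example, not the shim-signed update-secureboot-policy script.
# MOKUTIL defaults to the constructed stub below; set MOKUTIL=mokutil to use the real tool.
: "${MOKUTIL:=stub_mokutil}"

# Constructed stub reproducing the behaviour reported in this bug: mokutil
# treats --timeout as a command, so combining it with --import or
# --enable-validation prints a usage message and exits non-zero.
stub_mokutil() {
    cmds=0
    for arg in "$@"; do
        case "$arg" in
            --timeout|--import|--enable-validation) cmds=$((cmds + 1)) ;;
        esac
    done
    if [ "$cmds" -ne 1 ]; then
        echo "Usage: mokutil OPTIONS" >&2   # stand-in for mokutil's usage text
        return 1
    fi
    case "$1" in
        --import|--enable-validation) cat >/dev/null ;;  # consume the two password lines
    esac
    return 0
}

# Broken form, as update-secureboot-policy called mokutil before the fix:
# one run carrying both --timeout and --import. Unlike the original line it
# does not append `|| true`, so mokutil's failure reaches the caller.
enroll_combined() {
    key=$1; pw=$2
    printf '%s\n%s\n' "$pw" "$pw" | "$MOKUTIL" --timeout -1 --import "$key" >/dev/null
}

# Fixed form, following the changelog entry: --timeout -1 in its own run
# (assumption: that run needs no password on stdin), then the import.
enroll_split() {
    key=$1; pw=$2
    "$MOKUTIL" --timeout -1 </dev/null >/dev/null || return 1
    printf '%s\n%s\n' "$pw" "$pw" | "$MOKUTIL" --import "$key" >/dev/null || return 1
}

# [Test Case] helper: true when the text of `mokutil --sb-state` output,
# passed as the first argument, reports Secure Boot enabled.
sb_state_enabled() {
    printf '%s\n' "$1" | grep -q '^SecureBoot enabled'
}

# Stand-alone demonstration with a constructed (empty) key file.
if [ "${1:-}" = "--demo" ]; then
    key=$(mktemp)
    if enroll_combined "$key" secret 2>/dev/null; then
        echo "combined run unexpectedly succeeded"
    else
        echo "combined run failed as the bug describes"
    fi
    enroll_split "$key" secret && echo "split run succeeded"
    rm -f "$key"
fi
```

Run it with `--demo` to see the combined invocation fail against the stub while the split invocation succeeds; with `MOKUTIL=mokutil` on a Secure Boot machine, `enroll_split` performs the real two-step sequence and its return value tells the caller whether the key was actually staged for MokManager.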

information type: Public → Public Security
information type: Public Security → Public
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "shim-signed.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: rls-ff-incoming
Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu Focal):
status: New → Triaged
importance: Undecided → High
tags: removed: rls-ff-incoming
Revision history for this message
Aleksander Miera (amiera) wrote :

Sorry, mis-clicked something while browsing, could you please revert the status?

Changed in shim-signed (Ubuntu Focal):
status: Triaged → Invalid
Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu Focal):
status: Invalid → Triaged
Revision history for this message
Aleksander Miera (amiera) wrote :

Thanks.

BTW, is there any help we can provide to ensure the fix makes its way to the official 20.04 LTS release (I guess it might be tough, due to the release candidate being out today, am I right?), or at least one of the early updates?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.40.3

---------------
shim-signed (1.40.3) focal; urgency=medium

  * Depend on the correct version of grub-signed (LP: #1871895)

 -- Julian Andres Klode <email address hidden> Thu, 09 Apr 2020 20:48:31 +0200

Changed in shim-signed (Ubuntu Focal):
status: Triaged → Fix Released
tags: added: id-5e86040cabc56e279d442ddb
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mokutil (Ubuntu Focal):
status: New → Confirmed
Changed in mokutil (Ubuntu):
status: New → Confirmed
Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu Bionic):
importance: Undecided → High
Changed in shim-signed (Ubuntu Eoan):
importance: Undecided → High
Changed in mokutil (Ubuntu Eoan):
status: New → Won't Fix
Changed in shim-signed (Ubuntu Eoan):
status: New → Won't Fix
Changed in shim-signed (Ubuntu Bionic):
assignee: nobody → Matthieu Clemenceau (mclemenceau)
description: updated
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Aleksander, or anyone else affected,

Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.37~18.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Revision history for this message
Matthieu Clemenceau (mclemenceau) wrote :

Confirmed shim-signed 1.37~18.04.6+15+1533136590.3beb971-0ubuntu1 from bionic-proposed fixes the problem described on this ticket

installed bionic
# apt update
# apt upgrade
edit /etc/apt/sources.list to include bionic-proposed
# apt update
# apt install shim-signed
# dpkg -l | grep shim-signed
ii shim-signed 1.37~18.04.6+15+1533136590.3beb971-0ubuntu1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)

Then install dkms firmware
# sudo apt install fwts-efi-runtime-dkms
Got prompt with a menu to set the MOK password

# reboot
Got prompt to enroll the MOK with previous password

Key shows as enrolled
# mokutil --list-enrolled

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.37~18.04.6

---------------
shim-signed (1.37~18.04.6) bionic; urgency=medium

  * Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187)
    thanks to Aleksander Miera for the patch.

shim-signed (1.37~18.04.5) bionic; urgency=medium

  * Fix versioned dependency on mokutil so that it matches the version in
    bionic-updates. LP: #1862632.

shim-signed (1.37~18.04.4) bionic; urgency=medium

  * Pass --timeout -1 to mokutil so that users don't end up with broken
    systems by missing MokManager on reboot after install. LP: #1856422.
  * Add a versioned dependency on the mokutil that introduces --timeout.

 -- Matthieu Clemenceau <email address hidden> Fri, 10 Jul 2020 14:27:41 -0500

Changed in shim-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Julian Andres Klode (juliank) wrote :

This bug is _not_ fixed in groovy, only in stable releases

Changed in shim-signed (Ubuntu Groovy):
status: Fix Released → Triaged
Changed in shim-signed (Ubuntu Groovy):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.45

---------------
shim-signed (1.45) groovy; urgency=medium

  * Merge back changes from focal that got lost in the shim revert, as
    groovy carried on from the reverted 1.41 upload and did not merge
    back 1.40.{1,2,3}:
    - Depend on the correct version of grub-signed (LP: #1871895)
    - Install grub to multiple ESPs (LP: #1871821)
    - Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187),
      thanks to Aleksander Miera for the patch.

 -- Julian Andres Klode <email address hidden> Wed, 21 Oct 2020 11:02:12 +0200

Changed in shim-signed (Ubuntu Groovy):
status: Fix Committed → Fix Released
Revision history for this message
Brian Murray (brian-murray) wrote :

The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release

Changed in mokutil (Ubuntu Groovy):
status: Confirmed → Won't Fix