update-secureboot-policy --enable does not work after dkms modules removed

Bug #1673904 reported by Steve Langasek on 2017-03-17
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shim-signed (Ubuntu)
Medium
Mathieu Trudel-Lapierre
Trusty
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
Zesty
Undecided
Unassigned

Bug Description

[Impact]
Re-enabling Secure Boot after DKMS packages are no longer needed is useful to benefit from the extra security afforded by having all bits of the bootloader and kernel signed by a proper key.

[Test Case]
(on a system with SHIM validation disabled)
1- Remove all dkms modules
2- Attempt to run 'sudo update-secureboot-policy --enable'
3- Observe the behavior.

With the fixed update-secureboot-policy script, you should be prompted to re-enable shim validation; which is otherwise skipped with no output with previous versions of the script in shim-signed.

[Regression Potential]
Possible regression from this update would be changes to expected behavior of the update-secureboot-policy script; such as being unable to correctly recognize the current state of Secure Boot and shim validation, or incorrectly returning before prompting for the password required to toggle shim validation when the shim validation state make sense to be changed (ie. prompting to enable when it is disabled only, prompting to disable only if it's currently enabled). Any change in proper prompting in a debconf non-interactive context could also be a regression from this update.

---

If I have disabled secureboot on my system via update-secureboot-policy due to the presence of dkms modules, but subsequently remove these dkms modules because I decide I don't like not having secureboot, I cannot re-enable SB by running 'update-secureboot-policy --enable'.

I think either the check for /var/lib/dkms should only apply when update-secureboot-policy is called without arguments, or this check should be encoded in the shim-signed postinst so that manual calls from the commandline DWIM.

Steve Langasek (vorlon) on 2017-06-03
Changed in shim-signed (Ubuntu):
importance: Undecided → Medium
Changed in shim-signed (Ubuntu):
status: New → Triaged
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.30

---------------
shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

 -- Mathieu Trudel-Lapierre <email address hidden> Fri, 23 Jun 2017 14:37:21 -0400

Changed in shim-signed (Ubuntu):
status: Triaged → Fix Released
description: updated

Hello Steve, or anyone else affected,

Accepted shim-signed into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Zesty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-zesty
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-yakkety to verification-done-yakkety. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-yakkety. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed-yakkety
Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

An upload of shim-signed to trusty-proposed has been rejected from the upload queue for the following reason: "needs adjusted versioned dep on grub2-common; drop ref to LP: #1624096 from changelog".

Hello Steve, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

This currently doesn't work on trusty, but would work as soon as the updated grub patches for SecureBoot are available in proposed. Not changing state for now -- this is essentially "verification-done" since I can reproduce the correct behavior by making sure moksbstate_disabled has the right value, but broken by the missing grub patches.

Verification-done on xenial, using shim-signed 1.32~16.04.1:

I verified that update-secureboot-policy --enable behaves as expected (can always re-enable Secure Boot, even when no DKMS packages are present).

tags: added: verification-done-xenial
removed: verification-needed-xenial
Steve Langasek (vorlon) wrote :

> but would work as soon as the updated grub patches for SecureBoot are available in proposed.

Which grub patches are missing, and what do you mean by "as soon as they are available in proposed"? grub2 2.02~beta2-9ubuntu1.14 was accepted into trusty-proposed at the same time as this shim.

I'm talking about the backports of SecureBoot patches as in Xenial, Yakkety and Zesty; those are not yet on Trusty (but I'm working on it).

Verification-done on zesty, using shim-signed 1.32~17.04.1:

update-secureboot-policy now works correctly after DKMS packages are removed (even before they are removed, update-secureboot-policy --enable is meant to work at all times when SB is disabled in shim).

tags: added: verification-done-zesty
removed: verification-needed verification-needed-yakkety verification-needed-zesty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~16.04.1

---------------
shim-signed (1.32~16.04.1) xenial; urgency=medium

  * Backport shim-signed 1.32 to 16.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP#1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 17:43:10 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~17.04.1

---------------
shim-signed (1.32~17.04.1) zesty; urgency=medium

  * Backport shim-signed 1.32 to 17.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP#1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 17:10:08 -0400

Changed in shim-signed (Ubuntu Zesty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers