2017-03-17 23:59:51 |
Steve Langasek |
bug |
|
|
added bug |
2017-06-03 07:11:34 |
Steve Langasek |
shim-signed (Ubuntu): importance |
Undecided |
Medium |
|
2017-06-23 19:06:15 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): status |
New |
Triaged |
|
2017-06-23 19:06:17 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2017-06-23 19:55:20 |
Launchpad Janitor |
shim-signed (Ubuntu): status |
Triaged |
Fix Released |
|
2017-07-12 19:49:40 |
Mathieu Trudel-Lapierre |
description |
If I have disabled secureboot on my system via update-secureboot-policy due to the presence of dkms modules, but subsequently remove these dkms modules because I decide I don't like not having secureboot, I cannot re-enable SB by running 'update-secureboot-policy --enable'.
I think either the check for /var/lib/dkms should only apply when update-secureboot-policy is called without arguments, or this check should be encoded in the shim-signed postinst so that manual calls from the commandline DWIM. |
[Impact]
Re-enabling Secure Boot after DKMS packages are no longer needed is useful to benefit from the extra security afforded by having all bits of the bootloader and kernel signed by a proper key.
[Test Case]
(on a system with SHIM validation disabled)
1- Remove all dkms modules
2- Attempt to run 'sudo update-secureboot-policy --enable'
3- Observe the behavior.
With the fixed update-secureboot-policy script, you should be prompted to re-enable shim validation, which is otherwise skipped with no output with previous versions of the script in shim-signed.
[Regression Potential]
Possible regression from this update would be changes to expected behavior of the update-secureboot-policy script, such as being unable to correctly recognize the current state of Secure Boot and shim validation, or incorrectly returning before prompting for the password required to toggle shim validation when the shim validation state makes sense to be changed (i.e. prompting to enable when it is disabled only, prompting to disable only if it's currently enabled). Any change in proper prompting in a debconf non-interactive context could also be a regression from this update.
---
If I have disabled secureboot on my system via update-secureboot-policy due to the presence of dkms modules, but subsequently remove these dkms modules because I decide I don't like not having secureboot, I cannot re-enable SB by running 'update-secureboot-policy --enable'.
I think either the check for /var/lib/dkms should only apply when update-secureboot-policy is called without arguments, or this check should be encoded in the shim-signed postinst so that manual calls from the commandline DWIM. |
|
2017-07-13 20:53:49 |
Steve Langasek |
shim-signed (Ubuntu Zesty): status |
New |
Fix Committed |
|
2017-07-13 20:53:50 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-07-13 20:53:52 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2017-07-13 20:53:56 |
Steve Langasek |
tags |
|
verification-needed verification-needed-zesty |
|
2017-07-13 21:02:40 |
Steve Langasek |
shim-signed (Ubuntu Yakkety): status |
New |
Fix Committed |
|
2017-07-13 21:02:46 |
Steve Langasek |
tags |
verification-needed verification-needed-zesty |
verification-needed verification-needed-yakkety verification-needed-zesty |
|
2017-07-13 21:06:34 |
Steve Langasek |
shim-signed (Ubuntu Xenial): status |
New |
Fix Committed |
|
2017-07-13 21:06:38 |
Steve Langasek |
tags |
verification-needed verification-needed-yakkety verification-needed-zesty |
verification-needed verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
|
2017-07-17 14:51:35 |
Steve Langasek |
shim-signed (Ubuntu Trusty): status |
New |
Fix Committed |
|
2017-07-17 14:51:38 |
Steve Langasek |
tags |
verification-needed verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
verification-needed verification-needed-trusty verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
|
2017-07-20 19:05:44 |
Mathieu Trudel-Lapierre |
tags |
verification-needed verification-needed-trusty verification-needed-xenial verification-needed-yakkety verification-needed-zesty |
verification-done-xenial verification-needed verification-needed-trusty verification-needed-yakkety verification-needed-zesty |
|
2017-07-24 19:41:29 |
Mathieu Trudel-Lapierre |
tags |
verification-done-xenial verification-needed verification-needed-trusty verification-needed-yakkety verification-needed-zesty |
verification-done-xenial verification-done-zesty verification-needed-trusty |
|
2017-07-28 00:46:31 |
Launchpad Janitor |
shim-signed (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2017-07-28 00:46:39 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2017-07-28 00:47:07 |
Launchpad Janitor |
shim-signed (Ubuntu Zesty): status |
Fix Committed |
Fix Released |
|
2017-08-28 15:29:46 |
Launchpad Janitor |
shim-signed (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2017-08-28 15:32:04 |
Mathieu Trudel-Lapierre |
tags |
verification-done-xenial verification-done-zesty verification-needed-trusty |
verification-done-trusty verification-done-xenial verification-done-zesty |
|