Ubuntu
shim-signed package

attach secureboot state files to shim-signed apport reports

Bug #1680279 reported by Steve Langasek
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shim-signed (Ubuntu)
Fix Released
Undecided
Unassigned
Trusty
Fix Released
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Committed
Undecided
Unassigned
Zesty
Fix Released
Undecided
Unassigned

Bug Description

[SRU Justification]
I'm asking the same questions repeatedly of bug submitters about the state of secureboot on their systems, so we should just include these files in the apport hook. Since shim-signed changes in stable releases for policy reasons, this should be SRUed back in as well.

[Test case]
1. Install the shim-signed package from -proposed
2. Run apport-bug shim-signed
3. Confirm that the apport collection succeeds
4. Verify that the report to be sent includes keys for two files under /sys/firmware/efi/efivars and for /proc/sys/kernel/moksbstate_disabled

[Regression potential]
If I done messed up, we could fail to get bug reports about shim that we really need.

Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu):
status: New → Fix Released
Revision history for this message
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.28~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed
Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Andy Whitcroft (apw) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.28~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verified shim-signed 1.28~16.04.1 in xenial.

MokSBStateRT and SecureBoot are now included in apport reports, but they are being shown as binary data (as a single unprintable character). I think this qualifies as verification-failed.

tags: added: verification-failed-xenial
tags: added: verification-done-xenial
removed: verification-failed-xenial
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

I changed my mind; this is a verification-done: just knowing whether the files are there even if they're not mapping to proper data is already a plus.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.28~16.04.1

---------------
shim-signed (1.28~16.04.1) xenial; urgency=medium

  * Adjust apport hook to include key files that tell us about the system's
    current SB state. LP: #1680279.

 -- Steve Langasek <email address hidden> Wed, 05 Apr 2017 15:14:49 -0700

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Change of SRU verification policy

As part of a recent change in the Stable Release Update verification policy we would like to inform that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug where $RELEASE is the name of the series the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted shim-signed into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~17.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-zesty to verification-done-zesty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-zesty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Zesty):
status: New → Fix Committed
tags: added: verification-needed-zesty
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-yakkety to verification-done-yakkety. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-yakkety. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed-yakkety
Revision history for this message
Steve Langasek (vorlon) wrote : Proposed package upload rejected

An upload of shim-signed to trusty-proposed has been rejected from the upload queue for the following reason: "needs adjusted versioned dep on grub2-common; drop ref to LP: #1624096 from changelog".

Steve Langasek (vorlon)
Changed in shim-signed (Ubuntu Xenial):
status: Fix Released → Fix Committed
tags: added: verification-needed-xenial
removed: verification-done-xenial
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.32~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification done for trusty: I've used shim-signed 1.32~14.04.2 and verified that the update apport hook is included and working as expected.

tags: added: verification-done-trusty
removed: verification-needed-trusty
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done for xenial; using shim-signed 1.32~16.04.1:

The apport hook now includes the proper values for MokSBStateRT (if present) and SecureBoot variables from /sys/firmware/efi/efivars.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verification-done for xenial; using shim-signed 1.32~17.04.1:

The right elements now include a human-readable content (which is what the latest SRU changes) in the apport-generated crash files (specifically, MokSBStateRT values if present, along with SecureBoot state).

tags: added: verification-done-zesty
removed: verification-needed verification-needed-yakkety verification-needed-zesty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~16.04.1

---------------
shim-signed (1.32~16.04.1) xenial; urgency=medium

  * Backport shim-signed 1.32 to 16.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP#1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 17:43:10 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Steve Langasek (vorlon) wrote : Update Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~17.04.1

---------------
shim-signed (1.32~17.04.1) zesty; urgency=medium

  * Backport shim-signed 1.32 to 17.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP#1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 17:10:08 -0400

Changed in shim-signed (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.32~14.04.2

---------------
shim-signed (1.32~14.04.2) trusty; urgency=medium

  * Backport shim-signed 1.32 to 14.04. (LP: #1700170)

shim-signed (1.32) artful; urgency=medium

  * Handle cleanup of /var/lib/shim-signed on package purge.

shim-signed (1.31) artful; urgency=medium

  * Fix regression in postinst when /var/lib/dkms does not exist.
    (LP #1700195)
  * Sort the list of dkms modules when recording.

shim-signed (1.30) artful; urgency=medium

  * update-secureboot-policy: track the installed DKMS modules so we can skip
    failing unattended upgrades if they hasn't changed (ie. if no new DKMS
    modules have been installed, just honour the user's previous decision to
    not disable shim validation). (LP: #1695578)
  * update-secureboot-policy: allow re-enabling shim validation when no DKMS
    packages are installed. (LP: #1673904)
  * debian/source_shim-signed.py: add the textual representation of SecureBoot
    and MokSBStateRT EFI variables rather than just adding the files directly;
    also, make sure we include the relevant EFI bits from kernel log.
    (LP: #1680279)

shim-signed (1.29) artful; urgency=medium

  * Makefile: Generate BOOT$arch.CSV, for use with fallback.
  * debian/rules: make sure we can do per-arch EFI files.

shim-signed (1.28) zesty; urgency=medium

  * Adjust apport hook to include key files that tell us about the system's
    current SB state. LP: #1680279.

shim-signed (1.27) zesty; urgency=medium

  [ Steve Langasek ]
  * Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
    Microsoft.
  * update-secureboot-policy:
    - detect when we have no debconf prompting and error out instead of ending
      up in an infinite loop. LP: #1673817.
    - refactor to make the code easier to follow.
    - remove a confusing boolean that would always re-prompt on a request to
      --enable, but not on a request to --disable.

  [ Mathieu Trudel-Lapierre ]
  * update-secureboot-policy:
    - some more fixes to properly handle non-interactive mode. (LP: #1673817)

shim-signed (1.23) zesty; urgency=medium

  * debian/control: bump the Depends on grub2-common since that's needed to
    install with the new updated EFI binaries filenames.

shim-signed (1.22) yakkety; urgency=medium

  * Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
  * Update paths now that the shim binary has been renamed to include the
    target architecture.
  * debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
    since it's being replaced by mm$arch.efi.

shim-signed (1.21.3) vivid; urgency=medium

  * No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3.

shim-signed (1.21.2) vivid; urgency=medium

  * Revert to signed shim from 0.8-0ubuntu2.
    - shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily.

shim-signed (1.20) yakkety; urgency=medium

  * Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
    (LP: #1581299)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 20:29:28 -0400

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.