Generate per-machine MOK for dkms signing

Bug #1748983 reported by Mathieu Trudel-Lapierre on 2018-02-12
Affects                Status        Importance  Assigned to              Milestone
dkms (Ubuntu)          Fix Released  High        Mathieu Trudel-Lapierre
  Trusty               Fix Released  Undecided   Unassigned
  Xenial               Fix Released  Undecided   Unassigned
shim-signed (Ubuntu)   Fix Released  High        Mathieu Trudel-Lapierre
  Trusty               Fix Released  Undecided   Unassigned
  Xenial               Fix Released  Undecided   Unassigned

Bug Description

[SRU Justification]
Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether.

[Test case]
1) Install Ubuntu in UEFI mode.
2) Install bbswitch-dkms (or another -dkms package if useful on your system).
3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot).
4) Reboot; follow the steps in MokManager:
4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so.
4b) If a dkms package was previously installed on the system (so Secure Boot is currently disabled in shim), pick "Change Secure Boot state". Follow the prompts to enter password characters. The option will only show up if Secure Boot validation was found to be disabled.
5) Pick "Reboot".
6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>".
7) Run 'modprobe <module>' to validate that the module can be loaded explicitly.
8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys.

[Regression potential]
If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load.

---

shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users.

There are dkms changes and shim-signed changes for this. I'm linking both.
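The enrollment and signing procedure from the test case above, broken into steps that can each be checked by hand, as an added example; this is not code from the bug report or from the shim-signed/dkms packages. It assumes the Ubuntu key location /var/lib/shim-signed/mok, the kernel's scripts/sign-file taken from the running kernel's headers, sha512 as the signature digest, and the certificate subject and extensions in the inline openssl config; the helper names (gen_mok, enroll_mok, mok_enrolled, sign_module, module_signed, verify_loaded) are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the shim-signed/dkms packages):
# the MOK workflow from the test case, broken into checkable steps.
# Assumptions: the Ubuntu key location /var/lib/shim-signed/mok, sign-file
# from the running kernel's headers, sha512 as the signature digest, and the
# certificate subject/extension values below.
set -eu

MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"
SIGN_FILE="/usr/src/linux-headers-$(uname -r)/scripts/sign-file"

# Step 1: create a self-signed machine-owner key if none exists yet.
# openssl req writes the private key as PEM regardless of -outform; only the
# certificate is DER, which is what mokutil --import and sign-file expect.
gen_mok() {
    dir="$1"
    if [ -f "$dir/MOK.priv" ] && [ -f "$dir/MOK.der" ]; then
        return 0
    fi
    mkdir -p "$dir"
    cfg="$(mktemp)"
    cat >"$cfg" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3
prompt = no
[ dn ]
CN = Example machine-owner key (MOK)
[ v3 ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
subjectKeyIdentifier = hash
EOF
    openssl req -config "$cfg" -new -x509 -newkey rsa:2048 -nodes \
        -days 36500 -outform DER -keyout "$dir/MOK.priv" -out "$dir/MOK.der"
    rm -f "$cfg"
    chmod 600 "$dir/MOK.priv"   # anyone who can read this key can sign modules
}

# Step 2: queue the certificate for enrollment. mokutil asks for a one-time
# password; MokManager asks for it again at the next boot ("Enroll MOK").
enroll_mok() {
    mokutil --import "$1/MOK.der"
}

# Step 3 (after the reboot): is the certificate actually in the MOK list?
mok_enrolled() {
    mokutil --test-key "$1/MOK.der" 2>/dev/null | grep -q 'already enrolled'
}

# Step 4: sign a freshly built module the way dkms does: digest, key, DER cert.
sign_module() {
    "$SIGN_FILE" sha512 "$2/MOK.priv" "$2/MOK.der" "$1"
}

# A signed module ends with the kernel's fixed 28-byte marker
# "~Module signature appended~\n"; the signature block sits just before it.
# This reads the raw .ko, so compressed .ko.xz/.ko.zst files must be
# decompressed first.
module_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "~Module signature appended~" ]
}

# Step 5: the runtime checks from the test case, plus the dmesg lines that
# identify a signature problem rather than some other modprobe failure.
verify_loaded() {
    mod="$1"
    mokutil --sb-state
    if mok_enrolled "$MOK_DIR"; then echo "MOK enrolled"; else echo "MOK NOT enrolled"; fi
    if modprobe "$mod"; then
        lsmod | grep -q "^$mod " && echo "$mod loaded"
    else
        echo "modprobe $mod failed; relevant dmesg lines follow"
    fi
    dmesg | grep -i -e 'module verification failed' \
                    -e 'Loading of unsigned module' \
                    -e 'required key' || echo "no signing-key errors in dmesg"
}

case "${1:-}" in
    gen)    gen_mok "$MOK_DIR" ;;
    enroll) enroll_mok "$MOK_DIR" ;;
    sign)   sign_module "$2" "$MOK_DIR"; module_signed "$2" && echo "$2: signed" ;;
    verify) verify_loaded "$2" ;;
esac
```

Run `gen` then `enroll` as root, reboot and complete "Enroll MOK" in MokManager, then `sign <module.ko>` and `verify <module>`. The `module_signed` check only proves a signature block is present; whether the kernel accepts it depends on the certificate being in the MOK list, which is what `mok_enrolled` answers, so the two together cover steps 6 to 8 of the test case.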

Changed in dkms (Ubuntu):
status: New → In Progress
Changed in shim-signed (Ubuntu):
status: New → In Progress
Changed in dkms (Ubuntu):
importance: Undecided → High
Changed in shim-signed (Ubuntu):
importance: Undecided → High
Changed in dkms (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in shim-signed (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)

dkms changes in debdiff format. There didn't seem to be a code branch for dkms specific to Ubuntu.

tags: added: id-594ae44541d5bf17021a5780

I'm uploading things now; let's keep them blocked in proposed just long enough that I have the time for one last test before it reaches everyone.

tags: added: block-proposed

Hello Mathieu, or anyone else affected,

Accepted dkms into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.3-3ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in dkms (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Steve Langasek (vorlon) wrote :

we really ought to fix those scripts to not do the bug tampering for devel ;)

no longer affects: dkms (Ubuntu Bionic)
tags: removed: verification-needed verification-needed-bionic
Steve Langasek (vorlon) wrote :

This has been in -proposed for 4 days now, and there have been multiple bug reports in that time from users who have -proposed enabled - but none against the latest version which has been in -proposed for 24h+. Dropping the block-proposed tag now to let this migrate.

tags: removed: block-proposed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.34.4

---------------
shim-signed (1.34.4) bionic; urgency=medium

  * Handle the case that there are no kernel modules available for a given
    dkms package. This probably indicates there is a problem with the dkms
    module's installation, but that should not cause this package's
    installation to fail. LP: #1765954.

 -- Steve Langasek <email address hidden> Sat, 21 Apr 2018 10:13:41 -0700

Changed in shim-signed (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 2.3-3ubuntu7

---------------
dkms (2.3-3ubuntu7) bionic; urgency=medium

  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: update
    for the new update-secureboot-policy code: have it generate a new MOK if
    there isn't one yet, and use that to sign newly-built kernel modules.
    (LP: #1748983)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 18 Apr 2018 17:23:41 -0400

Changed in dkms (Ubuntu):
status: Fix Committed → Fix Released

Thanks for uploading the fix for this bug report to -proposed. However, when reviewing the package in -proposed and the details of this bug report I noticed that the bug description is missing information required for the SRU process. You can find full details at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure but essentially this bug is missing some of the following: a statement of impact, a test case and details regarding the regression potential. Thanks in advance!

description: updated
description: updated

Hello Mathieu, or anyone else affected,

Accepted dkms into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu11.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in dkms (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
Changed in dkms (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed-trusty
Brian Murray (brian-murray) wrote :

Hello Mathieu, or anyone else affected,

Accepted dkms into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-1.1ubuntu5.14.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Committed
Brian Murray (brian-murray) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~14.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification-done on xenial:

shim-signed/1.33.1~16.04.4
dkms/2.2.0.3-2ubuntu11.6

I've installed bbswitch on a test UEFI system, rebooted to disable validation in shim; then upgraded to the new packages and could verify that shim validation was re-enabled and a MOK was enrolled in the firmware, as expected.

ubuntu@ubuntu:~$ dpkg -l dkms shim-signed | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-=============================================-============-==============================================================
ii dkms 2.2.0.3-2ubuntu11.6 all Dynamic Kernel Module Support Framework
ii shim-signed 1.33.1~16.04.4+15+1533136590.3beb971-0ubuntu1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo mokutil --sb-state
[sudo] password for ubuntu:
SecureBoot enabled
ubuntu@ubuntu:~$ sudo modprobe bbswitch
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:~$ dmesg | tail
[ 7.397726] wlp3s0: authenticated
[ 7.398704] wlp3s0: associate with fc:ec:da:3c:dd:85 (try 1/3)
[ 7.402921] wlp3s0: RX AssocResp from fc:ec:da:3c:dd:85 (capab=0x411 status=0 aid=3)
[ 7.422831] wlp3s0: associated
[ 7.422886] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[ 23.013018] random: nonblocking pool is initialized
[ 100.470084] bbswitch: loading out-of-tree module taints kernel.
[ 100.470804] bbswitch: version 0.8
[ 100.470822] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[ 100.470837] bbswitch: No discrete VGA device found

tags: added: verification-done-xenial
removed: verification-needed-xenial

Verification-done on trusty:

dkms/2.2.0.3-1.1ubuntu5.14.04.10
shim-signed/1.33.1~14.04.4

I've installed bbswitch on a test UEFI system, rebooted to disable validation in shim; then upgraded to the new packages and could verify that shim validation was re-enabled and a MOK was enrolled in the firmware, as expected.

ubuntu@ubuntu:~$ dpkg -l dkms shim-signed |cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================-=========================================-============-===============================================================================
ii dkms 2.2.0.3-1.1ubuntu5.14.04.10 all Dynamic Kernel Module Support Framework
ii shim-signed 1.33.1~14.04.4+13-0ubuntu2 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo modprobe bbswitch
[sudo] password for ubuntu:
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:~$ dmesg | tail
[ 15.292736] audit: type=1400 audit(1550085342.906:10): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[ 15.293018] audit: type=1400 audit(1550085342.906:11): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1019 comm="apparmor_parser"
[ 15.293020] audit: type=1400 audit(1550085342.906:12): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[ 15.293167] audit: type=1400 audit(1550085342.906:13): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[ 15.293785] audit: type=1400 audit(1550085342.906:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=1021 comm="apparmor_parser"
[ 15.422442] init: plymouth-upstart-bridge main process ended, respawning
[ 20.034883] random: nonblocking pool is initialized
[ 79.588877] bbswitch: version 0.7
[ 79.588891] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[ 79.588901] bbswitch: No discrete VGA device found

tags: added: verification-done-trusty
removed: verification-needed verification-needed-trusty

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.4

---------------
shim-signed (1.33.1~16.04.4) xenial; urgency=medium

  * update-secureboot-policy: (LP: #1748983)
    - Backport update-secureboot-policy changes to generate a MOK and guide
      users through re-enabling validation and automatically signing DKMS
      modules.
  * debian/shim-signed.postinst:
    - When triggered, explicitly try to enroll the available MOK.
  * debian/shim-signed.install, openssl.cnf: Install some default configuration
    for creating our self-signed key.
  * debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
  * debian/templates: update templates for update-secureboot-policy changes.
  * debian/control: Breaks dkms (<< 2.2.0.3-2ubuntu11.5~) since we're changing
    the behavior of update-secureboot-policy.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 10:22:31 -0500

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~14.04.4

---------------
shim-signed (1.33.1~14.04.4) trusty; urgency=medium

  * update-secureboot-policy: (LP: #1748983)
    - Backport update-secureboot-policy changes to generate a MOK and guide
      users through re-enabling validation and automatically signing DKMS
      modules.
  * debian/shim-signed.postinst:
    - When triggered, explicitly try to enroll the available MOK.
  * debian/shim-signed.install, openssl.cnf: Install some default configuration
    for creating our self-signed key.
  * debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
  * debian/templates: update templates for update-secureboot-policy changes.
  * debian/control: Breaks dkms (<< 2.2.0.3-1.1ubuntu5.14.04.10~) since we're
    changing the behavior of update-secureboot-policy.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 11:02:00 -0500

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.10

---------------
dkms (2.2.0.3-1.1ubuntu5.14.04.10) trusty; urgency=medium

  * debian/patches/shim_secureboot_support.patch:
    - Move to signing just after module build to ensure it correctly applies
      at kernel update times. (LP: #1772950)
    - Generate a new MOK if there isn't one yet, and use that to sign
      newly-built kernel modules. (LP: #1748983)
  * debian/control: Breaks: shim-signed (<< 1.33.1~14.04.4) to ensure both
    are updated in lock-step since the changes above require a new version of
    update-secureboot-policy to correctly generate the new MOK and enroll it
    in firmware.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 11:05:49 -0500

Changed in dkms (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 2.2.0.3-2ubuntu11.6

---------------
dkms (2.2.0.3-2ubuntu11.6) xenial; urgency=medium

  * debian/patches/shim_secureboot_support.patch:
    - Move to signing just after module build to ensure it correctly applies
      at kernel update times. (LP: #1772950)
    - Generate a new MOK if there isn't one yet, and use that to sign
      newly-built kernel modules. (LP: #1748983)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 10:21:09 -0500

Changed in dkms (Ubuntu Xenial):
status: Fix Committed → Fix Released