2018-02-12 20:20:49 |
Mathieu Trudel-Lapierre |
bug |
|
|
added bug |
2018-02-12 20:20:57 |
Mathieu Trudel-Lapierre |
bug task added |
|
dkms (Ubuntu) |
|
2018-02-12 20:21:05 |
Mathieu Trudel-Lapierre |
dkms (Ubuntu): status |
New |
In Progress |
|
2018-02-12 20:21:08 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): status |
New |
In Progress |
|
2018-02-12 20:21:10 |
Mathieu Trudel-Lapierre |
dkms (Ubuntu): importance |
Undecided |
High |
|
2018-02-12 20:21:11 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): importance |
Undecided |
High |
|
2018-02-12 20:21:13 |
Mathieu Trudel-Lapierre |
dkms (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2018-02-12 20:21:14 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2018-02-12 20:24:30 |
Mathieu Trudel-Lapierre |
attachment added |
|
dkms.debdiff https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1748983/+attachment/5053788/+files/dkms.debdiff |
|
2018-02-15 19:51:01 |
Francis Ginther |
tags |
|
id-594ae44541d5bf17021a5780 |
|
2018-04-19 13:44:31 |
Mathieu Trudel-Lapierre |
tags |
id-594ae44541d5bf17021a5780 |
block-proposed id-594ae44541d5bf17021a5780 |
|
2018-04-19 18:52:23 |
Steve Langasek |
dkms (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2018-04-19 18:52:26 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-04-19 18:52:27 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2018-04-19 18:52:31 |
Steve Langasek |
tags |
block-proposed id-594ae44541d5bf17021a5780 |
block-proposed id-594ae44541d5bf17021a5780 verification-needed verification-needed-bionic |
|
2018-04-19 18:57:46 |
Steve Langasek |
bug task deleted |
dkms (Ubuntu Bionic) |
|
|
2018-04-19 18:57:56 |
Steve Langasek |
tags |
block-proposed id-594ae44541d5bf17021a5780 verification-needed verification-needed-bionic |
block-proposed id-594ae44541d5bf17021a5780 |
|
2018-04-19 18:58:15 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-04-19 18:58:15 |
Steve Langasek |
removed subscriber SRU Verification |
|
|
|
2018-04-23 07:01:24 |
Steve Langasek |
tags |
block-proposed id-594ae44541d5bf17021a5780 |
id-594ae44541d5bf17021a5780 |
|
2018-04-23 07:17:04 |
Launchpad Janitor |
shim-signed (Ubuntu): status |
In Progress |
Fix Released |
|
2018-04-23 07:17:08 |
Launchpad Janitor |
dkms (Ubuntu): status |
Fix Committed |
Fix Released |
|
2019-02-05 20:33:46 |
Mathieu Trudel-Lapierre |
description |
shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users. |
[SRU Justification]
Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether.
[Test case]
1) Install Ubuntu in UEFI mode.
2) Install bbswitch-dkms (or another -dkms package if useful on your system).
3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot).
4) Reboot; follow the steps in MokManager:
4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so.
4b) If the system was previously with Secure Boot disabled in shim (i.e. a dkms package was previously installed), pick "Change Secure Boot state". Follow the prompts to enter password characters.
5) Pick "Reboot".
6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>".
7) Run 'modprobe <module>' to validate that the module can be loaded explicitly.
8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys.
[Regression potential]
If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load.
---
shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users. |
|
2019-02-05 20:41:02 |
Mathieu Trudel-Lapierre |
description |
[SRU Justification]
Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether.
[Test case]
1) Install Ubuntu in UEFI mode.
2) Install bbswitch-dkms (or another -dkms package if useful on your system).
3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot).
4) Reboot; follow the steps in MokManager:
4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so.
4b) If the system was previously with Secure Boot disabled in shim (i.e. a dkms package was previously installed), pick "Change Secure Boot state". Follow the prompts to enter password characters.
5) Pick "Reboot".
6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>".
7) Run 'modprobe <module>' to validate that the module can be loaded explicitly.
8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys.
[Regression potential]
If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load.
---
shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users. |
[SRU Justification]
Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether.
[Test case]
1) Install Ubuntu in UEFI mode.
2) Install bbswitch-dkms (or another -dkms package if useful on your system).
3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot).
4) Reboot; follow the steps in MokManager:
4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so.
4b) If a dkms package was previously installed on the system (so Secure Boot is currently disabled in shim), pick "Change Secure Boot state". Follow the prompts to enter password characters. The option will only show up if Secure Boot validation was found to be disabled.
5) Pick "Reboot".
6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>".
7) Run 'modprobe <module>' to validate that the module can be loaded explicitly.
8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys.
[Regression potential]
If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load.
---
shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users. |
|
2019-02-05 20:41:39 |
Brian Murray |
dkms (Ubuntu Xenial): status |
New |
Fix Committed |
|
2019-02-05 20:41:41 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2019-02-05 20:41:43 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2019-02-05 20:41:47 |
Brian Murray |
tags |
id-594ae44541d5bf17021a5780 |
id-594ae44541d5bf17021a5780 verification-needed verification-needed-xenial |
|
2019-02-05 20:48:43 |
Brian Murray |
shim-signed (Ubuntu Xenial): status |
New |
Fix Committed |
|
2019-02-05 20:53:10 |
Brian Murray |
dkms (Ubuntu Trusty): status |
New |
Fix Committed |
|
2019-02-05 20:53:14 |
Brian Murray |
tags |
id-594ae44541d5bf17021a5780 verification-needed verification-needed-xenial |
id-594ae44541d5bf17021a5780 verification-needed verification-needed-trusty verification-needed-xenial |
|
2019-02-05 20:55:08 |
Brian Murray |
shim-signed (Ubuntu Trusty): status |
New |
Fix Committed |
|
2019-02-13 16:35:49 |
Mathieu Trudel-Lapierre |
tags |
id-594ae44541d5bf17021a5780 verification-needed verification-needed-trusty verification-needed-xenial |
id-594ae44541d5bf17021a5780 verification-done-xenial verification-needed verification-needed-trusty |
|
2019-02-13 19:19:32 |
Mathieu Trudel-Lapierre |
tags |
id-594ae44541d5bf17021a5780 verification-done-xenial verification-needed verification-needed-trusty |
id-594ae44541d5bf17021a5780 verification-done-trusty verification-done-xenial |
|
2019-02-14 16:33:58 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2019-02-14 16:44:00 |
Launchpad Janitor |
shim-signed (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2019-02-14 16:49:33 |
Launchpad Janitor |
shim-signed (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2019-02-14 16:49:40 |
Launchpad Janitor |
dkms (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2019-02-14 20:24:44 |
Launchpad Janitor |
dkms (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|