Activity log for bug #1748983

Date Who What changed Old value New value Message
2018-02-12 20:20:49 Mathieu Trudel-Lapierre bug added bug
2018-02-12 20:20:57 Mathieu Trudel-Lapierre bug task added dkms (Ubuntu)
2018-02-12 20:21:05 Mathieu Trudel-Lapierre dkms (Ubuntu): status New In Progress
2018-02-12 20:21:08 Mathieu Trudel-Lapierre shim-signed (Ubuntu): status New In Progress
2018-02-12 20:21:10 Mathieu Trudel-Lapierre dkms (Ubuntu): importance Undecided High
2018-02-12 20:21:11 Mathieu Trudel-Lapierre shim-signed (Ubuntu): importance Undecided High
2018-02-12 20:21:13 Mathieu Trudel-Lapierre dkms (Ubuntu): assignee Mathieu Trudel-Lapierre (cyphermox)
2018-02-12 20:21:14 Mathieu Trudel-Lapierre shim-signed (Ubuntu): assignee Mathieu Trudel-Lapierre (cyphermox)
2018-02-12 20:24:30 Mathieu Trudel-Lapierre attachment added dkms.debdiff https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1748983/+attachment/5053788/+files/dkms.debdiff
2018-02-15 19:51:01 Francis Ginther tags id-594ae44541d5bf17021a5780
2018-04-19 13:44:31 Mathieu Trudel-Lapierre tags id-594ae44541d5bf17021a5780 block-proposed id-594ae44541d5bf17021a5780
2018-04-19 18:52:23 Steve Langasek dkms (Ubuntu Bionic): status In Progress Fix Committed
2018-04-19 18:52:26 Steve Langasek bug added subscriber Ubuntu Stable Release Updates Team
2018-04-19 18:52:27 Steve Langasek bug added subscriber SRU Verification
2018-04-19 18:52:31 Steve Langasek tags block-proposed id-594ae44541d5bf17021a5780 block-proposed id-594ae44541d5bf17021a5780 verification-needed verification-needed-bionic
2018-04-19 18:57:46 Steve Langasek bug task deleted dkms (Ubuntu Bionic)
2018-04-19 18:57:56 Steve Langasek tags block-proposed id-594ae44541d5bf17021a5780 verification-needed verification-needed-bionic block-proposed id-594ae44541d5bf17021a5780
2018-04-19 18:58:15 Steve Langasek removed subscriber Ubuntu Stable Release Updates Team
2018-04-19 18:58:15 Steve Langasek removed subscriber SRU Verification
2018-04-23 07:01:24 Steve Langasek tags block-proposed id-594ae44541d5bf17021a5780 id-594ae44541d5bf17021a5780
2018-04-23 07:17:04 Launchpad Janitor shim-signed (Ubuntu): status In Progress Fix Released
2018-04-23 07:17:08 Launchpad Janitor dkms (Ubuntu): status Fix Committed Fix Released
2019-02-05 20:33:46 Mathieu Trudel-Lapierre description shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users. [SRU Justification] Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether. [Test case] 1) Install Ubuntu in UEFI mode. 2) Install bbswitch-dkms (or another -dkms package if useful on your system). 3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot). 4) Reboot; follow the steps in MokManager: 4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so. 4b) If the system was previously with Secure Boot disabled in shim (ie. a dkms package was previously installed), pick "Change Secure Boot state". Follow the prompts to enter password characters. 5) Pick "Reboot". 6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>". 7) Run 'modprobe <module>' to validate that the module can be loaded explicitly. 8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys. [Regression potential] If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load. --- shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users.
2019-02-05 20:41:02 Mathieu Trudel-Lapierre description [SRU Justification] Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether. [Test case] 1) Install Ubuntu in UEFI mode. 2) Install bbswitch-dkms (or another -dkms package if useful on your system). 3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot). 4) Reboot; follow the steps in MokManager: 4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so. 4b) If the system was previously with Secure Boot disabled in shim (ie. a dkms package was previously installed), pick "Change Secure Boot state". Follow the prompts to enter password characters. 5) Pick "Reboot". 6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>". 7) Run 'modprobe <module>' to validate that the module can be loaded explicitly. 8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys. [Regression potential] If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load. --- shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users. [SRU Justification] Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether. [Test case] 1) Install Ubuntu in UEFI mode. 2) Install bbswitch-dkms (or another -dkms package if useful on your system). 3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot). 4) Reboot; follow the steps in MokManager: 4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so. 4b) If a dkms package was previously installed on the system (so Secure Boot is currently disabled in shim), pick "Change Secure Boot state". Follow the prompts to enter password characters. The option will only show up if Secure Boot validation was found to be disabled. 5) Pick "Reboot". 6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>". 7) Run 'modprobe <module>' to validate that the module can be loaded explicitly. 8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys. [Regression potential] If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load. --- shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users.
2019-02-05 20:41:39 Brian Murray dkms (Ubuntu Xenial): status New Fix Committed
2019-02-05 20:41:41 Brian Murray bug added subscriber Ubuntu Stable Release Updates Team
2019-02-05 20:41:43 Brian Murray bug added subscriber SRU Verification
2019-02-05 20:41:47 Brian Murray tags id-594ae44541d5bf17021a5780 id-594ae44541d5bf17021a5780 verification-needed verification-needed-xenial
2019-02-05 20:48:43 Brian Murray shim-signed (Ubuntu Xenial): status New Fix Committed
2019-02-05 20:53:10 Brian Murray dkms (Ubuntu Trusty): status New Fix Committed
2019-02-05 20:53:14 Brian Murray tags id-594ae44541d5bf17021a5780 verification-needed verification-needed-xenial id-594ae44541d5bf17021a5780 verification-needed verification-needed-trusty verification-needed-xenial
2019-02-05 20:55:08 Brian Murray shim-signed (Ubuntu Trusty): status New Fix Committed
2019-02-13 16:35:49 Mathieu Trudel-Lapierre tags id-594ae44541d5bf17021a5780 verification-needed verification-needed-trusty verification-needed-xenial id-594ae44541d5bf17021a5780 verification-done-xenial verification-needed verification-needed-trusty
2019-02-13 19:19:32 Mathieu Trudel-Lapierre tags id-594ae44541d5bf17021a5780 verification-done-xenial verification-needed verification-needed-trusty id-594ae44541d5bf17021a5780 verification-done-trusty verification-done-xenial
2019-02-14 16:33:58 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2019-02-14 16:44:00 Launchpad Janitor shim-signed (Ubuntu Xenial): status Fix Committed Fix Released
2019-02-14 16:49:33 Launchpad Janitor shim-signed (Ubuntu Trusty): status Fix Committed Fix Released
2019-02-14 16:49:40 Launchpad Janitor dkms (Ubuntu Trusty): status Fix Committed Fix Released
2019-02-14 20:24:44 Launchpad Janitor dkms (Ubuntu Xenial): status Fix Committed Fix Released