| 2019-12-15 01:08:36 |
Steve Langasek |
bug |
|
|
added bug |
| 2019-12-15 01:08:45 |
Steve Langasek |
bug task added |
|
ubiquity (Ubuntu) |
|
| 2019-12-15 01:08:54 |
Steve Langasek |
nominated for series |
|
Ubuntu Eoan |
|
| 2019-12-15 01:08:54 |
Steve Langasek |
bug task added |
|
ubiquity (Ubuntu Eoan) |
|
| 2019-12-15 01:08:54 |
Steve Langasek |
bug task added |
|
shim-signed (Ubuntu Eoan) |
|
| 2019-12-15 01:08:54 |
Steve Langasek |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-12-15 01:08:54 |
Steve Langasek |
bug task added |
|
ubiquity (Ubuntu Bionic) |
|
| 2019-12-15 01:08:54 |
Steve Langasek |
bug task added |
|
shim-signed (Ubuntu Bionic) |
|
| 2019-12-15 01:10:22 |
Steve Langasek |
description |
The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot. |
The version of MokManager currently in xenial-updates and later supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot. |
|
| 2019-12-15 01:11:06 |
Steve Langasek |
ubiquity (Ubuntu Eoan): status |
New |
Won't Fix |
|
| 2019-12-15 01:13:08 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ubuntu-installer/ubiquity/+git/ubiquity/+merge/376815 |
|
| 2019-12-15 01:16:37 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ubuntu-installer/ubiquity/+git/ubiquity/+merge/376816 |
|
| 2019-12-15 04:34:31 |
Steve Langasek |
shim-signed (Ubuntu Bionic): status |
New |
In Progress |
|
| 2019-12-15 04:34:33 |
Steve Langasek |
shim-signed (Ubuntu): status |
New |
Fix Committed |
|
| 2019-12-15 04:37:20 |
Steve Langasek |
description |
The version of MokManager currently in xenial-updates and later supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot. |
[SRU Justification]
The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot.
[Test case]
1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
2. Set a password to use for MOK enrollment.
3. Reboot.
4. Observe that there is a countdown on MokManager. Let the timer expire.
5. Install the shim-signed package from -proposed.
6. Purge the virtualbox-dkms and dkms packages.
7. sudo rm -rf /var/lib/shim-signed.
8. Repeat steps 1 through 3.
9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute). |
|
| 2019-12-15 05:04:01 |
Steve Langasek |
description |
[SRU Justification]
The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot.
[Test case]
1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
2. Set a password to use for MOK enrollment.
3. Reboot.
4. Observe that there is a countdown on MokManager. Let the timer expire.
5. Install the shim-signed package from -proposed.
6. Purge the virtualbox-dkms and dkms packages.
7. sudo rm -rf /var/lib/shim-signed.
8. Repeat steps 1 through 3.
9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute). |
[SRU Justification]
The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot.
[Test case]
1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
2. Set a password to use for MOK enrollment.
3. Reboot.
4. Observe that there is a countdown on MokManager. Let the timer expire.
5. Install the shim-signed package from -proposed.
6. Purge the virtualbox-dkms and dkms packages.
7. sudo rm -rf /var/lib/shim-signed.
8. Repeat steps 1 through 3.
9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute).
[Regression potential]
If a wrong version of mokutil is called with this additional argument and doesn't support it and as a result mokutil fails, this could result in users not having their MOK enrolled who otherwise would have.
This prevents systems which have a pending MOK enrollment due to dkms from rebooting unattended back to Ubuntu. If anyone is automating configuration of dkms/shim, during an install or otherwise, and expecting the system to reboot back to Ubuntu without intervention at the console, this will stop working. However, such a system is broken with respect to dkms modules and SecureBoot anyway; the user should either not install dkms modules, or plan for handling the MOK request at the console (serial console or otherwise) on the next reboot.
If the user does not have console access to the system but does have power access, they can still bypass MokManager by power cycling the system, again giving them a system which is booted but does not properly support the dkms modules under SecureBoot. |
|
| 2019-12-15 05:54:14 |
Launchpad Janitor |
shim-signed (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2019-12-30 13:54:28 |
Launchpad Janitor |
ubiquity (Ubuntu): status |
New |
Confirmed |
|
| 2019-12-30 13:54:28 |
Launchpad Janitor |
ubiquity (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2019-12-30 13:54:28 |
Launchpad Janitor |
shim-signed (Ubuntu Eoan): status |
New |
Confirmed |
|
| 2020-02-07 17:15:13 |
Timo Aaltonen |
shim-signed (Ubuntu Eoan): status |
Confirmed |
Fix Committed |
|
| 2020-02-07 17:15:17 |
Timo Aaltonen |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2020-02-07 17:15:19 |
Timo Aaltonen |
bug |
|
|
added subscriber SRU Verification |
| 2020-02-07 17:15:27 |
Timo Aaltonen |
tags |
|
verification-needed verification-needed-eoan |
|
| 2020-02-07 17:17:04 |
Timo Aaltonen |
shim-signed (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2020-02-07 17:17:19 |
Timo Aaltonen |
tags |
verification-needed verification-needed-eoan |
verification-needed verification-needed-bionic verification-needed-eoan |
|
| 2020-02-10 17:53:34 |
Steve Langasek |
tags |
verification-needed verification-needed-bionic verification-needed-eoan |
verification-failed-bionic verification-needed verification-needed-eoan |
|
| 2020-02-10 18:26:09 |
Łukasz Zemczak |
tags |
verification-failed-bionic verification-needed verification-needed-eoan |
verification-needed verification-needed-bionic verification-needed-eoan |
|
| 2020-03-21 06:12:11 |
Mathew Hodson |
bug task deleted |
ubiquity (Ubuntu Eoan) |
|
|
| 2020-03-21 06:12:19 |
Mathew Hodson |
bug task deleted |
ubiquity (Ubuntu Bionic) |
|
|
| 2020-03-21 06:12:25 |
Mathew Hodson |
bug task deleted |
ubiquity (Ubuntu) |
|
|
| 2020-04-16 06:46:10 |
Steve Langasek |
bug task added |
|
ubiquity (Ubuntu) |
|
| 2020-04-16 06:50:50 |
Steve Langasek |
ubiquity (Ubuntu): status |
New |
Triaged |
|
| 2020-04-16 06:50:54 |
Steve Langasek |
ubiquity (Ubuntu): importance |
Undecided |
High |
|
| 2020-04-16 11:08:36 |
Jean-Baptiste Lallement |
ubiquity (Ubuntu): status |
Triaged |
Fix Committed |
|
| 2020-04-17 04:14:07 |
Launchpad Janitor |
ubiquity (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2020-07-17 19:29:29 |
Brian Murray |
tags |
verification-needed verification-needed-bionic verification-needed-eoan |
removal-candidate verification-needed verification-needed-bionic verification-needed-eoan |
|
| 2020-08-04 13:26:35 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/+merge/388660 |
|
| 2020-08-04 19:14:57 |
Steve Langasek |
shim-signed (Ubuntu Eoan): status |
Fix Committed |
Won't Fix |
|
| 2020-08-04 19:15:54 |
Steve Langasek |
tags |
removal-candidate verification-needed verification-needed-bionic verification-needed-eoan |
emoval-candidate verification-done-bionic verification-needed |
|
| 2020-08-04 19:16:02 |
Steve Langasek |
tags |
emoval-candidate verification-done-bionic verification-needed |
verification-done-bionic verification-needed |
|
| 2020-08-04 19:20:33 |
Launchpad Janitor |
shim-signed (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2020-08-04 19:20:39 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-05-14 10:59:59 |
Łukasz Zemczak |
shim-signed (Ubuntu Xenial): status |
New |
Fix Committed |
|
| 2021-05-14 11:00:01 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-05-14 11:00:07 |
Łukasz Zemczak |
tags |
verification-done-bionic verification-needed |
verification-done-bionic verification-needed verification-needed-xenial |
|
| 2021-06-28 13:56:24 |
Julian Andres Klode |
tags |
verification-done-bionic verification-needed verification-needed-xenial |
verification-done verification-done-bionic verification-done-xenial |
|
| 2021-07-19 12:35:10 |
Łukasz Zemczak |
tags |
verification-done verification-done-bionic verification-done-xenial |
verification-done-bionic verification-needed verification-needed-xenial |
|
| 2021-07-23 15:20:58 |
Julian Andres Klode |
tags |
verification-done-bionic verification-needed verification-needed-xenial |
verification-done verification-done-bionic verification-done-xenial |
|
| 2021-08-16 10:30:18 |
Launchpad Janitor |
shim-signed (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
