2017-08-02 18:48:26 |
Mathieu Trudel-Lapierre |
bug |
|
|
added bug |
2017-09-29 17:43:20 |
Francis Ginther |
tags |
|
id-59821aa3fa9de00c95f71670 |
|
2017-12-21 19:31:19 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim-signed (Ubuntu) |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Xenial |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim (Ubuntu Xenial) |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim-signed (Ubuntu Xenial) |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Artful |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim (Ubuntu Artful) |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim-signed (Ubuntu Artful) |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Zesty |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim (Ubuntu Zesty) |
|
2017-12-21 19:33:07 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim-signed (Ubuntu Zesty) |
|
2018-01-12 18:57:19 |
Mathieu Trudel-Lapierre |
description |
We want to enable validation and enroll a new key in shim all at the same time on upgrade from previous releases.
Currently, shim will wipe out all pending variables when it's done processing one of them (because it wants to reboot immediately after that action). That means if we re-enable validation, we lose the request to enroll the key, and vice-versa.
This needs fixing as it would otherwise badly impact upgrades from zesty and earlier, where we might have walked users through disabling validation. |
[Impact]
[Test cases]
First, update shim to the newest version.
= Boot test =
1) Reboot.
2) Validate that the system boots correctly in UEFI mode.
= Key enrollment =
1) Create a new X.509 certificate to import into MOK.
2) Run 'mokutil --import cert.der'
3) Reboot
4) Execute the steps described on screen to enroll the new key.
= Toggling validation =
1) Run 'mokutil --disable-validation'
2) Reboot.
3) Follow the steps on screen to toggle validation.
4) Boot to the system, validate that validation is disabled:
$ sudo hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*
The output should read the last byte as a 1.
5) Run 'mokutil --enable-validation'
6) Reboot.
7) Follow the steps on screen to toggle validation.
8) Boot to the system, validate that validation is enabled again:
$ hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*
The file should not exist.
= Toggling validation and enrolling =
1) Disable validation, as above, and reboot into the system.
2) Create a new X.509 certificate to import into MOK.
3) Run 'mokutil --import cert.der'
4) Run 'mokutil --enable-validation'
5) Reboot.
6) Follow the steps on screen to proceed through toggling validation in shim.
Once that step is done, you should be returned to the MokManager menu to complete further steps.
7) Follow the steps on screen to enroll the new key.
Once completed, you should have the option at the bottom of the menu to Reboot.
8) Reboot into the system.
9) Validate that MOK validation is enabled and the new key is enrolled:
Run:
$ sudo hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*
The file should not exist.
Then run:
$ sudo cat /proc/keys
And make sure the key you enrolled is present.
[Regression potential]
Failure to boot or validate validly signed EFI binaries (bootloader) might be possible regressions. The shim update modifies the enrollment process for new keys, and as such it might also be possible for the enrollment of a new key to fail in MokManager, rendering the validation process unstable: it may fail to validate validly signed EFI binaries signed by keys already present in the database or that were to be enrolled.
---
We want to enable validation and enroll a new key in shim all at the same time on upgrade from previous releases.
Currently, shim will wipe out all pending variables when it's done processing one of them (because it wants to reboot immediately after that action). That means if we re-enable validation, we lose the request to enroll the key, and vice-versa.
This needs fixing as it would otherwise badly impact upgrades from zesty and earlier, where we might have walked users through disabling validation. |
|
2018-01-15 16:37:40 |
Launchpad Janitor |
shim-signed (Ubuntu): status |
New |
Fix Released |
|
2018-01-16 21:10:15 |
Mathieu Trudel-Lapierre |
bug task added |
|
grub2 (Ubuntu) |
|
2018-01-16 21:10:25 |
Mathieu Trudel-Lapierre |
bug task added |
|
grub2-signed (Ubuntu) |
|
2018-01-16 21:10:37 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu): status |
New |
In Progress |
|
2018-01-16 21:10:47 |
Mathieu Trudel-Lapierre |
grub2-signed (Ubuntu): status |
New |
In Progress |
|
2018-01-22 17:01:50 |
Łukasz Zemczak |
shim-signed (Ubuntu Artful): status |
New |
Fix Committed |
|
2018-01-22 17:01:53 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-01-22 17:01:56 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2018-01-22 17:02:00 |
Łukasz Zemczak |
tags |
id-59821aa3fa9de00c95f71670 |
id-59821aa3fa9de00c95f71670 verification-needed verification-needed-artful |
|
2018-01-22 17:03:21 |
Łukasz Zemczak |
grub2 (Ubuntu Artful): status |
New |
Fix Committed |
|
2018-01-22 17:04:30 |
Łukasz Zemczak |
grub2-signed (Ubuntu Artful): status |
New |
Fix Committed |
|
2018-01-22 18:10:45 |
Łukasz Zemczak |
shim-signed (Ubuntu Xenial): status |
New |
Fix Committed |
|
2018-01-22 18:10:53 |
Łukasz Zemczak |
tags |
id-59821aa3fa9de00c95f71670 verification-needed verification-needed-artful |
id-59821aa3fa9de00c95f71670 verification-needed verification-needed-artful verification-needed-xenial |
|
2018-01-22 18:11:53 |
Łukasz Zemczak |
grub2 (Ubuntu Xenial): status |
New |
Fix Committed |
|
2018-01-22 18:13:18 |
Łukasz Zemczak |
grub2-signed (Ubuntu Xenial): status |
New |
Fix Committed |
|
2018-01-26 23:27:49 |
Launchpad Janitor |
grub2-signed (Ubuntu): status |
In Progress |
Fix Released |
|
2018-01-26 23:27:50 |
Launchpad Janitor |
grub2 (Ubuntu): status |
In Progress |
Fix Released |
|
2018-02-01 20:30:46 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Brian Murray |
2018-02-01 20:30:48 |
Ubuntu Foundations Team Bug Bot |
tags |
id-59821aa3fa9de00c95f71670 verification-needed verification-needed-artful verification-needed-xenial |
id-59821aa3fa9de00c95f71670 verification-failed verification-needed verification-needed-artful verification-needed-xenial |
|
2018-02-01 20:58:14 |
Steve Langasek |
tags |
id-59821aa3fa9de00c95f71670 verification-failed verification-needed verification-needed-artful verification-needed-xenial |
id-59821aa3fa9de00c95f71670 verification-needed verification-needed-artful verification-needed-xenial |
|
2018-02-02 14:52:28 |
Mathieu Trudel-Lapierre |
tags |
id-59821aa3fa9de00c95f71670 verification-needed verification-needed-artful verification-needed-xenial |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial |
|
2018-02-02 15:13:11 |
Mathieu Trudel-Lapierre |
shim (Ubuntu): status |
New |
Fix Released |
|
2018-02-02 15:13:21 |
Mathieu Trudel-Lapierre |
shim (Ubuntu Xenial): status |
New |
Fix Committed |
|
2018-02-02 15:13:32 |
Mathieu Trudel-Lapierre |
shim (Ubuntu Zesty): status |
New |
Won't Fix |
|
2018-02-02 15:13:43 |
Mathieu Trudel-Lapierre |
shim (Ubuntu Artful): status |
New |
Fix Committed |
|
2018-02-02 15:13:52 |
Mathieu Trudel-Lapierre |
grub2 (Ubuntu Zesty): status |
New |
Won't Fix |
|
2018-02-02 15:14:03 |
Mathieu Trudel-Lapierre |
grub2-signed (Ubuntu Zesty): status |
New |
Won't Fix |
|
2018-02-02 15:14:14 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Zesty): status |
New |
Won't Fix |
|
2018-02-05 08:57:16 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-02-05 08:57:21 |
Launchpad Janitor |
grub2-signed (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-02-05 08:57:25 |
Launchpad Janitor |
shim-signed (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-02-05 09:07:17 |
Launchpad Janitor |
grub2 (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-02-05 09:08:23 |
Launchpad Janitor |
grub2 (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-02-05 09:08:34 |
Launchpad Janitor |
grub2-signed (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-02-05 09:08:38 |
Launchpad Janitor |
shim-signed (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-08-15 00:10:37 |
Steve Langasek |
grub2 (Ubuntu Trusty): status |
New |
Fix Committed |
|
2018-08-15 00:10:42 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-08-15 00:10:49 |
Steve Langasek |
tags |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
|
2018-08-15 00:13:16 |
Steve Langasek |
grub2-signed (Ubuntu Trusty): status |
New |
Fix Committed |
|
2018-08-31 13:28:21 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2018-09-03 14:19:12 |
Mauricio Faria de Oliveira |
bug |
|
|
added subscriber Mauricio Faria de Oliveira |
2018-09-03 17:34:32 |
Mauricio Faria de Oliveira |
attachment added |
|
gnu-efi-for-shim-13-on-trusty.debdiff https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1708245/+attachment/5184145/+files/gnu-efi-for-shim-13-on-trusty.debdiff |
|
2018-09-05 06:30:58 |
Steve Langasek |
shim-signed (Ubuntu Trusty): status |
New |
Fix Committed |
|
2018-09-05 19:44:53 |
Steve Langasek |
tags |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
|
2018-09-05 20:48:22 |
Steve Langasek |
tags |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial verification-failed-trusty verification-needed |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
|
2018-09-07 21:00:00 |
dann frazier |
bug |
|
|
added subscriber dann frazier |
2018-09-10 14:53:35 |
Mauricio Faria de Oliveira |
tags |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-xenial verification-needed verification-needed-trusty |
id-59821aa3fa9de00c95f71670 verification-done-artful verification-done-trusty verification-done-xenial verification-needed |
|
2018-09-13 09:33:01 |
Launchpad Janitor |
grub2-signed (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2018-09-13 09:33:13 |
Launchpad Janitor |
shim-signed (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2018-09-13 09:43:14 |
Launchpad Janitor |
grub2 (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2018-09-13 16:54:56 |
Steve Langasek |
shim (Ubuntu Artful): status |
Fix Committed |
Fix Released |
|
2018-09-13 16:56:27 |
Steve Langasek |
shim (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|