ubiquity prompts for a MOK password that it then does not use

Bug #1856410 reported by Steve Langasek
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubiquity (Ubuntu)
Undecided
Unassigned
Focal
Undecided
Unassigned
ubuntu-drivers-common (Ubuntu)
High
Alberto Milone
Focal
High
Alberto Milone

Bug Description

When opting to install non-free drivers on my new laptop, ubiquity tells me that:

  Installing third-party drivers requires configuring Secure Boot. To do this,
  you need to choose a security key now, and enter it when the system restarts.

And it forces me to choose a password.

However, the only hardware on my system that has non-free drivers is nvidia; and thanks to linux-restricted-modules, it should not be necessary to use locally-built dkms modules for nvidia (but see also https://bugs.launchpad.net/ubuntu/+source/linux-restricted-modules/+bug/1856407).

I should not be prompted to create another password for a thing before we know it's actually going to be needed / used. This means ubiquity should know to only prompt for a password and invoke mokutil if proprietary drivers other than linux-modules-nvidia will actually be installed.

Also, note that the unlike ubiquity, dkms/shim-signed debconf handling of the secureboot does not use a 'password' field type. This is not a sensitive password that must be kept secret, it is only used to prove to MokManager when running from UEFI that the key enrollment request came from the person who has physical control of the hardware and is used one time, then discarded. So there's really no need to hide the text being entered in this field.

Steve Langasek (vorlon)
Changed in ubiquity (Ubuntu Focal):
milestone: none → ubuntu-20.04.1
Revision history for this message
Didier Roche (didrocks) wrote :

Confirming

Changed in ubiquity (Ubuntu Focal):
status: New → Confirmed
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

1) ubiquity already does list-oem which can query from ubuntu-drivers-common if any oem stuff needs to happen

2) ubuntu-drivers-common should provide '--package-list' option on the regular list command too

3) this way ubiquity can run 'list' with '--package-list' ahead of the prepare stage to peak, if any dkms modules would get installed.

4) then ubiquity would be able to show the right ui when people tick third-party drivers, i.e. determine if mok is needed or not.

5) under secureboot however, I don't think ubiquity should be trying to install any dkms drivers as they will all fail to load. Thus it can even skip calling `install` on them altogether.

Changed in ubuntu-drivers-common (Ubuntu):
importance: Undecided → High
Changed in ubuntu-drivers-common (Ubuntu Focal):
importance: Undecided → High
Changed in ubuntu-drivers-common (Ubuntu):
status: New → Triaged
Changed in ubuntu-drivers-common (Ubuntu Focal):
status: New → Triaged
Changed in ubuntu-drivers-common (Ubuntu):
assignee: nobody → Alberto Milone (albertomilone)
Changed in ubuntu-drivers-common (Ubuntu Focal):
assignee: nobody → Alberto Milone (albertomilone)
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers