backport needed to enable users to reset SBAT level
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
mokutil (Ubuntu) | ||||||
Bionic |
Fix Released
|
High
|
Steve Langasek | |||
Focal |
Fix Released
|
High
|
Unassigned | |||
Jammy |
Fix Released
|
High
|
Unassigned |
Bug Description
[Impact]
After installing the most recent point releases of Ubuntu (Ubuntu 20.04.6, 22.04.2, or 23.04 beta), if the user has SecureBoot enabled (which is definitely recommended on UEFI systems) they will subsequently be unable to boot older OS install media which has not bumped its SBAT level since December 2022.
While this is the correct default security policy as explained at https:/
In order to clear the SBAT level recorded in firmware, we need an updated version of mokutil corresponding to the shim which has been backported in these releases.
[Test Plan]
Preparation:
* Create a directory for testing:
$ mkdir test-lp2015664
$ cd test-lp2015664
* Install ovmf and qemu-system-x86 packages:
$ sudo apt install ovmf qemu-system-x86 -y
* Download 22.04.2, 22.04.1, and 20.04.5 ISOs:
$ wget https:/
$ wget https:/
$ wget https:/
* Download the secureboot-vm script:
$ wget https:/
$ chmod +x secureboot-vm
Test for Jammy:
* Boot 22.04.2 ISO to grub, and then poweroff the VM. This boots the latest shim, which revokes the grub,1 SBAT level:
$ ./secureboot-vm -cdrom ubuntu-
* Attempt to boot the 22.04.1 ISO, and observe the secureboot violation:
$ ./secureboot-vm -cdrom ubuntu-
* Disable secureboot so that the 22.04.1 ISO can boot (press ESC when the VM is starting to access the boot menu):
$ ./secureboot-vm -cdrom ubuntu-
* After disabling secureboot, the 22.04.1 ISO should boot. Select "Try Ubuntu", and install mokutil from jammy-proposed. Then, inside the live environment, set the verbosity level and instruct shim to delete SBAT variable:
$ sudo mokutil --set-verbosity true
$ sudo mokutil --set-sbat-policy delete
$ poweroff
* Boot 22.04.2 to grub again, which will delete the SBAT variable. Save the serial output to verify that the SBAT variable is deleted:
$ ./secureboot-vm -cdrom ubuntu-
$ grep -I sbat.c jammy-boot.log
sbat.c:
sbat.c:
sbat.c:
* Finally, re-enable secureboot and then boot into 22.04.1:
$ ./secureboot-vm -cdrom ubuntu-
* Select "Try Ubuntu", and once inside the live environment, double check that secureboot is enabled:
$ mokutil --sb-state
SecureBoot enabled
Test for Focal:
NOTE: I have not actually been able to reproduce a secureboot violation when booting focal media, so this test simply verifies that mokutil in focal can use the --set-sbat-policy option successfully.
* Boot 22.04.2 ISO to grub, and then poweroff the VM. This boots the latest shim, which revokes the grub,1 SBAT level:
$ ./secureboot-vm -cdrom ubuntu-
* Disable secureboot and boot the 20.04.5 ISO (press ESC when the VM is starting to access the boot menu):
$ ./secureboot-vm -cdrom ubuntu-
* Select "Try Ubuntu", and install mokutil from focal-proposed. Then, inside the live environment, set the verbosity level and instruct shim to delete SBAT variable:
$ sudo mokutil --set-verbosity true
$ sudo mokutil --set-sbat-policy delete
$ poweroff
* Boot 22.04.2 to grub again, which will delete the SBAT variable. Save the serial output to verify that the SBAT variable is deleted:
$ ./secureboot-vm -cdrom ubuntu-
$ grep -I sbat.c focal-boot.log
sbat.c:
sbat.c:
sbat.c:
Test for Bionic (same as Jammy but with 18.04.6 ISO):
* Boot 22.04.2 ISO to grub, and then poweroff the VM. This boots the latest shim, which revokes the grub,1 SBAT level:
$ ./secureboot-vm -cdrom ubuntu-
* Attempt to boot the 18.04.6 ISO, and observe the secureboot violation:
$ ./secureboot-vm -cdrom ubuntu-
* Disable secureboot so that the 18.04.6 ISO can boot (press ESC when the VM is starting to access the boot menu):
$ ./secureboot-vm -cdrom ubuntu-
* After disabling secureboot, the 18.04.6 ISO should boot. Select "Try Ubuntu", and install mokutil from bionic-proposed. Then, inside the live environment, set the verbosity level and instruct shim to delete SBAT variable:
$ sudo mokutil --set-verbosity true
$ sudo mokutil --set-sbat-policy delete
$ poweroff
* Boot 22.04.2 to grub again, which will delete the SBAT variable. Save the serial output to verify that the SBAT variable is deleted:
$ ./secureboot-vm -cdrom ubuntu-
$ grep -I sbat.c bionic-boot.log
sbat.c:
sbat.c:
sbat.c:
* Finally, re-enable secureboot and then boot into 18.04.6:
$ ./secureboot-vm -cdrom ubuntu-
* Select "Try Ubuntu", and once inside the live environment, double check that secureboot is enabled:
$ mokutil --sb-state
SecureBoot enabled
[Where problems could occur]
Since this SRU would backport an entire version to Jammy and Kinetic, I cannot practically examine all of the code changes to assess which features of mokutil have changed. The package only ships the mokutil binary and some documentation, so the regression potential is limited to the tool itself, which has a very limited and specific purpose.
[Other Info]
The entire purpose of the mokutil tool is to manage firmware entries that are read by MokManager, which is part of shim. Hence, it makes sense to keep shim and mokutil in lockstep, and this SRU could be considered HWE enablement. In particular, users need to be able to clear the SBAT level if needed to boot older install media.
Related branches
- Steve Langasek (community): Approve
-
Diff: 4122 lines (+2032/-979)23 files modifiedconfigure.ac (+2/-1)
data/mokutil (+9/-1)
debian/changelog (+52/-0)
debian/compat (+1/-1)
debian/control (+7/-5)
debian/patches/manually-define-LIBKEYUTILS-make-vars.patch (+21/-0)
debian/patches/series (+1/-1)
debian/rules (+1/-5)
dev/null (+0/-22)
man/mokutil.1 (+50/-20)
src/Makefile.am (+13/-1)
src/efi_hash.c (+183/-0)
src/efi_hash.h (+48/-0)
src/efi_x509.c (+242/-0)
src/efi_x509.h (+43/-0)
src/keyring.c (+111/-0)
src/keyring.h (+37/-0)
src/mokutil.c (+619/-911)
src/mokutil.h (+66/-0)
src/password-crypt.c (+7/-6)
src/password-crypt.h (+5/-5)
src/util.c (+456/-0)
src/util.h (+58/-0)
Changed in mokutil (Ubuntu): | |
importance: | Undecided → High |
tags: | added: fr-4055 |
Changed in mokutil (Ubuntu Focal): | |
importance: | Undecided → High |
Changed in mokutil (Ubuntu Jammy): | |
importance: | Undecided → High |
description: | updated |
description: | updated |
Changed in mokutil (Ubuntu Bionic): | |
status: | New → Triaged |
importance: | Undecided → High |
description: | updated |
description: | updated |
Changed in mokutil (Ubuntu Bionic): | |
status: | Triaged → In Progress |
assignee: | nobody → Steve Langasek (vorlon) |
tags: | removed: foundations-todo |
Uploads sponsored w/ minor adjustment to reduce debian/compat to 12 in focal as well, matching the depends, as lintian complained about level 13 not being ready then yet. Build output is binary identical.
$ md5sum {~/Downloads, ..}/mokutil_ 0.6.0-2~ 20.04.1_ amd64.deb 09153e4e9000373 62 /home/jak/ Downloads/ mokutil_ 0.6.0-2~ 20.04.1_ amd64.deb 09153e4e9000373 62 ../mokutil_ 0.6.0-2~ 20.04.1_ amd64.deb
f0db822020bf685
f0db822020bf685