Improve prompting for Secure Boot password

Bug #1595611 reported by Mathieu Trudel-Lapierre on 2016-06-23
16
This bug affects 1 person
Affects Status Importance Assigned to Milestone
shim-signed (Ubuntu)
Critical
Mathieu Trudel-Lapierre
Precise
Critical
Mathieu Trudel-Lapierre
Trusty
Critical
Mathieu Trudel-Lapierre
Xenial
Critical
Mathieu Trudel-Lapierre

Bug Description

[Impact]
On install and upgrade, shim-signed prompts users for disabling Secure Boot if DKMS packages are installed. The prompting was confusing, hard to see, and defaulted to not disabling Secure Boot.

[Test case]
(re-enable Secure Boot if necessary: 'sudo mokutil --enable-validation' and reboot)
1) Update shim-signed on a system with dkms packages installed, where Secure Boot is enabled.
Verify that as a first step you see an explanation of why you see the prompt (Secure Boot is enabled and you have third-party drivers).

Also:
Test upgrade from other release with DKMS packages installed, where Secure Boot is enabled; verify that you are prompted to disable Secure Boot, that the Disable Secure Boot checkbox is checked by default, and that you see an explanation text as a first step.

[Regression Potential]
This changes the default selection for disabling Secure Boot (picked by default), so quickly hitting "Next" will now move to prompting for the Secure Boot password to disable validation in shim; this breaks any users relying on blindly ignoring the prompts. Disabling Secure Boot will reduce the security of the system since it is no longer verified by UEFI signatures past loading the shim bootloader. In a true regression potential; should there be an issue with the prompting workflow in debconf, the usage of the debconf frontend may be impacted (for example, some particular frontend of debconf may fail (readline?))

---

Current strings in debconf templates for asking for a Secure Boot password are suboptimal:

Template: shim/secureboot_key
Type: password
_Description: Password:
 Please enter a password for disabling Secure Boot. It will be asked again
 after a reboot.

Template: shim/secureboot_key_again
Type: password
_Description: Re-enter password to verify:
 Please enter the same password again to verify you have typed it correctly.

This would show only the short description in the debconf GNOME frontend; which may not be passing sufficient information for users to understand what is expected of them, and that they really need to remember that password since it will be asked after a reboot.

I think we'll also want to use this bug report to track improvements to other aspects of the prompting, such as showing the large Secure Boot explanation text that is hidden behind the Help button otherwise.

Changed in shim-signed (Ubuntu):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.19

---------------
shim-signed (1.19) yakkety; urgency=medium

  * update-secureboot-policy:
    - Add a --help option, document other options. (LP: #1604936)
    - Rework prompting to display our Secure Boot warning and explanation
      text more prominently, rather than forcing graphical users to hit
      "Help" to see the full explanation for why we ask about disabling
      Secure Boot. (LP: #1595611)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 02 Aug 2016 11:01:50 -0400

Changed in shim-signed (Ubuntu):
status: In Progress → Fix Released
Changed in shim-signed (Ubuntu Precise):
status: New → In Progress
Changed in shim-signed (Ubuntu Trusty):
status: New → In Progress
Changed in shim-signed (Ubuntu Xenial):
status: New → In Progress
Changed in shim-signed (Ubuntu Precise):
importance: Undecided → Critical
Changed in shim-signed (Ubuntu Trusty):
importance: Undecided → Critical
Changed in shim-signed (Ubuntu Xenial):
importance: Undecided → Critical
Changed in shim-signed (Ubuntu Precise):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in shim-signed (Ubuntu Trusty):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
Changed in shim-signed (Ubuntu Xenial):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
description: updated

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.19~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Brian Murray (brian-murray) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.19~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Trusty):
status: In Progress → Fix Committed
Nara Huang (narahuang) wrote :

I could confirm the bug is fixed, now the UI would have default selection for "Yes" to disable secure boot, and have proper UI for password input.

tags: added: cqa-verified
Steve Langasek (vorlon) wrote :

Nara, which release did you test on?

Nara Huang (narahuang) wrote :

@Steve

The comment #5 is for trusty.

But today I tried it on Xenial, when updating shim-signed, there is no UI prompting anything.

tags: removed: cqa-verified
Nara Huang (narahuang) wrote :

Further info for #7:

The unit I test has two DKMS installed: intel-hid and oem-audio-hda-daily.
Run:
sudo apt install shim-signed

Then the update of shim-signed finished successfully, no UI appears.

Nara Huang (narahuang) wrote :

Another update for shim-signed in Xenial:

For comment #8, the unit I used has been configured to disable Secure Boot.
So it didn't show shim-signed UI.

Using another unit which is not configured to disable Secure Boot, shim-signed works correctly, just like it does in Trusty.

tags: added: verification-done
Steve Langasek (vorlon) on 2016-08-09
tags: added: verification-done-trusty verification-done-xenial
removed: verification-done
tags: removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.19~14.04.1

---------------
shim-signed (1.19~14.04.1) trusty; urgency=medium

  * update-secureboot-policy:
    - Add a --help option, document other options. (LP: #1604936)
    - Rework prompting to display our Secure Boot warning and explanation
      text more prominently, rather than forcing graphical users to hit
      "Help" to see the full explanation for why we ask about disabling
      Secure Boot. (LP: #1595611)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 02 Aug 2016 15:18:33 -0400

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.19~16.04.1

---------------
shim-signed (1.19~16.04.1) xenial; urgency=medium

  * update-secureboot-policy:
    - Add a --help option, document other options. (LP: #1604936)
    - Rework prompting to display our Secure Boot warning and explanation
      text more prominently, rather than forcing graphical users to hit
      "Help" to see the full explanation for why we ask about disabling
      Secure Boot. (LP: #1595611)

 -- Mathieu Trudel-Lapierre <email address hidden> Tue, 02 Aug 2016 15:24:24 -0400

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers