2016-06-23 15:45:32 |
Mathieu Trudel-Lapierre |
bug |
|
|
added bug |
2016-07-27 14:29:18 |
Ara Pulido |
bug |
|
|
added subscriber Ara Pulido |
2016-07-27 16:16:41 |
Anthony Wong |
bug |
|
|
added subscriber Anthony Wong |
2016-07-29 01:07:02 |
Jamie Chang |
bug |
|
|
added subscriber Jamie Chang |
2016-07-29 15:01:05 |
Kent Lin |
bug |
|
|
added subscriber Kent Lin |
2016-08-02 18:54:36 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): status |
New |
In Progress |
|
2016-08-02 18:54:38 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): importance |
Undecided |
Critical |
|
2016-08-02 18:54:40 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2016-08-02 20:33:23 |
Launchpad Janitor |
shim-signed (Ubuntu): status |
In Progress |
Fix Released |
|
2016-08-03 01:35:11 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Xenial |
|
2016-08-03 01:35:11 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim-signed (Ubuntu Xenial) |
|
2016-08-03 01:35:11 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Trusty |
|
2016-08-03 01:35:11 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim-signed (Ubuntu Trusty) |
|
2016-08-03 01:35:11 |
Mathieu Trudel-Lapierre |
nominated for series |
|
Ubuntu Precise |
|
2016-08-03 01:35:11 |
Mathieu Trudel-Lapierre |
bug task added |
|
shim-signed (Ubuntu Precise) |
|
2016-08-03 01:35:20 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Precise): status |
New |
In Progress |
|
2016-08-03 01:35:22 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Trusty): status |
New |
In Progress |
|
2016-08-03 01:35:25 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Xenial): status |
New |
In Progress |
|
2016-08-03 01:35:27 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Precise): importance |
Undecided |
Critical |
|
2016-08-03 01:35:29 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2016-08-03 01:35:31 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Xenial): importance |
Undecided |
Critical |
|
2016-08-03 01:35:34 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Precise): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2016-08-03 01:35:36 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Trusty): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2016-08-03 01:35:38 |
Mathieu Trudel-Lapierre |
shim-signed (Ubuntu Xenial): assignee |
|
Mathieu Trudel-Lapierre (cyphermox) |
|
2016-08-03 01:44:20 |
Mathieu Trudel-Lapierre |
description |
Current strings in debconf templates for asking for a Secure Boot password are suboptimal:
Template: shim/secureboot_key
Type: password
_Description: Password:
Please enter a password for disabling Secure Boot. It will be asked again
after a reboot.
Template: shim/secureboot_key_again
Type: password
_Description: Re-enter password to verify:
Please enter the same password again to verify you have typed it correctly.
This would show only the short description in the debconf GNOME frontend; which may not be passing sufficient information for users to understand what is expected of them, and that they really need to remember that password since it will be asked after a reboot. |
[Impact]
On install and upgrade, shim-signed prompts users for disabling Secure Boot if DKMS packages are installed. The prompting was confusing, hard to see, and defaulted to not disabling Secure Boot.
[Test case]
(re-enable Secure Boot if necessary: 'sudo mokutil --enable-validation' and reboot)
1) Update shim-signed on a system with dkms packages installed, where Secure Boot is enabled.
Verify that as a first step you see an explanation of why you see the prompt (Secure Boot is enabled and you have third-party drivers).
Also:
Test upgrade from other release with DKMS packages installed, where Secure Boot is enabled; verify that you are prompted to disable Secure Boot, that the Disable Secure Boot checkbox is checked by default, and that you see an explanation text as a first step.
[Regression Potential]
This changes the default selection for disabling Secure Boot (picked by default), so quickly hitting "Next" will now move to prompting for the Secure Boot password to disable validation in shim; this breaks any users relying on blindly ignoring the prompts. Disabling Secure Boot will reduce the security of the system since it is no longer verified by UEFI signatures past loading the shim bootloader. In a true regression potential; should there be an issue with the prompting workflow in debconf, the usage of the debconf frontend may be impacted (for example, some particular frontend of debconf may fail (readline?))
---
Current strings in debconf templates for asking for a Secure Boot password are suboptimal:
Template: shim/secureboot_key
Type: password
_Description: Password:
Please enter a password for disabling Secure Boot. It will be asked again
after a reboot.
Template: shim/secureboot_key_again
Type: password
_Description: Re-enter password to verify:
Please enter the same password again to verify you have typed it correctly.
This would show only the short description in the debconf GNOME frontend; which may not be passing sufficient information for users to understand what is expected of them, and that they really need to remember that password since it will be asked after a reboot. |
|
2016-08-04 20:18:48 |
Brian Murray |
shim-signed (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2016-08-04 20:18:51 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-08-04 20:18:58 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2016-08-04 20:19:04 |
Brian Murray |
tags |
|
verification-needed |
|
2016-08-04 20:39:08 |
Brian Murray |
shim-signed (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2016-08-08 09:48:19 |
Nara Huang |
tags |
verification-needed |
cqa-verified verification-needed |
|
2016-08-09 03:03:49 |
Nara Huang |
tags |
cqa-verified verification-needed |
verification-needed |
|
2016-08-09 09:45:15 |
Nara Huang |
tags |
verification-needed |
verification-done verification-needed |
|
2016-08-09 17:52:12 |
Steve Langasek |
tags |
verification-done verification-needed |
verification-done-trusty verification-done-xenial verification-needed |
|
2016-08-09 17:55:06 |
Steve Langasek |
tags |
verification-done-trusty verification-done-xenial verification-needed |
verification-done-trusty verification-done-xenial |
|
2016-09-20 00:39:41 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/shim-signed |
|
2016-11-10 20:53:03 |
Launchpad Janitor |
shim-signed (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2016-11-10 20:53:10 |
Steve Langasek |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2016-11-10 20:53:35 |
Launchpad Janitor |
shim-signed (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2021-10-14 01:04:41 |
Steve Langasek |
shim-signed (Ubuntu Precise): status |
In Progress |
Won't Fix |
|