group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Steve Langasek <steve.langasek@xxxxxxxxxxxxx>
Date: Wed, 01 Jun 2016 19:58:46 -0000
Reply-to: Bug 1574727 <1574727@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This efibootmgr upload to precise and trusty is not required; it was
only included because of a Breaks: from libefivar0 to older versions of
efibootmgr, but in 14.04 and older, efibootmgr does not depend on
libefivar0 at all so there is no runtime incompatibility.

The efivar in trusty should be adjusted to drop the versioned Breaks: on
efibootmgr; and I will remove the efibootmgr uploads from trusty-
proposed and precise-proposed.

** Changed in: efibootmgr (Ubuntu Precise)
       Status: Fix Committed => Invalid

** Changed in: efibootmgr (Ubuntu Trusty)
       Status: Fix Committed => Invalid

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  In Progress
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  <FIXME: add more test cases>

  Test cases here are separated by the components that need to be
  changed:

  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature)

  Prompting on upgrade:
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot'
  2) Upgrade to the new grub2 package (you may need to download the updated package beforehand)
  3) Validate that grub2 prompts you to disable shim validation.

  = dkms =

  Prompting for dkms on install:
  1) Install r8168-dkms
  2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts.

  Prompting for dkms on upgrade
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot'
  2) Upgrade to the new dkms package (you may need to download the updated package beforehand)
  3) Validate that dkms prompts you to disable shim validation.

  = shim =

  Booting:
  -> Validate that it allows booting grubx64.efi signed with the old key.
  -> Validate that it allows booting grubx64.efi signed with the new key.

  Validation toggle:
  0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is present;
  If MokSBStateRT is preset:
  1) sudo mokutil --enable-validation && sudo reboot
  2) Validate that Mok asks you if you want to enable validation
  Otherwise:
  1) sudo mokutil --disable-validation && sudo reboot
  2) Validate that Mok asks you if you want to disable validation
  Finally:
  3) Complete the process to toggle validation state, reboot, and verify whether MokSBStateRT is present.
  4) Run mokutil again to toggle validation back to its former state.

  
  [Regression Potential]
  Issues to watch out for:
  - (dkms) not prompting on upgrade of a dkms package/dkms itself if validation is currently enabled (provided debconf does not have dkms/disable_secureboot seen and set to false)
  - (dkms, on new shim) prompting unnecessarily if validation is already disabled
  - (grub) not prompting on upgrade ...
  - (grub) not prompting on upgrade across releases if validation is disabled; without the applied SRU on original release.
  - (grub, on new shim) prompting unecessarily ...
  - (shim) failing to boot on some firmware that doesn't correctly follow specification
  - (shim) failing to load a properly-signed grub
  - (shim) accepting to load a badly-signed grub

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1574727/+subscriptions