group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1595611] Re: Improve prompting for Secure Boot password

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1595611@xxxxxxxxxxxxxxxxxx>
Date: Thu, 10 Nov 2016 20:53:03 -0000
Reply-to: Bug 1595611 <1595611@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
This bug was fixed in the package shim-signed - 1.19~14.04.1

---------------
shim-signed (1.19~14.04.1) trusty; urgency=medium

  * update-secureboot-policy:
    - Add a --help option, document other options. (LP: #1604936)
    - Rework prompting to display our Secure Boot warning and explanation
      text more prominently, rather than forcing graphical users to hit
      "Help" to see the full explanation for why we ask about disabling
      Secure Boot. (LP: #1595611)

 -- Mathieu Trudel-Lapierre <cyphermox@xxxxxxxxxx>  Tue, 02 Aug 2016
15:18:33 -0400

** Changed in: shim-signed (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1595611

Title:
  Improve prompting for Secure Boot password

Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Precise:
  In Progress
Status in shim-signed source package in Trusty:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Released

Bug description:
  [Impact]
  On install and upgrade, shim-signed prompts users for disabling Secure Boot if DKMS packages are installed. The prompting was confusing, hard to see, and defaulted to not disabling Secure Boot.

  [Test case]
  (re-enable Secure Boot if necessary: 'sudo mokutil --enable-validation' and reboot)
  1) Update shim-signed on a system with dkms packages installed, where Secure Boot is enabled.
  Verify that as a first step you see an explanation of why you see the prompt (Secure Boot is enabled and you have third-party drivers).

  Also:
  Test upgrade from other release with DKMS packages installed, where Secure Boot is enabled; verify that you are prompted to disable Secure Boot, that the Disable Secure Boot checkbox is checked by default, and that you see an explanation text as a first step.

  [Regression Potential]
  This changes the default selection for disabling Secure Boot (picked by default), so quickly hitting "Next" will now move to prompting for the Secure Boot password to disable validation in shim; this breaks any users relying on blindly ignoring the prompts. Disabling Secure Boot will reduce the security of the system since it is no longer verified by UEFI signatures past loading the shim bootloader. In a true regression potential; should there be an issue with the prompting workflow in debconf, the usage of the debconf frontend may be impacted (for example, some particular frontend of debconf may fail (readline?))

  ---

  Current strings in debconf templates for asking for a Secure Boot
  password are suboptimal:

  Template: shim/secureboot_key
  Type: password
  _Description: Password:
   Please enter a password for disabling Secure Boot. It will be asked again
   after a reboot.

  Template: shim/secureboot_key_again
  Type: password
  _Description: Re-enter password to verify:
   Please enter the same password again to verify you have typed it correctly.

  This would show only the short description in the debconf GNOME
  frontend; which may not be passing sufficient information for users to
  understand what is expected of them, and that they really need to
  remember that password since it will be asked after a reboot.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1595611/+subscriptions