group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #15883
[Bug 1673904] Re: update-secureboot-policy --enable does not work after dkms modules removed
This bug was fixed in the package shim-signed - 1.32~14.04.2
---------------
shim-signed (1.32~14.04.2) trusty; urgency=medium
* Backport shim-signed 1.32 to 14.04. (LP: #1700170)
shim-signed (1.32) artful; urgency=medium
* Handle cleanup of /var/lib/shim-signed on package purge.
shim-signed (1.31) artful; urgency=medium
* Fix regression in postinst when /var/lib/dkms does not exist.
(LP #1700195)
* Sort the list of dkms modules when recording.
shim-signed (1.30) artful; urgency=medium
* update-secureboot-policy: track the installed DKMS modules so we can skip
failing unattended upgrades if they hasn't changed (ie. if no new DKMS
modules have been installed, just honour the user's previous decision to
not disable shim validation). (LP: #1695578)
* update-secureboot-policy: allow re-enabling shim validation when no DKMS
packages are installed. (LP: #1673904)
* debian/source_shim-signed.py: add the textual representation of SecureBoot
and MokSBStateRT EFI variables rather than just adding the files directly;
also, make sure we include the relevant EFI bits from kernel log.
(LP: #1680279)
shim-signed (1.29) artful; urgency=medium
* Makefile: Generate BOOT$arch.CSV, for use with fallback.
* debian/rules: make sure we can do per-arch EFI files.
shim-signed (1.28) zesty; urgency=medium
* Adjust apport hook to include key files that tell us about the system's
current SB state. LP: #1680279.
shim-signed (1.27) zesty; urgency=medium
[ Steve Langasek ]
* Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
Microsoft.
* update-secureboot-policy:
- detect when we have no debconf prompting and error out instead of ending
up in an infinite loop. LP: #1673817.
- refactor to make the code easier to follow.
- remove a confusing boolean that would always re-prompt on a request to
--enable, but not on a request to --disable.
[ Mathieu Trudel-Lapierre ]
* update-secureboot-policy:
- some more fixes to properly handle non-interactive mode. (LP: #1673817)
shim-signed (1.23) zesty; urgency=medium
* debian/control: bump the Depends on grub2-common since that's needed to
install with the new updated EFI binaries filenames.
shim-signed (1.22) yakkety; urgency=medium
* Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
* Update paths now that the shim binary has been renamed to include the
target architecture.
* debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
since it's being replaced by mm$arch.efi.
shim-signed (1.21.3) vivid; urgency=medium
* No-change rebuild for shim 0.9+1465500757.14a5905.is.0.8-0ubuntu3.
shim-signed (1.21.2) vivid; urgency=medium
* Revert to signed shim from 0.8-0ubuntu2.
- shim.efi.signed originally built from shim 0.8-0ubuntu2 in wily.
shim-signed (1.20) yakkety; urgency=medium
* Update to the signed 0.9+1465500757.14a5905-0ubuntu1 binary from Microsoft.
(LP: #1581299)
-- Mathieu Trudel-Lapierre <cyphermox@xxxxxxxxxx> Mon, 10 Jul 2017
20:29:28 -0400
** Changed in: shim-signed (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1673904
Title:
update-secureboot-policy --enable does not work after dkms modules
removed
Status in shim-signed package in Ubuntu:
Fix Released
Status in shim-signed source package in Trusty:
Fix Released
Status in shim-signed source package in Xenial:
Fix Released
Status in shim-signed source package in Yakkety:
Fix Committed
Status in shim-signed source package in Zesty:
Fix Released
Bug description:
[Impact]
Re-enabling Secure Boot after DKMS packages are no longer needed is useful to benefit from the extra security afforded by having all bits of the bootloader and kernel signed by a proper key.
[Test Case]
(on a system with SHIM validation disabled)
1- Remove all dkms modules
2- Attempt to run 'sudo update-secureboot-policy --enable'
3- Observe the behavior.
With the fixed update-secureboot-policy script, you should be prompted
to re-enable shim validation; which is otherwise skipped with no
output with previous versions of the script in shim-signed.
[Regression Potential]
Possible regression from this update would be changes to expected behavior of the update-secureboot-policy script; such as being unable to correctly recognize the current state of Secure Boot and shim validation, or incorrectly returning before prompting for the password required to toggle shim validation when the shim validation state make sense to be changed (ie. prompting to enable when it is disabled only, prompting to disable only if it's currently enabled). Any change in proper prompting in a debconf non-interactive context could also be a regression from this update.
---
If I have disabled secureboot on my system via update-secureboot-
policy due to the presence of dkms modules, but subsequently remove
these dkms modules because I decide I don't like not having
secureboot, I cannot re-enable SB by running 'update-secureboot-policy
--enable'.
I think either the check for /var/lib/dkms should only apply when
update-secureboot-policy is called without arguments, or this check
should be encoded in the shim-signed postinst so that manual calls
from the commandline DWIM.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673904/+subscriptions