[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.17~14.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Released Status in grub2 source package in Precise: Invalid Status in grub2-signed source package in Precise: Invalid Status in mokutil source package in Precise: Fix Released Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Invalid Status in grub2-signed source package in Trusty: Invalid Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: Invalid Status in grub2-signed source package in Wily: Invalid Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: In Progress Status in grub2-signed source package in Xenial: In Progress Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed =
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.17~15.10.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Released Status in grub2 source package in Precise: Invalid Status in grub2-signed source package in Precise: Invalid Status in mokutil source package in Precise: Fix Released Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Invalid Status in grub2-signed source package in Trusty: Invalid Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: Invalid Status in grub2-signed source package in Wily: Invalid Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: In Progress Status in grub2-signed source package in Xenial: In Progress Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed =
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.17~12.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Released Status in grub2 source package in Precise: Invalid Status in grub2-signed source package in Precise: Invalid Status in mokutil source package in Precise: Fix Released Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Invalid Status in grub2-signed source package in Trusty: Invalid Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: Invalid Status in grub2-signed source package in Wily: Invalid Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: In Progress Status in grub2-signed source package in Xenial: In Progress Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed =
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.16~15.10.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: Invalid Status in grub2-signed source package in Precise: Invalid Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Invalid Status in grub2-signed source package in Trusty: Invalid Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: Invalid Status in grub2-signed source package in Wily: Invalid Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: In Progress Status in grub2-signed source package in Xenial: In Progress Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed =
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.16~14.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: Invalid Status in grub2-signed source package in Precise: Invalid Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Invalid Status in grub2-signed source package in Trusty: Invalid Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: Invalid Status in grub2-signed source package in Wily: Invalid Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: In Progress Status in grub2-signed source package in Xenial: In Progress Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed =
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.16~12.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: Invalid Status in grub2-signed source package in Precise: Invalid Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Invalid Status in grub2-signed source package in Trusty: Invalid Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: Invalid Status in grub2-signed source package in Wily: Invalid Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: In Progress Status in grub2-signed source package in Xenial: In Progress Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.12 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Fix Committed Status in grub2-signed source package in Trusty: Fix Committed Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed =
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted dkms into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-1.1ubuntu5.14.04.6 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: grub2 (Ubuntu Trusty) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Fix Committed Status in grub2-signed source package in Trusty: Fix Committed Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', a
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.10 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: shim-signed (Ubuntu Precise) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Fix Committed Status in grub2-signed source package in Trusty: Fix Committed Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted grub2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.9 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: grub2-signed (Ubuntu Trusty) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Fix Committed Status in grub2-signed source package in Trusty: Fix Committed Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.15~12.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: Fix Committed Status in dkms source package in Trusty: Fix Committed Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: Fix Committed Status in grub2-signed source package in Trusty: Fix Committed Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: Fix Committed Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted dkms into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu6.2 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: In Progress Status in dkms source package in Trusty: New Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: New Status in grub2-signed source package in Trusty: New Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: In Progress Status in dkms source package in Wily: Fix Committed Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: Fix Committed Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: = mokutil = Adding a MOK key: 1) Install system 2) Run 'mokutil --import ' to import a signing certificate. 3) On reboot; validate MOK prompts for new MOK key to add. Toggling Secure Boot state: 1) Install system 2) mokutil --enable-validationormokutil --disable-validation 3) Validate that on reboot MOK prompts to change Secure Boot state. Listing keys: 1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. = efivar = libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing. 1) Run efibootmgr -v ; verify it lists BootEntries. 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. = shim-signed = 1) Install system; upgrade to new package
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.15~16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: In Progress Status in dkms source package in Trusty: New Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: New Status in grub2-signed source package in Trusty: New Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: In Progress Status in dkms source package in Wily: New Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: In Progress Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] Test cases here are separated by the components that need to be changed: = grub2 = Booting signed kernels: 1) Try to boot a custom kernel 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) Prompting on upgrade: 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot' 2) Upgrade to the new grub2 package (you may need to download the updated package beforehand) 3) Validate that grub2 prompts you to disable shim validation. = dkms = Prompting for dkms on install: 1) Install r8168-dkms 2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts. Prompting for dkms on upgrade 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot' 2) Upgrade to the new dkms package (you may need to download the updated package beforehand) 3) Validate that dkms pro
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted dkms into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu11.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: grub2-signed (Ubuntu Xenial) Status: New => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: New Status in dkms source package in Trusty: New Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: New Status in grub2-signed source package in Trusty: New Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: New Status in dkms source package in Wily: New Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: New Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] Test cases here are separated by the components that need to be changed: = grub2 = Booting signed kernels: 1) Try to boot a custom kernel 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) Prompting on upgrade: 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot' 2) Upgrade to the new grub2 package (you may need to download the updated package beforehand) 3) Validate that grub2 prompts you to disable shim validation. = dkms = Prompting for dkms on install: 1) Install r8168-dkms 2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts. Prompting for dkms on upgrade 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot' 2) Upgrade to the new dkms package (you may need to download the updated
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.66.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Invalid Status in efivar source package in Precise: Fix Committed Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: Fix Committed Status in shim source package in Precise: New Status in shim-signed source package in Precise: New Status in dkms source package in Trusty: New Status in efibootmgr source package in Trusty: Invalid Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: New Status in grub2-signed source package in Trusty: New Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: New Status in dkms source package in Wily: New Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: New Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: Fix Committed Status in grub2-signed source package in Xenial: Fix Committed Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: Fix Committed Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] Test cases here are separated by the components that need to be changed: = grub2 = Booting signed kernels: 1) Try to boot a custom kernel 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) Prompting on upgrade: 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot' 2) Upgrade to the new grub2 package (you may need to download the updated package beforehand) 3) Validate that grub2 prompts you to disable shim validation. = dkms = Prompting for dkms on install: 1) Install r8168-dkms 2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts. Prompting for dkms on upgrade 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot' 2) Upgrade to the new dkms package (you may need to download the updated package beforehand) 3) Validate that dkms prompts you to disable shim vali
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted efibootmgr into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/efibootmgr/0.12-4ubuntu1~14.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efibootmgr package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Precise: New Status in efibootmgr source package in Precise: Fix Committed Status in efivar source package in Precise: New Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: New Status in shim source package in Precise: New Status in shim-signed source package in Precise: New Status in dkms source package in Trusty: New Status in efibootmgr source package in Trusty: Fix Committed Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: New Status in grub2-signed source package in Trusty: New Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in shim-signed source package in Trusty: New Status in dkms source package in Wily: New Status in efibootmgr source package in Wily: Fix Released Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in shim-signed source package in Wily: New Status in dkms source package in Xenial: Fix Released Status in efibootmgr source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: New Status in grub2-signed source package in Xenial: New Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Status in shim-signed source package in Xenial: New Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] Test cases here are separated by the components that need to be changed: = grub2 = Booting signed kernels: 1) Try to boot a custom kernel 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) Prompting on upgrade: 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot' 2) Upgrade to the new grub2 package (you may need to download the updated package beforehand) 3) Validate that grub2 prompts you to disable shim validation. = dkms = Prompting for dkms on install: 1) Install r8168-dkms 2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts. Prompting for dkms on upgrade 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot' 2) Upgrade to the new dkms package (you may need to download the updated package beforehand) 3) Validate that dkms prompts you to disable shim validation. = shim = Boot
[Kernel-packages] [Bug 1574727] Please test proposed package
Hello Mathieu, or anyone else affected, Accepted mokutil into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~15.10.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI Status in dkms package in Ubuntu: Fix Released Status in efivar package in Ubuntu: Fix Released Status in grub2 package in Ubuntu: New Status in grub2-signed package in Ubuntu: New Status in mokutil package in Ubuntu: Fix Released Status in shim package in Ubuntu: New Status in dkms source package in Precise: New Status in efivar source package in Precise: New Status in grub2 source package in Precise: New Status in grub2-signed source package in Precise: New Status in mokutil source package in Precise: New Status in shim source package in Precise: New Status in dkms source package in Trusty: New Status in efivar source package in Trusty: Fix Committed Status in grub2 source package in Trusty: New Status in grub2-signed source package in Trusty: New Status in mokutil source package in Trusty: Fix Committed Status in shim source package in Trusty: New Status in dkms source package in Wily: New Status in efivar source package in Wily: Fix Released Status in grub2 source package in Wily: New Status in grub2-signed source package in Wily: New Status in mokutil source package in Wily: Fix Committed Status in shim source package in Wily: New Status in dkms source package in Xenial: Fix Released Status in efivar source package in Xenial: Fix Released Status in grub2 source package in Xenial: New Status in grub2-signed source package in Xenial: New Status in mokutil source package in Xenial: Fix Released Status in shim source package in Xenial: New Bug description: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] Test cases here are separated by the components that need to be changed: = grub2 = Booting signed kernels: 1) Try to boot a custom kernel 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) Prompting on upgrade: 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot' 2) Upgrade to the new grub2 package (you may need to download the updated package beforehand) 3) Validate that grub2 prompts you to disable shim validation. = dkms = Prompting for dkms on install: 1) Install r8168-dkms 2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts. Prompting for dkms on upgrade 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot' 2) Upgrade to the new dkms package (you may need to download the updated package beforehand) 3) Validate that dkms prompts you to disable shim validation. = shim = Booting: -> Validate that it allows booting grubx64.efi signed with the old key. -> Validate that it allows booting grubx64.efi signed with the new key. Validation toggle: 0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is present; If MokSBStateRT is preset: 1) sudo mokutil --enable-validation && sudo reboot 2) Validate that Mok asks you if you want to enable validation Otherwise: 1) sudo mokutil --disable-validation && sudo reboot 2) Validate that Mok asks you if you want to disable validation Finally: 3) Complete the process to t
