[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
** Tags added: id-5bbd25580c30e754dd2d61ed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
This bug was fixed in the package mokutil - 0.3.0+1538710437.fb6250f- 0ubuntu2~14.04.1 --- mokutil (0.3.0+1538710437.fb6250f-0ubuntu2~14.04.1) trusty; urgency=medium * Backport mokutil 0.3.0+1538710437.fb6250f-0ubuntu2 to 14.04. (LP: #1797011) -- Mathieu Trudel-Lapierre Thu, 11 Oct 2018 14:55:12 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
This bug was fixed in the package mokutil - 0.3.0+1538710437.fb6250f- 0ubuntu2~16.04.1 --- mokutil (0.3.0+1538710437.fb6250f-0ubuntu2~16.04.1) xenial; urgency=medium * Backport mokutil 0.3.0+1538710437.fb6250f-0ubuntu2 to 16.04. (LP: #1797011) -- Mathieu Trudel-Lapierre Thu, 11 Oct 2018 14:55:12 -0400 ** Changed in: mokutil (Ubuntu Xenial) Status: Fix Committed => Fix Released ** Changed in: mokutil (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
Verification-done for xenial: mokutil 0.3.0+1538710437.fb6250f-0ubuntu2~16.04.1 Verification-done for trusty: mokutil 0.3.0+1538710437.fb6250f-0ubuntu2~14.04.1 Verified that 'mokutil --reset', 'mokutil --export --db', 'mokutil --export --mok' as well as setting a timeout via 'mokutil --timeout' are all working as expected. ** Tags removed: id-5bbd25580c30e754dd2d61ed verification-needed verification-needed-trusty verification-needed-xenial ** Tags added: verification-done-trusty verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
** Tags added: id-5bbd25580c30e754dd2d61ed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
Hello Mathieu, or anyone else affected, Accepted mokutil into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0+1538710437.fb6250f- 0ubuntu2~16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: mokutil (Ubuntu Xenial) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-xenial ** Changed in: mokutil (Ubuntu Trusty) Status: New => Fix Committed ** Tags added: verification-needed-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
This bug was fixed in the package mokutil - 0.3.0+1538710437.fb6250f- 0ubuntu2~18.04.1 --- mokutil (0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1) bionic; urgency=medium * Backport mokutil 0.3.0+1538710437.fb6250f-0ubuntu2 to 18.04. (LP: #1797011) -- Mathieu Trudel-Lapierre Thu, 11 Oct 2018 14:55:12 -0400 ** Changed in: mokutil (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
** Description changed: [Impact] - All Ubuntu users on UEFI systems + Potentially any Ubuntu users on UEFI systems; as mokutil is used to control from the userland the behavior of Secure Boot via shim. + + New features have been introduced in mokutil that we'll want to make use + of in supported releases along with the new shim updates: + + - Better control of timeout for the MokManager prompts + - Exporting PK, KEK, DB, MOK keys to be used to streamline upgrades and avoid failing upgrades when custom-signed kernels are in use. [Test case] == Disabling timeout == 1) Run 'sudo mokutil --timeout -1'. 2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager) 2) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu. == Changing timeout == 1) Run 'sudo mokutil --timeout 666'. 2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager) 2) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input. == Exporting keys == 1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc. 2) Validate that mokutil allows exporting the contents of DB, KEK, etc. [Regression potential] This affects the userland tool used to communicate tasks to have done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update. --- Update mokutil to a git snapshot of fb6250f2. Changes since cca7219 (current git snapshot in cosmic): fb6250f Update TODO af2387a Rename export_moks as export_db_keys 4efbb0e Add support for exporting other keys f0217e5 add new --mok argument 73c045b set list-enrolled command as default for some arguments 382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled 303ee33 Correct help: --set-timeout is really --timeout 385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds c8b26c2 Add the type casting to silence the warning -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
> All Ubuntu users on UEFI systems All Ubuntu users on UEIF systems...what? Since I don't understand what bug is being fixed here, I'll move on. I guess other SRU team members must understand the background already, so I guess they can manage the release if they're satisfied, or if you want to update the bug description so that others can understand it, I'm happy to look again. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
Verification-done for mokutil 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 on bionic: I have verified that timeout, export, and reset / toggle-validation features in mokutil all work, as a verification for the new features and smoketesting for the existing features already in use. When using timeout, export, reset and toggle-validation, mokutil correctly writes the variables in the firmware that cause the system to boot next into MokManager to process the requests. ubuntu@lucky-moth:~$ apt-cache policy mokutil mokutil: Installed: 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 Candidate: 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 Version table: *** 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 501 -1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages 100 /var/lib/dpkg/status 0.3.0-0ubuntu5 500 500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages ubuntu@lucky-moth:~$ sudo mokutil --export --kek ubuntu@lucky-moth:~$ openssl x509 -inform DER -in KEK-0001.der -text -noout Certificate: Data: Version: 1 (0x0) Serial Number: 94:cb:af:49:cd:56:a7:d8 Signature Algorithm: sha256WithRSAEncryption Issuer: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-de...@lists.ubuntu.com Validity Not Before: Jun 20 21:48:46 2018 GMT Not After : Jun 17 21:48:46 2028 GMT Subject: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-de...@lists.ubuntu.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: [...] ** Tags removed: verification-needed verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
Hello Mathieu, or anyone else affected, Accepted mokutil into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0+1538710437.fb6250f- 0ubuntu2~18.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: mokutil (Ubuntu Bionic) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
This bug was fixed in the package mokutil - 0.3.0+1538710437.fb6250f- 0ubuntu2 --- mokutil (0.3.0+1538710437.fb6250f-0ubuntu2) cosmic; urgency=medium * debian/patches/int-signedness.patch: Fix compile failure on platforms where int != unsigned int. -- Steve Langasek Wed, 10 Oct 2018 22:41:15 -0700 ** Changed in: mokutil (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
FFe approved. Test case not needed for an FFe, ignoring and have not reviewed. ** Changed in: mokutil (Ubuntu) Status: New => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
Package builds and installs fine (see attached build log): ╭─ mtrudel@demeter …/cosmic ╰─ sudo dpkg -i mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64.deb [sudo] password for mtrudel: (Reading database ... 148467 files and directories currently installed.) Preparing to unpack mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64.deb ... Unpacking mokutil (0.3.0+1538710437.fb6250f-0ubuntu1) over (0.3.0+1531796165.cca7219-0ubuntu1) ... Setting up mokutil (0.3.0+1538710437.fb6250f-0ubuntu1) ... Processing triggers for man-db (2.8.4-2) ... ** Attachment added: "mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64-2018-10-10T00:52:21Z.build" https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+attachment/5199516/+files/mokutil_0.3.0+1538710437.fb6250f-0ubuntu1_amd64-2018-10-10T00%3A52%3A21Z.build -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2
THe principal feature we need here is --export; which will allow us to export keys from the firmware and compare kernel signatures to figure out whether kernels are signed with trusted keys, which will improve the experience on upgrades from previous releases. This is especially relevant in the event someone installs a package from the kernel PPA and re-signs it (or imports the certificate) to keep Secure Boot validation enabled. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs