[Kernel-packages] [Bug 1574727] [shim-signed/wily] possible regression found
As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shim-signed from wily-proposed was performed and bug 1596230 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596230 (not this bug). Thanks!

** Tags added: verification-failed

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu: Fix Released
Status in efibootmgr package in Ubuntu: Fix Released
Status in efivar package in Ubuntu: Fix Released
Status in grub2 package in Ubuntu: New
Status in grub2-signed package in Ubuntu: New
Status in mokutil package in Ubuntu: Fix Released
Status in shim package in Ubuntu: New
Status in shim-signed package in Ubuntu: Fix Released
Status in dkms source package in Precise: New
Status in efibootmgr source package in Precise: Invalid
Status in efivar source package in Precise: Fix Committed
Status in grub2 source package in Precise: New
Status in grub2-signed source package in Precise: New
Status in mokutil source package in Precise: Fix Committed
Status in shim source package in Precise: New
Status in shim-signed source package in Precise: Fix Committed
Status in dkms source package in Trusty: Fix Committed
Status in efibootmgr source package in Trusty: Invalid
Status in efivar source package in Trusty: Fix Committed
Status in grub2 source package in Trusty: Invalid
Status in grub2-signed source package in Trusty: Invalid
Status in mokutil source package in Trusty: Fix Committed
Status in shim source package in Trusty: New
Status in shim-signed source package in Trusty: Fix Committed
Status in dkms source package in Wily: Fix Committed
Status in efibootmgr source package in Wily: Fix Released
Status in efivar source package in Wily: Fix Released
Status in grub2 source package in Wily: Invalid
Status in grub2-signed source package in Wily: Invalid
Status in mokutil source package in Wily: Fix Committed
Status in shim source package in Wily: New
Status in shim-signed source package in Wily: Fix Committed
Status in dkms source package in Xenial: Fix Released
Status in efibootmgr source package in Xenial: Fix Released
Status in efivar source package in Xenial: Fix Released
Status in grub2 source package in Xenial: In Progress
Status in grub2-signed source package in Xenial: In Progress
Status in mokutil source package in Xenial: Fix Released
Status in shim source package in Xenial: New
Status in shim-signed source package in Xenial: Fix Committed

Bug description:

[Rationale]
Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.

[Impact]
All our users booting in UEFI; on all supported releases.

[Test cases]
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

Test cases here are separated by the components that need to be changed:

= mokutil =

Adding a MOK key:
1) Install system
2) Run 'mokutil --import ' to import a signing certificate.
3) On reboot; validate MOK prompts for new MOK key to add.

Toggling Secure Boot state:
1) Install system
2) mokutil --enable-validation or mokutil --disable-validation
3) Validate that on reboot MOK prompts to change Secure Boot state.

Listing keys:
1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot.

= efivar =

libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing.

1) Run efibootmgr -v ; verify it lists BootEntries.
2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu.

= shim-signed =

1) Install system; upgrade to new packages
1b) Verify /proc/sys/kernel/secure_boot shows 1.
1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable Secure Boot if it's not already disabled.
3) Run 'sudo update-secureboot-policy'; validate you are not prompted again to disable Secure Boot.
4) Reboot; follow MOK steps to disable Secure Boot.
4b) Verify /proc/sys/kernel/secure_boot shows 1.
4c) Verify
[Kernel-packages] [Bug 1574727] [shim-signed/wily] possible regression found
As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shim-signed from wily-proposed was performed and bug 1596230 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596230 (not this bug). Thanks!

** Tags added: verification-failed

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu: Fix Released
Status in efibootmgr package in Ubuntu: Fix Released
Status in efivar package in Ubuntu: Fix Released
Status in grub2 package in Ubuntu: New
Status in grub2-signed package in Ubuntu: New
Status in mokutil package in Ubuntu: Fix Released
Status in shim package in Ubuntu: New
Status in shim-signed package in Ubuntu: Fix Released
Status in dkms source package in Precise: New
Status in efibootmgr source package in Precise: Invalid
Status in efivar source package in Precise: Fix Committed
Status in grub2 source package in Precise: New
Status in grub2-signed source package in Precise: New
Status in mokutil source package in Precise: Fix Committed
Status in shim source package in Precise: New
Status in shim-signed source package in Precise: Fix Committed
Status in dkms source package in Trusty: Fix Committed
Status in efibootmgr source package in Trusty: Invalid
Status in efivar source package in Trusty: Fix Committed
Status in grub2 source package in Trusty: Fix Committed
Status in grub2-signed source package in Trusty: Fix Committed
Status in mokutil source package in Trusty: Fix Committed
Status in shim source package in Trusty: New
Status in shim-signed source package in Trusty: Fix Committed
Status in dkms source package in Wily: Fix Committed
Status in efibootmgr source package in Wily: Fix Released
Status in efivar source package in Wily: Fix Released
Status in grub2 source package in Wily: New
Status in grub2-signed source package in Wily: New
Status in mokutil source package in Wily: Fix Committed
Status in shim source package in Wily: New
Status in shim-signed source package in Wily: Fix Committed
Status in dkms source package in Xenial: Fix Released
Status in efibootmgr source package in Xenial: Fix Released
Status in efivar source package in Xenial: Fix Released
Status in grub2 source package in Xenial: Fix Committed
Status in grub2-signed source package in Xenial: Fix Committed
Status in mokutil source package in Xenial: Fix Released
Status in shim source package in Xenial: New
Status in shim-signed source package in Xenial: Fix Committed

Bug description:

[Rationale]
Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.

[Impact]
All our users booting in UEFI; on all supported releases.

[Test cases]
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

Test cases here are separated by the components that need to be changed:

= mokutil =

Adding a MOK key:
1) Install system
2) Run 'mokutil --import ' to import a signing certificate.
3) On reboot; validate MOK prompts for new MOK key to add.

Toggling Secure Boot state:
1) Install system
2) mokutil --enable-validation or mokutil --disable-validation
3) Validate that on reboot MOK prompts to change Secure Boot state.

Listing keys:
1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot.

= efivar =

libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing.

1) Run efibootmgr -v ; verify it lists BootEntries.
2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu.

= shim-signed =

1) Install system; upgrade to new packages
1b) Verify /proc/sys/kernel/secure_boot shows 1.
1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable Secure Boot if it's not already disabled.
3) Run 'sudo update-secureboot-policy'; validate you are not prompted again to disable Secure Boot.
4) Reboot; follow MOK steps to disable Secure Boot.
4b) Verify /proc/sys/kernel/secure_boot shows 1.
4c) Verify
[Kernel-packages] [Bug 1574727] [shim-signed/wily] possible regression found
As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of shim-signed from wily-proposed was performed and bug 1596230 was found. Please investigate that bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1596230 (not this bug). Thanks!

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu: Fix Released
Status in efibootmgr package in Ubuntu: Fix Released
Status in efivar package in Ubuntu: Fix Released
Status in grub2 package in Ubuntu: New
Status in grub2-signed package in Ubuntu: New
Status in mokutil package in Ubuntu: Fix Released
Status in shim package in Ubuntu: New
Status in shim-signed package in Ubuntu: Fix Released
Status in dkms source package in Precise: New
Status in efibootmgr source package in Precise: Invalid
Status in efivar source package in Precise: Fix Committed
Status in grub2 source package in Precise: New
Status in grub2-signed source package in Precise: New
Status in mokutil source package in Precise: Fix Committed
Status in shim source package in Precise: New
Status in shim-signed source package in Precise: Fix Committed
Status in dkms source package in Trusty: Fix Committed
Status in efibootmgr source package in Trusty: Invalid
Status in efivar source package in Trusty: Fix Committed
Status in grub2 source package in Trusty: Fix Committed
Status in grub2-signed source package in Trusty: Fix Committed
Status in mokutil source package in Trusty: Fix Committed
Status in shim source package in Trusty: New
Status in shim-signed source package in Trusty: Fix Committed
Status in dkms source package in Wily: Fix Committed
Status in efibootmgr source package in Wily: Fix Released
Status in efivar source package in Wily: Fix Released
Status in grub2 source package in Wily: New
Status in grub2-signed source package in Wily: New
Status in mokutil source package in Wily: Fix Committed
Status in shim source package in Wily: New
Status in shim-signed source package in Wily: Fix Committed
Status in dkms source package in Xenial: Fix Released
Status in efibootmgr source package in Xenial: Fix Released
Status in efivar source package in Xenial: Fix Released
Status in grub2 source package in Xenial: Fix Committed
Status in grub2-signed source package in Xenial: Fix Committed
Status in mokutil source package in Xenial: Fix Released
Status in shim source package in Xenial: New
Status in shim-signed source package in Xenial: Fix Committed

Bug description:

[Rationale]
Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.

[Impact]
All our users booting in UEFI; on all supported releases.

[Test cases]
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

Test cases here are separated by the components that need to be changed:

= mokutil =

Adding a MOK key:
1) Install system
2) Run 'mokutil --import ' to import a signing certificate.
3) On reboot; validate MOK prompts for new MOK key to add.

Toggling Secure Boot state:
1) Install system
2) mokutil --enable-validation or mokutil --disable-validation
3) Validate that on reboot MOK prompts to change Secure Boot state.

Listing keys:
1) mokutil --list-enrolled -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot.

= efivar =

libefivar0 gets tested via the use of mokutil. Since it is a library with no directly usable binaries; we rely on mokutil / sbsigntool / efibootmgr to do testing.

1) Run efibootmgr -v ; verify it lists BootEntries.
2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu.

= shim-signed =

1) Install system; upgrade to new packages
1b) Verify /proc/sys/kernel/secure_boot shows 1.
1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable Secure Boot if it's not already disabled.
3) Run 'sudo update-secureboot-policy'; validate you are not prompted again to disable Secure Boot.
4) Reboot; follow MOK steps to disable Secure Boot.
4b) Verify /proc/sys/kernel/secure_boot shows 1.
4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
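
The shim-signed checkpoints from the test plan above (steps 1b/1c and 4b/4c), as an added shell example that is not part of the original bug report or of any Ubuntu package. The function names and the optional directory argument are assumptions made here so the check can also run against constructed files.

```shell
#!/bin/sh
# Added example: map the two sysctl files named in the shim-signed test plan
# to the checkpoint they correspond to. The directory argument is hypothetical
# and defaults to /proc/sys/kernel.

read_flag() {                      # prints 0, 1, "missing" or "invalid"
    [ -r "$1" ] || { echo missing; return 0; }
    v=$(tr -d '[:space:]' < "$1")
    case "$v" in
        0|1) echo "$v" ;;
        *)   echo invalid ;;
    esac
}

sb_checkpoint() {                  # usage: sb_checkpoint [dir]
    dir="${1:-/proc/sys/kernel}"
    sb=$(read_flag "$dir/secure_boot")
    mok=$(read_flag "$dir/moksbstate_disabled")
    case "$sb:$mok" in
        1:0) echo "1b/1c: after upgrade, before MOK change" ;;
        1:1) echo "4b/4c: after disabling via MOK" ;;
        # Any other combination is not described by the test plan.
        *)   echo "unexpected: secure_boot=$sb moksbstate_disabled=$mok" ;;
    esac
}

# Returns 0 only when the state matches the step the tester is at (1 or 4).
expect_checkpoint() {              # usage: expect_checkpoint 1|4 [dir]
    got=$(sb_checkpoint "$2")
    case "$1:$got" in
        1:1b/1c*|4:4b/4c*) return 0 ;;
        *) echo "FAIL (wanted step $1): $got" >&2; return 1 ;;
    esac
}

# Constructed sample: the values the plan expects after step 4.
demo=$(mktemp -d)
echo 1 > "$demo/secure_boot"
echo 1 > "$demo/moksbstate_disabled"
sb_checkpoint "$demo"
rm -rf "$demo"
```

On a test machine, `expect_checkpoint 1` after the upgrade and `expect_checkpoint 4` after the MOK reboot give a pass/fail exit status for the two verification points.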