[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
This bug was fixed in the package shim-signed - 1.33.1~16.04.10 --- shim-signed (1.33.1~16.04.10) xenial; urgency=medium * Update to shim 15.4-0ubuntu7: - Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379) - Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383) - Fix accidental deletion of RT variables (LP: #1934506) (PR #387) - mok: relax the maximum variable size check (LP: #1934780) (PR #369) shim-signed (1.33.1~16.04.9) xenial; urgency=medium * Do not build a dual-signed shim (fixing regression from ~16.04.7), and disable verifying fbx64.efi and mmx64.efi certificates as xenial's sbverify is unable to (impish works fine) * Clean up debhelper log file accidentally imported into git during 16.04.7 import. shim-signed (1.33.1~16.04.8) xenial; urgency=medium * debian/*.postinst: Unconditionally call grub-install with --force-extra-removable, so that the \EFI\BOOT removable path as used in cloud images receives the updates. LP: #1930742. * Update to shim 15.4-0ubuntu5: - Stop addending vendor dbx to MokListXRT during MokListX mirroring. This is causing systems to run out of EFI storage space, or just hang up when trying to write it (LP: #1924605) (LP: #1928434) - Further relax the check for variable mirroring on non-secureboot systems avoiding boot failures on out of space conditons (pull request #372) - Don't unhook ExitBootServices() when EBS protection is disabled (LP: #1931136) (pull request #378) shim-signed (1.33.1~16.04.7) xenial; urgency=medium * New upstream release 15.4. LP: #1921134 * Update packaging to pull fb and mm from shim-signed package as in later releases, dropping the runtime dependency on shim. * Add download-signed script from linux-signed package * Add a versioned dependency on the mokutil that introduces --timeout, and call mokutil --timeout -1 so that users don't end up with broken systems by missing MokManager on reboot after install. LP: #1856422. * Add versioned dependencies on grub-efi-amd64-signed and grub2-common, to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible grub-install present when we are installing new shim to the ESP. * Include reworked Makefile from devel to better assert the integrity of the executables. -- Julian Andres Klode Fri, 16 Jul 2021 13:04:57 +0200 ** Changed in: shim-signed (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
The verification from 16.04.9 is also valid for 16.04.10, as only the shim binaries changed, and not the scripts ** Tags removed: verification-needed verification-needed-xenial ** Tags added: verification-done verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Hello Steve, or anyone else affected, Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.33.1~16.04.10 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Tags removed: verification-done verification-done-xenial ** Tags added: verification-needed verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Verified for ...16.04.9. Timeout is there with old shim-signed, gone with new one :) ** Tags removed: verification-needed verification-needed-xenial ** Tags added: verification-done verification-done-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Hello Steve, or anyone else affected, Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.33.1~16.04.7 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: shim-signed (Ubuntu Xenial) Status: New => Fix Committed ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
This bug was fixed in the package shim-signed - 1.37~18.04.6 --- shim-signed (1.37~18.04.6) bionic; urgency=medium * Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187) thanks to Aleksander Miera for the patch. shim-signed (1.37~18.04.5) bionic; urgency=medium * Fix versioned dependency on mokutil so that it matches the version in bionic-updates. LP: #1862632. shim-signed (1.37~18.04.4) bionic; urgency=medium * Pass --timeout -1 to mokutil so that users don't end up with broken systems by missing MokManager on reboot after install. LP: #1856422. * Add a versioned dependency on the mokutil that introduces --timeout. -- Matthieu Clemenceau Fri, 10 Jul 2020 14:27:41 -0500 ** Changed in: shim-signed (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
eoan is EOL, wontfixing. ** Changed in: shim-signed (Ubuntu Eoan) Status: Fix Committed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
For bionic, this has been verified as a side-effect of verifying LP: #1869187. ** Tags removed: removal-candidate verification-needed-bionic verification-needed-eoan ** Tags added: emoval-candidate verification-done-bionic ** Tags removed: emoval-candidate -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
** Merge proposal linked: https://code.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/+merge/388660 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
This bug was fixed in the package ubiquity - 20.04.13 --- ubiquity (20.04.13) focal; urgency=medium [ Steve Langasek ] * Always invoke mokutil with --timeout -1 so that users don't miss the key enrollment on reboot and end up with broken dkms modules. LP: #1856422. [ Iain Lane ] * plugininstall: Don't modify oem_pkgs while we're iterating over it (LP: #1873146) * plugininstall: Don't bother calling do_install() if there's no packages [ Dimitri John Ledkov ] * Correctly install oem kernel flavour, when desired. * When validating new kernel, allow kernel version higher than 2.x * When keeping existing kernel, do not mark kernel image as manually instally, only the meta. * When removing a kernel, remove modules and meta. -- Dimitri John Ledkov Thu, 16 Apr 2020 22:56:34 +0100 ** Changed in: ubiquity (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
** Changed in: ubiquity (Ubuntu) Status: Triaged => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
** Also affects: ubiquity (Ubuntu) Importance: Undecided Status: New ** Changed in: ubiquity (Ubuntu) Status: New => Triaged ** Changed in: ubiquity (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
** No longer affects: ubiquity (Ubuntu Eoan) ** No longer affects: ubiquity (Ubuntu Bionic) ** No longer affects: ubiquity (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Hello Steve, or anyone else affected, Accepted shim-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.37~18.04.5 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Tags removed: verification-failed-bionic ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
shim-signed is verification-failed for bionic because the versioned dependency on mokutils is not satisfied (LP: #1862632). ** Tags removed: verification-needed-bionic ** Tags added: verification-failed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Hello Steve, or anyone else affected, Accepted shim-signed into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.39.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: shim-signed (Ubuntu Eoan) Status: Confirmed => Fix Committed ** Tags added: verification-needed verification-needed-eoan ** Changed in: shim-signed (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: ubiquity (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: shim-signed (Ubuntu Eoan) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: ubiquity (Ubuntu Bionic) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
On Focal MokManager doesn't come up on reboot, I found mokutil doesn't allow --timeout be used with --import. So either call mokutil --timeout in a second command, or need https://github.com/lcp/mokutil/pull/26/commits/8dc9f57b6fe5ca0d459c9aec2da35ef8f36cf94b# to fix mokutil. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
The change is good and I'd be willing to accept it, but before I do so I wanted to consult the SRU version number first. You have used 1.39.1, but currently 1.39 is present both in eoan and disco. I know disco goes EOL on January next year, but knowing our bad luck, I'm worried that if some emergency upload is required, the version number might be problematic. On the other hand, I guess in this very improbable case we could just use ~ for disco. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
This bug was fixed in the package shim-signed - 1.40 --- shim-signed (1.40) focal; urgency=medium * Pass --timeout -1 to mokutil so that users don't end up with broken systems by missing MokManager on reboot after install. LP: #1856422. * Add a versioned dependency on the mokutil that introduces --timeout. -- Steve Langasek Sat, 14 Dec 2019 20:26:42 -0800 ** Changed in: shim-signed (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
** Description changed: [SRU Justification] The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds. If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS. So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again. When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot. [Test case] 1. On a system with SecureBoot enabled, install the virtualbox-dkms package. 2. Set a password to use for MOK enrollment. 3. Reboot. 4. Observe that there is a countdown on MokManager. Let the timer expire. 5. Install the shim-signed package from -proposed. 6. Purge the virtualbox-dkms and dkms packages. 7. sudo rm -rf /var/lib/shim-signed. 8. Repeat steps 1 through 3. 9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute). + + [Regression potential] + If a wrong version of mokutil is called with this additional argument and doesn't support it and as a result mokutil fails, this could result in users not having their MOK enrolled who otherwise would have. + + This prevents systems which have a pending MOK enrollment due to dkms + from rebooting unattended back to Ubuntu. If anyone is automating + configuration of dkms/shim, during an install or otherwise, and + expecting the system to reboot back to Ubuntu without intervention at + the console, this will stop working. However, such a system is broken + with respect to dkms modules and SecureBoot anyway; the user should + either not install dkms modules, or plan for handling the MOK request at + the console (serial console or otherwise) on the next reboot. + + If the user does not have console access to the system but does have + power access, they can still bypass MokManager by power cycling the + system, again giving them a system which is booted but does not properly + support the dkms modules under SecureBoot. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
** Changed in: shim-signed (Ubuntu Bionic) Status: New => In Progress ** Changed in: shim-signed (Ubuntu) Status: New => Fix Committed ** Description changed: - The version of MokManager currently in xenial-updates and later supports - a MokTimeout variable, which can be set with mokutil --timeout, to - control how long MokManager waits for input instead of having a hard- - coded timeout of 10 seconds. + [SRU Justification] + The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds. If the timeout is reached on boot with no input, MokManager clears the MOK requests and passes control back to shim, which falls back to booting the OS. So if you miss seeing MokManager on boot, you have to restart the key enrollment process from the OS and reboot again. When we are invoking mokutil automatically on behalf of the user as part of key generation for dkms modules, we should disable the timeout. We should never leave the user with broken dkms modules on the system because they were looking away from the console at the wrong point in time during a reboot. + + [Test case] + 1. On a system with SecureBoot enabled, install the virtualbox-dkms package. + 2. Set a password to use for MOK enrollment. + 3. Reboot. + 4. Observe that there is a countdown on MokManager. Let the timer expire. + 5. Install the shim-signed package from -proposed. + 6. Purge the virtualbox-dkms and dkms packages. + 7. sudo rm -rf /var/lib/shim-signed. + 8. Repeat steps 1 through 3. + 9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
** Merge proposal linked: https://code.launchpad.net/~ubuntu-installer/ubiquity/+git/ubiquity/+merge/376815 ** Merge proposal linked: https://code.launchpad.net/~ubuntu-installer/ubiquity/+git/ubiquity/+merge/376816 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856422 Title: always call mokutil with --timeout -1 when enrolling dkms keys To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
