[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2021-10-13 Thread Steve Langasek
The Precise Pangolin has reached end of life, so this bug will not be
fixed for that release

** Changed in: shim (Ubuntu Precise)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  Invalid
Status in grub2-signed package in Ubuntu:
  Invalid
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  Won't Fix
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  Won't Fix
Status in shim-signed source package in Precise:
  Fix Released
Status in dkms source package in Trusty:
  Fix Released
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Invalid
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Released
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Released
Status in dkms source package in Wily:
  Fix Released
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Released
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Released
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Released
Status in grub2-signed source package in Xenial:
  Fix Released
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Released

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as
  possible of the boot process happens with signed binaries; from our
  shim (the part that is loaded by the EFI firmware itself), down to
  grub2, the kernel, and even loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems
  that are configured with them for factory Secure Boot.


  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify
  that on reboot; you can get into a boot menu that will list 'ubuntu2',
  and that picking that boot entry boots into Ubuntu.


  = shim-signed =

  1) Install system; upgrade to new packages
  1b) Verify /proc/sys/kernel/secure_boot shows 1.
  1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
  2) Run 'sudo update-secureboot-policy'; validate that it prompts to
  disable Secure Boot if it's not already disabled.
  3) Run 'sudo update-secureboot-policy'; validate you are not prompted
  again to disable Secure Boot.
  4) Reboot; follow MOK steps to disable Secure Boot.
  4b) Verify /proc/sys/kernel/secure_boot shows 1.
  4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
  5) Run 'sudo update-secureboot-policy --enable'; validate you are
  prompted to enable Secure Boot.
  6) Reboot; follow MOK steps to re-enable Secure Boot.
  6b) Verify /proc/sys/kernel/secure_boot shows 1.
  6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.

  
  = grub2 =

  
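
The shim-signed checks in the test cases above (steps 1b/1c, 4b/4c, 6b/6c) come down to reading two sysctl files. The script below is an added example, not part of the bug report or of update-secureboot-policy: it classifies the state from those files and applies the precedence rule from the shim-signed 1.18~12.04.1 changelog later in this thread (moksbstate_disabled wins over MokSBStateRT). The efivarfs path and layout, the shim GUID, the state names and the make_sample_root fixture are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify Secure Boot / shim validation state from the two
# sysctl files named in the shim-signed test cases.
# Assumption (not from the page): the fallback reads MokSBStateRT through
# efivarfs, where each file is 4 attribute bytes followed by the data.

MOK_VAR='MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23'  # shim GUID, assumed

# read_flag FILE -> prints FILE's content without whitespace; fails if unreadable
read_flag() {
    [ -r "$1" ] || return 1
    tr -d ' \t\n' < "$1"
}

# mok_disabled ROOT -> prints 1 if shim validation is disabled, else 0
mok_disabled() {
    root=$1
    sysctl_file="$root/proc/sys/kernel/moksbstate_disabled"
    efi_file="$root/sys/firmware/efi/efivars/$MOK_VAR"
    if [ -e "$sysctl_file" ]; then
        # Changelog rule: if the sysctl is present, prefer it unconditionally.
        read_flag "$sysctl_file"
    elif [ -r "$efi_file" ]; then
        # Skip the 4 attribute bytes, read the 1 data byte as a decimal number.
        od -An -tu1 -j4 -N1 "$efi_file" | tr -d ' \n'
    else
        printf 0
    fi
}

# secureboot_state [ROOT] -> enforcing | validation-disabled | secureboot-off
# ROOT is a directory prefix; leave it empty to inspect the running system.
secureboot_state() {
    root=${1:-}
    sb=$(read_flag "$root/proc/sys/kernel/secure_boot") || sb=0
    if [ "$sb" != 1 ]; then
        echo secureboot-off
    elif [ "$(mok_disabled "$root")" = 1 ]; then
        echo validation-disabled
    else
        echo enforcing
    fi
}

# make_sample_root DIR SB [MOK_SYSCTL] [MOK_EFI] -> build a constructed tree
# (sample data for this example only, not captured from a real machine)
make_sample_root() {
    mkdir -p "$1/proc/sys/kernel" "$1/sys/firmware/efi/efivars"
    echo "$2" > "$1/proc/sys/kernel/secure_boot"
    [ -z "${3:-}" ] || echo "$3" > "$1/proc/sys/kernel/moksbstate_disabled"
    # 0x06 attribute word (constructed) followed by the one-byte value
    [ -z "${4:-}" ] || printf '\006\000\000\000'"\\00$4" \
        > "$1/sys/firmware/efi/efivars/$MOK_VAR"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_root "$tmp/step1" 1 0        # steps 1b/1c and 6b/6c
    make_sample_root "$tmp/step4" 1 1        # steps 4b/4c
    make_sample_root "$tmp/conflict" 1 0 1   # sysctl says 0, EFI variable says 1
    make_sample_root "$tmp/no-sysctl" 1 "" 1 # sysctl absent: use EFI variable
    for t in step1 step4 conflict no-sysctl; do
        printf '%s: %s\n' "$t" "$(secureboot_state "$tmp/$t")"
    done
    rm -rf "$tmp"
}
demo
```

The "conflict" tree is the case the changelog entry addresses: the sysctl and the EFI variable disagree, and the sysctl decides the result.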

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2021-10-13 Thread Steve Langasek
The Precise Pangolin has reached end of life, so this bug will not be
fixed for that release

** Changed in: dkms (Ubuntu Precise)
   Status: New => Won't Fix

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2017-03-30 Thread Mathieu Trudel-Lapierre
The update of shim, grub, mokutil and others to use signed kernels and
modules is mostly done; one further step that needs to happen is to
have grub enforce that kernels are properly signed, and refuse to load
unsigned kernels (rather than falling back from the linuxefi module
which checks signatures, to linux which doesn't).

In the interest of clarity, I'll close the tasks here as Invalid for
what is left as "New", and we'll move this "last step" to bug 1401532
which is clearly about this issue.

** Changed in: grub2-signed (Ubuntu)
   Status: New => Invalid

** Changed in: grub2 (Ubuntu)
   Status: New => Invalid

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-09-15 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.18~12.04.1

---
shim-signed (1.18~12.04.1) precise; urgency=medium

  * update-secureboot-policy:  If /proc/sys/kernel/moksbstate_disabled is
    present, prefer this unconditionally over MokSBStateRT.  LP: #1604873.

 -- Steve Langasek   Wed, 20 Jul 2016 16:22:42 -0700

** Changed in: shim-signed (Ubuntu Precise)
   Status: Fix Committed => Fix Released

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-09-15 Thread Mathieu Trudel-Lapierre
Verification-successful for shim-signed on precise --- all that is
required is there: the update-secureboot-policy script does what it
should and is run as expected.

However, it looks like MokManager.efi (which isn't something coming from
shim-signed) isn't installed on the system under /boot/efi/EFI/ubuntu.
This isn't a regression since it does not appear that it was ever
automatically installed. Still, this breaks the workflow of toggling
shim validation, so it must be fixed ASAP.

** Tags removed: verification-needed
** Tags added: verification-done-precise

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-09-09 Thread Steve Langasek
** Changed in: efivar (Ubuntu Trusty)
   Status: Fix Released => Invalid

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as
  possible of the boot process happens with signed binaries; from our
  shim (the part that is loaded by the EFI firmware itself), down to
  grub2, the kernel, and even loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems
  that are configured with them for factory Secure Boot.


  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify
  that on reboot; you can get into a boot menu that will list 'ubuntu2',
  and that picking that boot entry boots into Ubuntu.


  = shim-signed =

  1) Install system; upgrade to new packages
  1b) Verify /proc/sys/kernel/secure_boot shows 1.
  1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
  2) Run 'sudo update-secureboot-policy'; validate that it prompts to
  disable Secure Boot if it's not already disabled.
  3) Run 'sudo update-secureboot-policy'; validate you are not prompted
  again to disable Secure Boot.
  4) Reboot; follow MOK steps to disable Secure Boot.
  4b) Verify /proc/sys/kernel/secure_boot shows 1.
  4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
  5) Run 'sudo update-secureboot-policy --enable'; validate you are
  prompted to enable Secure Boot.
  6) Reboot; follow MOK steps to re-enable Secure Boot.
  6b) Verify /proc/sys/kernel/secure_boot shows 1.
  6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.

  
  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by 

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-09-09 Thread Mathieu Trudel-Lapierre
efivar for trusty ended up not being needed.

** Changed in: efivar (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Released
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Released
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Released
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Released
Status in dkms source package in Wily:
  Fix Released
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Released
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Released
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Released
Status in grub2-signed source package in Xenial:
  Fix Released
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Released

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible
  of the boot process happens with signed binaries; from our shim (the part that
  is loaded by the EFI firmware itself), down to grub2, the kernel, and even
  loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems that
     are configured with them for factory Secure Boot.

  
  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that
     on reboot; you can get into a boot menu that will list 'ubuntu2', and that
     picking that boot entry boots into Ubuntu.

  
  = shim-signed =

  1) Install system; upgrade to new packages
  1b) Verify /proc/sys/kernel/secure_boot shows 1.
  1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
  2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable
     Secure Boot if it's not already disabled.
  3) Run 'sudo update-secureboot-policy'; validate you are not prompted again
     to disable Secure Boot.
  4) Reboot; follow MOK steps to disable Secure Boot.
  4b) Verify /proc/sys/kernel/secure_boot shows 1.
  4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
  5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to
     enable Secure Boot.
  6) Reboot; follow MOK steps to re-enable Secure Boot.
  6b) Verify /proc/sys/kernel/secure_boot shows 1.
  6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.

  
  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom 
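
The shim-signed checks in the test plan above (steps 1b/1c, 4b/4c and 6b/6c) can be scripted; the following is an added example, not part of the original bug report or of shim-signed. The function names, the state labels, the optional directory argument and the reading of secure_boot=0 are assumptions made for this example; only the two file names and their expected values come from the test plan.

```shell
#!/bin/sh
# Added example: check the two sysctl files named in the shim-signed test plan.
# Function names, state labels and the directory argument are assumptions of
# this example; the file names and expected values come from the test plan.

# Print the flag stored in file $1: "0", "1", "missing" or "invalid".
read_flag() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    flag=$(tr -d '[:space:]' < "$1")
    case "$flag" in
        0|1) echo "$flag" ;;
        *)   echo invalid ;;
    esac
}

# Classify the state found under directory $1 (default /proc/sys/kernel).
sb_state() {
    dir="${1:-/proc/sys/kernel}"
    sb=$(read_flag "$dir/secure_boot")
    mok=$(read_flag "$dir/moksbstate_disabled")
    case "$sb:$mok" in
        1:0) echo enforcing ;;            # steps 1b/1c and 6b/6c
        1:1) echo validation-disabled ;;  # steps 4b/4c: disabled through MOK
        0:*) echo secure-boot-off ;;      # assumption: not covered by the plan
        *)   echo unknown ;;              # file missing or unexpected content
    esac
}

# Compare the current state with what the test plan expects after step $1
# (1, 4 or 6). Returns 0 on match, 1 on mismatch, 2 for an unknown step.
sb_check_step() {
    case "$1" in
        1|6) want=enforcing ;;
        4)   want=validation-disabled ;;
        *)   echo "unknown step: $1" >&2; return 2 ;;
    esac
    got=$(sb_state "${2:-/proc/sys/kernel}")
    if [ "$got" = "$want" ]; then
        echo "step $1: OK ($got)"
        return 0
    fi
    echo "step $1: FAIL, expected $want but found $got" >&2
    return 1
}

# Stand-alone use: pass the step number, e.g. "sh sbcheck.sh 4".
if [ $# -gt 0 ]; then
    sb_check_step "$@"
fi
```

A result of "unknown" means one of the two files is absent or holds something other than 0 or 1, which is what a kernel without these sysctl entries would produce.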

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-signed - 1.66.1

---
grub2-signed (1.66.1) xenial; urgency=medium

  * Rebuild against grub2 2.02~beta2-36ubuntu3.1. (LP: #1574727)

 -- Mathieu Trudel-Lapierre  Thu, 12 May 2016 09:46:16 -0400

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Released
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Released
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Released
Status in dkms source package in Wily:
  Fix Released
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Released
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Released
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Released
Status in grub2-signed source package in Xenial:
  Fix Released
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.1

---
grub2 (2.02~beta2-36ubuntu3.1) xenial; urgency=medium

  * debian/postinst.in: replace setup_mok_validation with a call to
    update-secureboot-policy, a script shipped by shim-signed.
    (LP: #1574727)
  * debian/control: drop Depends on mokutil, we're not calling it directly.

 -- Mathieu Trudel-Lapierre  Fri, 20 May 2016 15:04:00 -0400

** Changed in: grub2 (Ubuntu Xenial)
   Status: In Progress => Fix Released

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: In Progress => Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.17~16.04.1

---
shim-signed (1.17~16.04.1) xenial; urgency=medium

  * Backport shim-signed 1.17 to 16.04. (LP: #1574727)

 -- Mathieu Trudel-Lapierre  Thu, 07 Jul 2016 20:17:24 -0400

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Released
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Released
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Released
Status in dkms source package in Wily:
  Fix Released
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Released
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Released
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package dkms - 2.2.0.3-2ubuntu6.2

---
dkms (2.2.0.3-2ubuntu6.2) wily; urgency=medium

  * debian/patches/shim_secureboot_support.patch: use update-secureboot-policy,
    which has the benefit of being handled via triggers, to allow users to
    toggle validation in shim. (LP: #1574727)

 -- Mathieu Trudel-Lapierre  Fri, 20 May 2016 14:46:26 -0400

** Changed in: shim-signed (Ubuntu Wily)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.17~15.10.1

---
shim-signed (1.17~15.10.1) wily; urgency=medium

  * Backport shim-signed 1.17 to 15.10. (LP: #1574727)

 -- Mathieu Trudel-Lapierre  Thu, 07 Jul 2016 20:17:24 -0400

** Changed in: shim-signed (Ubuntu Xenial)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~15.10.1

---
mokutil (0.3.0-0ubuntu3~15.10.1) wily; urgency=medium

  * Backport mokutil to wily. (LP: #1574727)

 -- Mathieu Trudel-Lapierre  Tue, 26 Apr 2016 11:04:30 -0400

** Changed in: dkms (Ubuntu Wily)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Released
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Released
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Released
Status in dkms source package in Wily:
  Fix Released
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Released
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Released
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Released

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible 
of the boot process happens with signed binaries; from our shim (the part that 
is loaded by the EFI firmware itself), down to grub2, the kernel, and even 
loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems that 
are configured with them for factory Secure Boot.

  
  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that 
on reboot; you can get into a boot menu that will list 'ubuntu2', and that 
picking that boot entry boots into Ubuntu.

  
  = shim-signed =

  1) Install system; upgrade to new packages
  1b) Verify /proc/sys/kernel/secure_boot shows 1.
  1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
  2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable 
Secure Boot if it's not already disabled.
  3) Run 'sudo update-secureboot-policy'; validate you are not prompted again 
to disable Secure Boot.
  4) Reboot; follow MOK steps to disable Secure Boot.
  4b) Verify /proc/sys/kernel/secure_boot shows 1.
  4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
  5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to 
enable Secure Boot.
  6) Reboot; follow 

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.6

---
dkms (2.2.0.3-1.1ubuntu5.14.04.6) trusty; urgency=medium

  * debian/patches/shim_secureboot_support.patch: use update-secureboot-policy,
    which has the benefit of being handled via triggers, to allow users to
    toggle validation in shim. (LP: #1574727)

 -- Mathieu Trudel-Lapierre   Fri, 20 May 2016 14:46:26 -0400

** Changed in: shim-signed (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Released
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Released
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Released
Status in dkms source package in Wily:
  Fix Released
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Released
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Released
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package shim-signed - 1.17~14.04.1

---
shim-signed (1.17~14.04.1) trusty; urgency=medium

  * Backport shim-signed 1.17 to 14.04. (LP: #1574727)

 -- Mathieu Trudel-Lapierre   Thu, 07 Jul 2016 20:17:24 -0400

** Changed in: mokutil (Ubuntu Wily)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-13 Thread Launchpad Bug Tracker
This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~14.04.1

---
mokutil (0.3.0-0ubuntu3~14.04.1) trusty; urgency=medium

  * Backport mokutil to trusty. (LP: #1574727)

 -- Mathieu Trudel-Lapierre   Tue, 26 Apr 2016 10:59:59 -0400

** Changed in: mokutil (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** Changed in: dkms (Ubuntu Trusty)
   Status: Fix Committed => Fix Released


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-08 Thread Mathieu Trudel-Lapierre
Verification done for XENIAL: grub2-signed, dkms, shim-signed all found
to be working as expected. Test cases pass. As previously discussed, the
grub2-signed update is not especially useful in itself and does need to
drop the calls to mokutil, but will need a further SRU to remove calling
update-secureboot-policy later.

** Tags added: verification-done-wily

** Tags added: verification-done-xenial

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-08 Thread Mathieu Trudel-Lapierre
Verification-done for TRUSTY: efivar, mokutil, dkms, shim-signed all
found to be working as expected. Test cases pass.

** Tags added: verification-done-trusty


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-08 Thread Mathieu Trudel-Lapierre
Verification-done for WILY: mokutil, dkms, shim-signed all found to be
working as expected. Test cases pass.


Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible 
of the boot process happens with signed binaries; from our shim (the part that 
is loaded by the EFI firmware itself), down to grub2, the kernel, and even 
loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems that 
are configured with them for factory Secure Boot.

  
  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that 
on reboot; you can get into a boot menu that will list 'ubuntu2', and that 
picking that boot entry boots into Ubuntu.

  
  = shim-signed =

  1) Install system; upgrade to new packages
  1b) Verify /proc/sys/kernel/secure_boot shows 1.
  1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
  2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable 
Secure Boot if it's not already disabled.
  3) Run 'sudo update-secureboot-policy'; validate you are not prompted again 
to disable Secure Boot.
  4) Reboot; follow MOK steps to disable Secure Boot.
  4b) Verify /proc/sys/kernel/secure_boot shows 1.
  4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
  5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to 
enable Secure Boot.
  6) Reboot; follow MOK steps to re-enable Secure Boot.
  6b) Verify /proc/sys/kernel/secure_boot shows 1.
  6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.

  
  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) 

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-07 Thread Steve Langasek
Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.17~16.04.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to
enable and use -proposed.  Your feedback will aid us getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags removed: verification-failed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-01 Thread Steve Langasek
There are about 10 packages being SRUed here, and no information given
in the preceding tag change about what testing has been done.  So I have
my doubts that this tag really means all the SRUs have been verified for
all releases :)  Resetting.

** Tags removed: verification-done
** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-07-01 Thread LocutusOfBorg
** Tags removed: verification-needed
** Tags added: verification-done

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-30 Thread Steve Langasek
** Tags removed: verification-done-precise

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible 
of the boot process happens with signed binaries; from our shim (the part that 
is loaded by the EFI firmware itself), down to grub2, the kernel, and even 
loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems that 
are configured with them for factory Secure Boot.

  
  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that 
on reboot; you can get into a boot menu that will list 'ubuntu2', and that 
picking that boot entry boots into Ubuntu.

  
  = shim-signed =

  1) Install system; upgrade to new packages
  1b) Verify /proc/sys/kernel/secure_boot shows 1.
  1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
  2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable 
Secure Boot if it's not already disabled.
  3) Run 'sudo update-secureboot-policy'; validate you are not prompted again 
to disable Secure Boot.
  4) Reboot; follow MOK steps to disable Secure Boot.
  4b) Verify /proc/sys/kernel/secure_boot shows 1.
  4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
  5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to 
enable Secure Boot.
  6) Reboot; follow MOK steps to re-enable Secure Boot.
  6b) Verify /proc/sys/kernel/secure_boot shows 1.
  6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.

  
  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an 

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-30 Thread Launchpad Bug Tracker
This bug was fixed in the package efivar - 0.21-1~12.04.1

---
efivar (0.21-1~12.04.1) precise; urgency=medium

  * Backport efivar to 12.04; to support mokutil. (LP: #1574727)
    - debian/patches/port-nvme-support.patch: define the NVME ID IOCTL (only
      required to successfully build on precise).
    - debian/patches/port-char16_t-support.patch: provide a char16_t type
      without depending on new unicode in C11, gcc 4.4 already has the
      CHAR16_TYPE we need to provide the feature.
    - debian/patches/precise-gcc-options.patch: Drop -std=gnu11 to -std=gnu99,
      and -Wmaybe-uninitialized completely.
  * debian/control: remove spurious Breaks for efibootmgr; the efibootmgr in
    12.04 does not have a runtime dependency on libefivar0 so no Breaks is
    needed.

 -- Mathieu Trudel-Lapierre   Mon, 02 Nov 2015 16:08:16 -0600

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-30 Thread Launchpad Bug Tracker
This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~12.04.1

---
mokutil (0.3.0-0ubuntu3~12.04.1) precise; urgency=medium

  * Backport to precise: (LP: #1574727)
    - debian/patches/precise-gcc-options.patch: drop to building against the
      gnu99 standard, rather than gnu11.

 -- Mathieu Trudel-Lapierre   Tue, 26 Apr 2016 10:54:07 -0400

** Changed in: mokutil (Ubuntu Precise)
   Status: Fix Committed => Fix Released

** Changed in: efivar (Ubuntu Precise)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Released
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Released
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-30 Thread Steve Langasek
** Tags removed: verification-failed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible 
of the boot process happens with signed binaries; from our shim (the part that 
is loaded by the EFI firmware itself), down to grub2, the kernel, and even 
loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems that 
are configured with them for factory Secure Boot.

  
  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that 
on reboot; you can get into a boot menu that will list 'ubuntu2', and that 
picking that boot entry boots into Ubuntu.

  
  = shim-signed =

  1) Install system; upgrade to new packages
  1b) Verify /proc/sys/kernel/secure_boot shows 1.
  1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
  2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable 
Secure Boot if it's not already disabled.
  3) Run 'sudo update-secureboot-policy'; validate you are not prompted again 
to disable Secure Boot.
  4) Reboot; follow MOK steps to disable Secure Boot.
  4b) Verify /proc/sys/kernel/secure_boot shows 1.
  4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
  5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to 
enable Secure Boot.
  6) Reboot; follow MOK steps to re-enable Secure Boot.
  6b) Verify /proc/sys/kernel/secure_boot shows 1.
  6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.

  
  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an error 
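
The shim-signed verification steps in the test cases above (1b/1c, 4b/4c, 6b/6c) can be scripted as below. This is an added example, not part of the bug report or of any Ubuntu package; the phase names, function names and the fixture helper are assumptions, and only the two /proc paths and their expected values come from the test case.

```shell
#!/bin/sh
# Added example: compare the two kernel flags named in the shim-signed test
# case with the values expected at each stage of the procedure.
# Phase names (upgraded/disabled/reenabled) are made up for this example.
# Per the test case, secure_boot reads 1 in every phase; moksbstate_disabled
# is the flag that distinguishes them, so both must be checked together.

# expected_state PHASE -> prints "<secure_boot> <moksbstate_disabled>"
expected_state() {
    case "$1" in
        upgraded)  echo "1 0" ;;  # steps 1b, 1c
        disabled)  echo "1 1" ;;  # steps 4b, 4c
        reenabled) echo "1 0" ;;  # steps 6b, 6c
        *) return 2 ;;
    esac
}

# read_flag FILE -> prints 0 or 1; fails if the file is missing or holds
# anything else (for example on a kernel that does not expose the flag).
read_flag() {
    [ -r "$1" ] || return 1
    flag_value=$(tr -d '[:space:]' < "$1")
    case "$flag_value" in
        0|1) echo "$flag_value" ;;
        *) return 1 ;;
    esac
}

# check_phase PHASE [ROOT]
# ROOT defaults to /proc/sys/kernel; pass another directory to test off-target.
# Returns 0 on match, 1 on mismatch, 2 for an unknown phase, 3 if a flag
# cannot be read.
check_phase() {
    cp_phase=$1
    cp_root=${2:-/proc/sys/kernel}
    cp_want=$(expected_state "$cp_phase") || {
        echo "unknown phase: $cp_phase" >&2; return 2; }
    cp_sb=$(read_flag "$cp_root/secure_boot") || {
        echo "cannot read $cp_root/secure_boot" >&2; return 3; }
    cp_mok=$(read_flag "$cp_root/moksbstate_disabled") || {
        echo "cannot read $cp_root/moksbstate_disabled" >&2; return 3; }
    if [ "$cp_sb $cp_mok" = "$cp_want" ]; then
        echo "PASS $cp_phase: secure_boot=$cp_sb moksbstate_disabled=$cp_mok"
        return 0
    fi
    echo "FAIL $cp_phase: got '$cp_sb $cp_mok', expected '$cp_want'" >&2
    return 1
}

# make_fixture DIR SECURE_BOOT MOKSBSTATE_DISABLED
# Writes constructed sample flag files so the check can run without a UEFI host.
make_fixture() {
    mkdir -p "$1" &&
    printf '%s\n' "$2" > "$1/secure_boot" &&
    printf '%s\n' "$3" > "$1/moksbstate_disabled"
}

# Run against the live system only when a phase is given on the command line,
# e.g. "sh check.sh disabled" after completing step 4.
if [ "$#" -gt 0 ]; then
    check_phase "$@"
    exit $?
fi
```
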

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-30 Thread Martin Pitt
Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.16~16.04.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags removed: verification-failed


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-28 Thread Steve Langasek
** Changed in: grub2-signed (Ubuntu Precise)
   Status: New => Invalid

** Changed in: grub2 (Ubuntu Precise)
   Status: New => Invalid


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  Invalid
Status in grub2-signed source package in Precise:
  Invalid
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-28 Thread Steve Langasek
** Changed in: grub2-signed (Ubuntu Trusty)
   Status: Fix Committed => Invalid


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Invalid
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-28 Thread Steve Langasek
xenial still needs an SRU to drop the previous setup_mok_validation code
(but not add update-secureboot-policy).

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: Fix Committed => In Progress

** Changed in: grub2 (Ubuntu Wily)
   Status: New => Invalid

** Changed in: grub2 (Ubuntu Xenial)
   Status: Fix Committed => In Progress

** Changed in: grub2 (Ubuntu Trusty)
   Status: Fix Committed => Invalid


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Invalid
Status in grub2-signed source package in Trusty:
  Fix Committed
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  Invalid
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  In Progress
Status in grub2-signed source package in Xenial:
  In Progress
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-28 Thread Steve Langasek
Having reviewed and discussed the changes to grub in the SRU queue, I
have concluded that the grub2 SRU is both insufficient (because upgrade
ordering does not ensure that the update-secureboot-policy command is
available when grub is upgraded) and unnecessary (because shim-signed
should apply the policy itself, so grub doesn't need to).

I am rejecting / removing the grub2 and grub2-signed SRUs for this.
shim-signed needs a reupload, so that it directly calls
update-secureboot-policy in postinst on upgrade - not just when
triggered by another package.

Later, when we are changing grub to refuse to boot kernels whose
signature doesn't verify, we will need to ensure that an appropriate
version of shim-signed is installed first. But that should be done with
a Breaks against older versions of shim, not with conditional postinst
logic.

** Changed in: grub2-signed (Ubuntu Wily)
   Status: New => Invalid


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Fix Committed
Status in grub2-signed source package in Trusty:
  Fix Committed
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  Invalid
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Committed
Status in grub2-signed source package in Xenial:
  Fix Committed
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-28 Thread Martin Pitt
Hello Mathieu, or anyone else affected,

Accepted grub2 into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.10 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags removed: verification-failed


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  Fix Committed
Status in dkms source package in Trusty:
  Fix Committed
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  Fix Committed
Status in grub2-signed source package in Trusty:
  Fix Committed
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Committed
Status in grub2-signed source package in Xenial:
  Fix Committed
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible
  of the boot process happens with signed binaries; from our shim (the part that
  is loaded by the EFI firmware itself), down to grub2, the kernel, and even
  loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0

  Test cases here are separated by the components that need to be
  changed:

  = mokutil =

  Adding a MOK key:
  1) Install system
  2) Run 'mokutil --import ' to import a signing certificate.
  3) On reboot; validate MOK prompts for new MOK key to add.

  Toggling Secure Boot state:
  1) Install system
  2) mokutil --enable-validation or mokutil --disable-validation
  3) Validate that on reboot MOK prompts to change Secure Boot state.

  Listing keys:
  1) mokutil --list-enrolled
  -- should list keys previously enrolled, and Microsoft keys on systems that
  are configured with them for factory Secure Boot.

  
  = efivar =

  libefivar0 gets tested via the use of mokutil. Since it is a library
  with no directly usable binaries; we rely on mokutil / sbsigntool /
  efibootmgr to do testing.

  1) Run efibootmgr -v ; verify it lists BootEntries.
  2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that
  on reboot; you can get into a boot menu that will list 'ubuntu2', and that
  picking that boot entry 

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-27 Thread Andy Whitcroft
Hello Mathieu, or anyone else affected,

Accepted grub2-signed into trusty-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/grub2-signed/1.34.11 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Tags removed: verification-failed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-24 Thread Martin Pitt
Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.15~14.04.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: shim-signed (Ubuntu Trusty)
   Status: In Progress => Fix Committed

** Changed in: dkms (Ubuntu Trusty)
   Status: New => Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-23 Thread Steve Langasek
Hello Mathieu, or anyone else affected,

Accepted shim-signed into wily-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.15~15.10.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: shim-signed (Ubuntu Wily)
   Status: In Progress => Fix Committed

** Changed in: dkms (Ubuntu Wily)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  In Progress
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  In Progress
Status in dkms source package in Wily:
  Fix Committed
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Committed
Status in grub2-signed source package in Xenial:
  Fix Committed
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-23 Thread Mathieu Trudel-Lapierre
** Description changed:

  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible 
of the boot process happens with signed binaries; from our shim (the part that 
is loaded by the EFI firmware itself), down to grub2, the kernel, and even 
loaded modules.
  
  [Impact]
  All our users booting in UEFI; on all supported releases.
  
  [Test cases]
- 
+ 
https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0
  
  Test cases here are separated by the components that need to be changed:
+ 
+ = mokutil =
+ 
+ Adding a MOK key:
+ 1) Install system
+ 2) Run 'mokutil --import ' to import a signing certificate.
+ 3) On reboot; validate MOK prompts for new MOK key to add.
+ 
+ Toggling Secure Boot state:
+ 1) Install system
+ 2) mokutil --enable-validationormokutil --disable-validation
+ 3) Validate that on reboot MOK prompts to change Secure Boot state.
+ 
+ Listing keys:
+ 1) mokutil --list-enrolled
+ -- should list keys previously enrolled, and Microsoft keys on systems that 
are configured with them for factory Secure Boot.
+ 
+ 
+ = efivar =
+ 
+ libefivar0 gets tested via the use of mokutil. Since it is a library
+ with no directly usable binaries; we rely on mokutil / sbsigntool /
+ efibootmgr to do testing.
+ 
+ 1) Run efibootmgr -v ; verify it lists BootEntries.
+ 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that 
on reboot; you can get into a boot menu that will list 'ubuntu2', and that 
picking that boot entry boots into Ubuntu.
+ 
+ 
+ = shim-signed =
+ 
+ 1) Install system; upgrade to new packages
+ 1b) Verify /proc/sys/kernel/secure_boot shows 1.
+ 1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
+ 2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable 
Secure Boot if it's not already disabled.
+ 3) Run 'sudo update-secureboot-policy'; validate you are not prompted again 
to disable Secure Boot.
+ 4) Reboot; follow MOK steps to disable Secure Boot.
+ 4b) Verify /proc/sys/kernel/secure_boot shows 1.
+ 4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1.
+ 5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to 
enable Secure Boot.
+ 6) Reboot; follow MOK steps to re-enable Secure Boot.
+ 6b) Verify /proc/sys/kernel/secure_boot shows 1.
+ 6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0.
+ 
  
  = grub2 =
  
  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an error 
message about the signature)
  
  Prompting on upgrade:
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, 
ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil 
--enable-validation && sudo reboot'
  2) Upgrade to the new grub2 package (you may need to download the updated 
package beforehand)
  3) Validate that grub2 prompts you to disable shim validation.
  
+ 
  = dkms =
  
  Prompting for dkms on install:
  1) Install r8168-dkms
  2) Verify that you're asked to disable shim validation, and walked through 
the process via debconf prompts.
  
  Prompting for dkms on upgrade
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, 
ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil 
--enable-validation && reboot'
  2) Upgrade to the new dkms package (you may need to download the updated 
package beforehand)
  3) Validate that dkms prompts you to disable shim validation.
+ 
  
  = shim =
  
  Booting:
  -> Validate that it allows booting grubx64.efi signed with the old key.
  -> Validate that it allows booting grubx64.efi signed with the new key.
  
  Validation toggle:
  0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is 
present;
  If MokSBStateRT is preset:
  1) sudo mokutil --enable-validation && sudo reboot
  2) Validate that Mok asks you if you want to enable validation
  Otherwise:
  1) sudo mokutil --disable-validation && sudo reboot
  2) Validate that Mok asks you if you want to disable validation
  Finally:
  3) Complete the process to toggle validation state, reboot, and verify 
whether MokSBStateRT is present.
  4) Run mokutil again to toggle validation back to its former state.
  
- 
  [Regression Potential]
  Issues to watch out for:
  - (dkms) not prompting on upgrade of a dkms package/dkms itself if validation 
is currently enabled (provided debconf does not have dkms/disable_secureboot 
seen and set to false)
  - (dkms, on new shim) prompting unnecessarily if validation is already 
disabled
  - (grub) not prompting on upgrade ...
  - (grub) not prompting on upgrade across releases if validation is disabled; 
without the applied SRU on original release.
  - (grub, on new shim) prompting unecessarily ...
  - (shim) failing to boot on some firmware that doesn't correctly follow 
specification
  - (shim) 
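Review bot: In the added mokutil test cases, step 2 of "Toggling Secure Boot state" reads 'mokutil --enable-validationormokutil --disable-validation', so the two alternative commands are run together with no separator, and step 2 of "Adding a MOK key" gives 'mokutil --import ' with nothing after it; write the toggle step as two commands joined by "or", and put a placeholder for the certificate file after --import so a tester knows an argument is expected. The added shim-signed steps 4b and 6b both expect /proc/sys/kernel/secure_boot to show 1 while only moksbstate_disabled changes between 4c and 6c; one sentence saying that this is the intended result after disabling validation through MOK would keep testers from reporting 4b as a failure. In the unchanged context, "If MokSBStateRT is preset" should read "present", "unecessarily" is misspelled, and the dkms upgrade step uses '&& reboot' without sudo where the matching grub2 step uses '&& sudo reboot'.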

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-23 Thread Mathieu Trudel-Lapierre
precise:
- verified efivar & sbsigntool
- verified mokutil

Verification passes for these SRUs.

** Tags added: verification-done-precise

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  In Progress
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  In Progress
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  In Progress
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  Fix Committed
Status in grub2-signed source package in Xenial:
  Fix Committed
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  Fix Committed

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible
  of the boot process happens with signed binaries; from our shim (the part that
  is loaded by the EFI firmware itself), down to grub2, the kernel, and even
  loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  

  Test cases here are separated by the components that need to be
  changed:

  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an error
  message about the signature)

  Prompting on upgrade:
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms,
  ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot:
  'sudo mokutil --enable-validation && sudo reboot'
  2) Upgrade to the new grub2 package (you may need to download the updated
  package beforehand)
  3) Validate that grub2 prompts you to disable shim validation.

  = dkms =

  Prompting for dkms on install:
  1) Install r8168-dkms
  2) Verify that you're asked to disable shim validation, and walked through
  the process via debconf prompts.

  Prompting for dkms on upgrade
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms,
  ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot:
  'sudo mokutil --enable-validation && reboot'
  2) Upgrade to the new dkms package (you may need to download the updated
  package beforehand)
  3) Validate that dkms prompts you to disable shim validation.

  = shim =

  Booting:
  -> Validate that it allows booting grubx64.efi signed with the old key.
  -> Validate that it allows booting grubx64.efi signed with the new key.

  Validation toggle:
  0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is
  present;
  If MokSBStateRT is present:
  1) sudo mokutil --enable-validation && sudo reboot
  2) Validate that Mok asks you if you want to enable validation
  Otherwise:
  1) sudo mokutil --disable-validation && sudo reboot
  2) Validate that Mok asks you if you want to disable validation
  Finally:
  3) Complete the process to toggle validation state, reboot, and verify
  whether MokSBStateRT is present.
  4) Run mokutil again to toggle validation back to its former state.

  
  [Regression Potential]
  Issues to watch out for:
  - (dkms) not prompting 

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-21 Thread Mathieu Trudel-Lapierre
** Changed in: shim-signed (Ubuntu Wily)
   Status: New => In Progress

** Changed in: shim-signed (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: shim-signed (Ubuntu Precise)
   Status: New => In Progress


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-21 Thread Martin Pitt
Meh, I meant to release grub2{,-signed} for trusty, fat-fingered this. I
removed the copy into -updates, as this is premature.

** Changed in: grub2 (Ubuntu Xenial)
   Status: Fix Released => Fix Committed

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: Fix Released => Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-21 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2-signed - 1.66.1

---
grub2-signed (1.66.1) xenial; urgency=medium

  * Rebuild against grub2 2.02~beta2-36ubuntu3.1. (LP: #1574727)

 -- Mathieu Trudel-Lapierre   Thu, 12 May 2016 09:46:16 -0400

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-21 Thread Launchpad Bug Tracker
This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.1

---
grub2 (2.02~beta2-36ubuntu3.1) xenial; urgency=medium

  * debian/postinst.in: replace setup_mok_validation with a call to
    update-secureboot-policy, a script shipped by shim-signed.
    (LP: #1574727)
  * debian/control: drop Depends on mokutil, we're not calling it directly.

 -- Mathieu Trudel-Lapierre   Fri, 20 May 2016 15:04:00 -0400

** Changed in: grub2 (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** Changed in: grub2-signed (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-17 Thread Martin Pitt
Hello Mathieu, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: grub2 (Ubuntu Xenial)
   Status: New => Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-08 Thread Chris J Arges
Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.14~16.04.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: shim-signed (Ubuntu Xenial)
   Status: New => Fix Committed

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-01 Thread Steve Langasek
** Changed in: efivar (Ubuntu Trusty)
   Status: In Progress => Fix Committed

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible 
of the boot process happens with signed binaries; from our shim (the part that 
is loaded by the EFI firmware itself), down to grub2, the kernel, and even 
loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  

  Test cases here are separated by the components that need to be
  changed:

  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an error 
message about the signature)

  Prompting on upgrade:
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, 
ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil 
--enable-validation && sudo reboot'
  2) Upgrade to the new grub2 package (you may need to download the updated 
package beforehand)
  3) Validate that grub2 prompts you to disable shim validation.

  = dkms =

  Prompting for dkms on install:
  1) Install r8168-dkms
  2) Verify that you're asked to disable shim validation, and walked through 
the process via debconf prompts.

  Prompting for dkms on upgrade
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, 
ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil 
--enable-validation && reboot'
  2) Upgrade to the new dkms package (you may need to download the updated 
package beforehand)
  3) Validate that dkms prompts you to disable shim validation.

  = shim =

  Booting:
  -> Validate that it allows booting grubx64.efi signed with the old key.
  -> Validate that it allows booting grubx64.efi signed with the new key.

  Validation toggle:
  0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is present;
  If MokSBStateRT is present:
  1) sudo mokutil --enable-validation && sudo reboot
  2) Validate that Mok asks you if you want to enable validation
  Otherwise:
  1) sudo mokutil --disable-validation && sudo reboot
  2) Validate that Mok asks you if you want to disable validation
  Finally:
  3) Complete the process to toggle validation state, reboot, and verify whether MokSBStateRT is present.
  4) Run mokutil again to toggle validation back to its former state.

  
  [Regression Potential]
  Issues to watch out for:
  - (dkms) not prompting on upgrade of a dkms package/dkms itself if validation is currently enabled (provided debconf does not have 
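
The shim "Validation toggle" test case above, as an added shell example that is not part of the original bug report or of any Ubuntu package: it records whether a MokSBStateRT-* variable exists before the reboot, names the mokutil command the test plan prescribes for that state, and checks after the reboot that the state flipped. The function names, the state file and the optional directory argument (used to point the check at a test directory instead of the real efivars mount) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helpers for the shim "Validation toggle" test case.
# Function names and the DIR/FILE arguments are hypothetical.

EFIVARS_DIR="/sys/firmware/efi/efivars"

# mok_state [DIR]: print "present" if any MokSBStateRT-* variable exists in
# DIR (default: the efivars mount), otherwise "absent".
mok_state() {
    dir="${1:-$EFIVARS_DIR}"
    for f in "$dir"/MokSBStateRT-*; do
        # An unmatched glob stays literal, so check the path really exists.
        if [ -e "$f" ]; then
            echo present
            return 0
        fi
    done
    echo absent
}

# toggle_command STATE: the command the test plan gives for step 1.
# Present -> --enable-validation, otherwise -> --disable-validation.
toggle_command() {
    case "$1" in
        present) echo "sudo mokutil --enable-validation" ;;
        absent)  echo "sudo mokutil --disable-validation" ;;
        *)       return 2 ;;
    esac
}

# expected_after_toggle STATE: the state step 3 should observe after the
# toggle has been completed and the machine rebooted.
expected_after_toggle() {
    case "$1" in
        present) echo absent ;;
        absent)  echo present ;;
        *)       return 2 ;;
    esac
}

# record_state FILE [DIR]: save the pre-toggle state so it survives the reboot.
record_state() {
    mok_state "$2" > "$1"
}

# verify_toggle FILE [DIR]: compare the current state with the recorded one.
# Returns 0 if the state flipped, 1 if it did not, 2 if FILE is unusable.
verify_toggle() {
    [ -r "$1" ] || return 2
    before="$(cat "$1")"
    want="$(expected_after_toggle "$before")" || return 2
    now="$(mok_state "$2")"
    if [ "$now" = "$want" ]; then
        echo "ok: MokSBStateRT went from $before to $now"
        return 0
    fi
    echo "FAIL: MokSBStateRT is still $now (expected $want)"
    return 1
}

# Typical use on a test machine (state file path is an assumption):
#   record_state /var/tmp/mok.before
#   toggle_command "$(cat /var/tmp/mok.before)"   # run what it prints, reboot
#   verify_toggle /var/tmp/mok.before             # after completing the Mok prompt
```

Running verify_toggle a second time after step 4 of the test plan, against a freshly recorded state, confirms the machine is back in its original validation state.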

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-01 Thread Steve Langasek
Accepted efivar into precise-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/efivar/0.21-1~12.04.1
in a few hours, and then in the -proposed repository.

** Changed in: efivar (Ubuntu Precise)
   Status: New => Fix Committed


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  Fix Committed
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  In Progress
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-01 Thread Steve Langasek
This efibootmgr upload to precise and trusty is not required; it was
only included because of a Breaks: from libefivar0 to older versions of
efibootmgr, but in 14.04 and older, efibootmgr does not depend on
libefivar0 at all so there is no runtime incompatibility.

The efivar in trusty should be adjusted to drop the versioned Breaks: on
efibootmgr; and I will remove the efibootmgr uploads from
trusty-proposed and precise-proposed.

** Changed in: efibootmgr (Ubuntu Precise)
   Status: Fix Committed => Invalid

** Changed in: efibootmgr (Ubuntu Trusty)
   Status: Fix Committed => Invalid


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  In Progress
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-01 Thread Steve Langasek
New upload required for efivar in trusty, to drop the spurious Breaks:.

** Changed in: efivar (Ubuntu Trusty)
   Status: Fix Committed => In Progress


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Invalid
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Invalid
Status in efivar source package in Trusty:
  In Progress
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-01 Thread Steve Langasek
Accepted mokutil into precise-proposed.  The package will build now and
be available at
https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~12.04.1 in a
few hours, and then in the -proposed repository.

** Changed in: mokutil (Ubuntu Precise)
   Status: New => Fix Committed


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Fix Committed
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  Fix Committed
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Fix Committed
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-06-01 Thread Chris J Arges
Hello Mathieu, or anyone else affected,

Accepted efibootmgr into precise-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/efibootmgr/0.12-4ubuntu1~12.04.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us in getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: efibootmgr (Ubuntu Precise)
   Status: New => Fix Committed

** Changed in: efibootmgr (Ubuntu Trusty)
   Status: New => Fix Committed


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  Fix Committed
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  Fix Committed
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-05-27 Thread Mathieu Trudel-Lapierre
** Also affects: efibootmgr (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: efibootmgr (Ubuntu)
   Status: New => Fix Released

** Changed in: efibootmgr (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: efibootmgr (Ubuntu Wily)
   Status: New => Fix Released


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efibootmgr package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efibootmgr source package in Precise:
  New
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efibootmgr source package in Trusty:
  New
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efibootmgr source package in Wily:
  Fix Released
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efibootmgr source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-05-25 Thread Andy Whitcroft
For completeness the kernel side of this is being tracked under bug
#1566221.


Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-05-20 Thread Mathieu Trudel-Lapierre
** Changed in: shim-signed (Ubuntu)
   Importance: Undecided => High

** Changed in: shim-signed (Ubuntu)
   Status: New => Fix Released

** Changed in: shim-signed (Ubuntu)
 Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Precise:
  New
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-05-16 Thread Mathieu Trudel-Lapierre
** Also affects: shim-signed (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in shim-signed package in Ubuntu:
  New
Status in dkms source package in Precise:
  New
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in shim-signed source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in shim-signed source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in shim-signed source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New
Status in shim-signed source package in Xenial:
  New

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-05-04 Thread Chris J Arges
Hello Mathieu, or anyone else affected,

Accepted mokutil into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~14.04.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to
enable and use -proposed.  Your feedback will aid us in getting this update
out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: mokutil (Ubuntu Trusty)
   Status: New => Fix Committed

** Tags added: verification-needed

** Changed in: mokutil (Ubuntu Wily)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in dkms source package in Precise:
  New
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  Fix Committed
Status in shim source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  Fix Committed
Status in shim source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-04-26 Thread Steve Langasek
** Changed in: efivar (Ubuntu Trusty)
   Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in dkms source package in Precise:
  New
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efivar source package in Trusty:
  Fix Committed
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  New
Status in shim source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  New
Status in shim source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in grub2-signed source package in Xenial:
  New
Status in mokutil source package in Xenial:
  Fix Released
Status in shim source package in Xenial:
  New

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-04-26 Thread Mathieu Trudel-Lapierre
** Also affects: efivar (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: grub2 (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: dkms (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: shim (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: grub2-signed (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: mokutil (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: efivar (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: grub2 (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: dkms (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: shim (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: grub2-signed (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: mokutil (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: efivar (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: grub2 (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: dkms (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: shim (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: grub2-signed (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: mokutil (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: efivar (Ubuntu Yakkety)
   Importance: Undecided
   Status: New

** Also affects: grub2 (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: dkms (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: shim (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: grub2-signed (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: mokutil (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: efivar (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Also affects: grub2 (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: dkms (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: shim (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: grub2-signed (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: mokutil (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: efivar (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Changed in: efivar (Ubuntu Wily)
   Status: New => Fix Released

** Changed in: efivar (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: efivar (Ubuntu Yakkety)
   Status: New => Fix Released

** Changed in: dkms (Ubuntu Xenial)
   Status: New => Fix Released

** No longer affects: dkms (Ubuntu Yakkety)

** No longer affects: efivar (Ubuntu Yakkety)

** No longer affects: grub2 (Ubuntu Yakkety)

** No longer affects: grub2-signed (Ubuntu Yakkety)

** No longer affects: mokutil (Ubuntu Yakkety)

** No longer affects: shim (Ubuntu Yakkety)

** Changed in: mokutil (Ubuntu Xenial)
   Status: New => Fix Released

** Changed in: mokutil (Ubuntu)
   Status: New => Fix Released

** Changed in: dkms (Ubuntu)
   Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  Fix Released
Status in efivar package in Ubuntu:
  Fix Released
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  Fix Released
Status in shim package in Ubuntu:
  New
Status in dkms source package in Precise:
  New
Status in efivar source package in Precise:
  New
Status in grub2 source package in Precise:
  New
Status in grub2-signed source package in Precise:
  New
Status in mokutil source package in Precise:
  New
Status in shim source package in Precise:
  New
Status in dkms source package in Trusty:
  New
Status in efivar source package in Trusty:
  New
Status in grub2 source package in Trusty:
  New
Status in grub2-signed source package in Trusty:
  New
Status in mokutil source package in Trusty:
  New
Status in shim source package in Trusty:
  New
Status in dkms source package in Wily:
  New
Status in efivar source package in Wily:
  Fix Released
Status in grub2 source package in Wily:
  New
Status in grub2-signed source package in Wily:
  New
Status in mokutil source package in Wily:
  New
Status in shim source package in Wily:
  New
Status in dkms source package in Xenial:
  Fix Released
Status in efivar source package in Xenial:
  Fix Released
Status in grub2 source package in Xenial:
  New
Status in 

[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-04-26 Thread Mathieu Trudel-Lapierre
That should have read, any version of mokutil below 0.3.0-0ubuntu3~ will
not work correctly with lts kernels on the LTS releases.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  New
Status in efivar package in Ubuntu:
  New
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  New
Status in shim package in Ubuntu:
  New

Bug description:
  [Rationale]
  Secure Boot is good. We want to be able to validate that as much as possible 
of the boot process happens with signed binaries; from our shim (the part that 
is loaded by the EFI firmware itself), down to grub2, the kernel, and even 
loaded modules.

  [Impact]
  All our users booting in UEFI; on all supported releases.

  [Test cases]
  

  Test cases here are separated by the components that need to be
  changed:

  = grub2 =

  Booting signed kernels:
  1) Try to boot a custom kernel
  2) Verify that the kernel will not be loaded by grub (you should see an error 
message about the signature)

  Prompting on upgrade:
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, 
ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil 
--enable-validation && sudo reboot'
  2) Upgrade to the new grub2 package (you may need to download the updated 
package beforehand)
  3) Validate that grub2 prompts you to disable shim validation.

  = dkms =

  Prompting for dkms on install:
  1) Install r8168-dkms
  2) Verify that you're asked to disable shim validation, and walked through 
the process via debconf prompts.

  Prompting for dkms on upgrade
  0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, 
ndiswrapper-dkms, bbswitch-dkms, etc.)
  1) Make sure that validation is enabled and reboot: 'sudo mokutil 
--enable-validation && reboot'
  2) Upgrade to the new dkms package (you may need to download the updated 
package beforehand)
  3) Validate that dkms prompts you to disable shim validation.

  = shim =

  Booting:
  -> Validate that it allows booting grubx64.efi signed with the old key.
  -> Validate that it allows booting grubx64.efi signed with the new key.

  Validation toggle:
  0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is
     present;
  If MokSBStateRT is present:
  1) sudo mokutil --enable-validation && sudo reboot
  2) Validate that Mok asks you if you want to enable validation
  Otherwise:
  1) sudo mokutil --disable-validation && sudo reboot
  2) Validate that Mok asks you if you want to disable validation
  Finally:
  3) Complete the process to toggle validation state, reboot, and verify
     whether MokSBStateRT is present.
  4) Run mokutil again to toggle validation back to its former state.

  
  [Regression Potential]
  Issues to watch out for:
  - (dkms) not prompting on upgrade of a dkms package/dkms itself if
    validation is currently enabled (provided debconf does not have
    dkms/disable_secureboot seen and set to false)
  - (dkms, on new shim) prompting unnecessarily if validation is already
    disabled
  - (grub) not prompting on upgrade ...
  - (grub) not prompting on upgrade across releases if validation is
    disabled; without the applied SRU on original release.
  - (grub, on new shim) prompting unnecessarily ...
  - (shim) failing to boot on some firmware that doesn't correctly follow
    specification
  - (shim) failing to load a properly-signed grub
  - (shim) accepting to load a badly-signed grub

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1574727/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
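
The "Validation toggle" check from the test plan above, as an added example that is not part of the bug report or of any Ubuntu package. It assumes efivarfs files hold 4 attribute bytes followed by the variable data and that a MokSBStateRT data byte of 1 means validation is disabled; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; assumptions are marked where they are used.

# make_sample DIR VALUE: write a constructed MokSBStateRT file for testing.
# Assumed layout: 4 attribute bytes + 1 data byte; the GUID is shim's own.
make_sample() {
    printf '\006\000\000\000' > "$1/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"
    printf "\\00$2" >> "$1/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"
}

# mok_state DIR: print enabled, disabled or unknown for shim validation.
mok_state() {
    [ -d "$1" ] || { echo unknown; return 0; }   # no efivarfs: not a UEFI boot
    found=
    for f in "$1"/MokSBStateRT-*; do
        if [ -e "$f" ]; then found=$f; break; fi
    done
    # Step 0 of the test plan: variable absent means validation is enabled.
    [ -n "$found" ] || { echo enabled; return 0; }
    # Count the bytes and keep the last one (assumption: 1 = disabled).
    info=$(od -An -v -t u1 "$found" | awk '{ n += NF; v = $NF } END { print n+0, v }')
    case $info in
        "5 1") echo disabled ;;
        *)     echo unknown ;;   # empty, truncated or unexpected payload
    esac
}

# next_toggle DIR: print the command the test plan runs for the current state.
next_toggle() {
    case $(mok_state "$1") in
        disabled) echo "sudo mokutil --enable-validation && sudo reboot" ;;
        enabled)  echo "sudo mokutil --disable-validation && sudo reboot" ;;
        *)        return 1 ;;
    esac
}

# toggle_took_effect BEFORE AFTER: step 3, the state must have flipped.
toggle_took_effect() {
    case "$1:$2" in
        enabled:disabled|disabled:enabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the state of the running system (override EFIVARS to test offline).
mok_state "${EFIVARS:-/sys/firmware/efi/efivars}"
```

Record `mok_state` before step 1 and again after the reboot in step 3, then pass both values to `toggle_took_effect`; an `unknown` result on either side should be investigated by hand rather than treated as a pass.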


[Kernel-packages] [Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

2016-04-26 Thread Mathieu Trudel-Lapierre
This also needs a mokutil update, as the version in >=14.04 will not
work correctly with *-lts* kernels.

** Also affects: mokutil (Ubuntu)
   Importance: Undecided
   Status: New

Title:
  [SRU] Enforce using signed kernels and modules on UEFI

Status in dkms package in Ubuntu:
  New
Status in grub2 package in Ubuntu:
  New
Status in grub2-signed package in Ubuntu:
  New
Status in mokutil package in Ubuntu:
  New
Status in shim package in Ubuntu:
  New
