[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release ** Changed in: shim (Ubuntu Precise) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release ** Changed in: dkms (Ubuntu Precise) Status: New => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

The update of shim, grub, mokutil and others to use signed kernels and modules are mostly done; one further step that needs to happen is to have grub enforce that kernels are properly signed, and refuse to load unsigned kernels (rather than falling back from the linuxefi module which checks

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package shim-signed - 1.18~12.04.1 --- shim-signed (1.18~12.04.1) precise; urgency=medium * update-secureboot-policy: If /proc/sys/kernel/moksbstate_disabled is present, prefer this unconditionally over MokSBStateRT. LP: #1604873. -- Steve Langasek

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Verification-successful for shim-signed on precise --- all that is required is there: the update-secureboot-policy script does what it should and is run as expected. However, it looks like MokManager.efi (which isn't something coming from shim-signed) isn't installed on the system under

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Changed in: efivar (Ubuntu Trusty) Status: Fix Released => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI To

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

efivar for trusty ended up not being needed. ** Changed in: efivar (Ubuntu Trusty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU]

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package grub2-signed - 1.66.1 --- grub2-signed (1.66.1) xenial; urgency=medium * Rebuild against grub2 2.02~beta2-36ubuntu3.1. (LP: #1574727) -- Mathieu Trudel-Lapierre Thu, 12 May 2016 09:46:16 -0400 -- You received this bug

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.1 --- grub2 (2.02~beta2-36ubuntu3.1) xenial; urgency=medium * debian/postinst.in: replace setup_mok_validation with a call to update-secureboot-policy, a script shipped by shim-signed. (LP: #1574727) *

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package shim-signed - 1.17~16.04.1 --- shim-signed (1.17~16.04.1) xenial; urgency=medium * Backport shim-signed 1.17 to 16.04. (LP: #1574727) -- Mathieu Trudel-Lapierre Thu, 07 Jul 2016 20:17:24 -0400 -- You received this bug

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package shim-signed - 1.17~14.04.1 --- shim-signed (1.17~14.04.1) trusty; urgency=medium * Backport shim-signed 1.17 to 14.04. (LP: #1574727) -- Mathieu Trudel-Lapierre Thu, 07 Jul 2016 20:17:24 -0400 ** Changed in: mokutil

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package shim-signed - 1.17~15.10.1 --- shim-signed (1.17~15.10.1) wily; urgency=medium * Backport shim-signed 1.17 to 15.10. (LP: #1574727) -- Mathieu Trudel-Lapierre Thu, 07 Jul 2016 20:17:24 -0400 ** Changed in: shim-signed

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package dkms - 2.2.0.3-2ubuntu6.2 --- dkms (2.2.0.3-2ubuntu6.2) wily; urgency=medium * debian/patches/shim_secureboot_support.patch: use update-secureboot-policy, which has the benefit of being handled via triggers, to allow users to toggle

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.6 --- dkms (2.2.0.3-1.1ubuntu5.14.04.6) trusty; urgency=medium * debian/patches/shim_secureboot_support.patch: use update-secureboot-policy, which has the benefit of being handled via triggers, to allow users to

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~15.10.1 --- mokutil (0.3.0-0ubuntu3~15.10.1) wily; urgency=medium * Backport mokutil to wily. (LP: #1574727) -- Mathieu Trudel-Lapierre Tue, 26 Apr 2016 11:04:30 -0400 ** Changed in: dkms (Ubuntu

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~14.04.1 --- mokutil (0.3.0-0ubuntu3~14.04.1) trusty; urgency=medium * Backport mokutil to trusty. (LP: #1574727) -- Mathieu Trudel-Lapierre Tue, 26 Apr 2016 10:59:59 -0400 ** Changed in: mokutil

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Verification done for XENIAL: grub2-signed, dkms, shim-signed all found to be working as expected. Test cases pass. As previously discussed, the grub2-signed update is not especially useful in itself and does need to drop the calls to mokutil, but will need a further SRU to remove calling

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Verification-done for WILY: mokutil, dkms, shim-signed all found to be working as expected. Test cases pass. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Verification-done for TRUSTY: efivar, mokutil, dkms, shim-signed all found to be working at expected. Test cases pass. ** Tags added: verification-done-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.17~16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

There are about 10 packages being SRUed here, and no information given in the preceding tag change about what testing has been done. So I have my doubts that this tag really means all the SRUs have been verified for all releases :) Resetting. ** Tags removed: verification-done ** Tags added:

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Tags removed: verification-needed ** Tags added: verification-done -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI To manage

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Tags removed: verification-done-precise -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI To manage notifications about this

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package efivar - 0.21-1~12.04.1 --- efivar (0.21-1~12.04.1) precise; urgency=medium * Backport efivar to 12.04; to support mokutil. (LP: #1574727) - debian/patches/port-nvme-support.patch: define the NVME ID IOCTL (only required to successfully

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package mokutil - 0.3.0-0ubuntu3~12.04.1 --- mokutil (0.3.0-0ubuntu3~12.04.1) precise; urgency=medium * Backport to precise: (LP: #1574727) - debian/patches/precise-gcc-options.patch: drop to building against the gnu99 standard, rather than

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Tags removed: verification-failed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI To manage notifications about this bug go

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.16~16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Changed in: grub2-signed (Ubuntu Precise) Status: New => Invalid ** Changed in: grub2 (Ubuntu Precise) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Changed in: grub2-signed (Ubuntu Trusty) Status: Fix Committed => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

xenial still needs an SRU to drop the previous setup_mok_validation code (but not add update-secureboot-policy). ** Changed in: grub2-signed (Ubuntu Xenial) Status: Fix Committed => In Progress ** Changed in: grub2 (Ubuntu Wily) Status: New => Invalid ** Changed in: grub2 (Ubuntu

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Having reviewed and discussed the changes to grub in the SRU queue, I have concluded that the grub2 SRU is both insufficient (because upgrade ordering does not ensure that the update-secureboot-policy command is available when grub is upgraded) and unnecessary (because shim-signed should apply the

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted grub2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.10 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.11 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.15~14.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted shim-signed into wily-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.15~15.10.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Description changed: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

precise: - verified efivar & sbsigntool - verified mokutil Verification passes for these SRUs. ** Tags added: verification-done-precise -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title:

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Changed in: shim-signed (Ubuntu Wily) Status: New => In Progress ** Changed in: shim-signed (Ubuntu Trusty) Status: New => In Progress ** Changed in: shim-signed (Ubuntu Precise) Status: New => In Progress -- You received this bug notification because you are a member

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Meh, I meant to release grub2{,-signed} for trusty, fat-fingered this. I removed the copy into -updates, as this is premature. ** Changed in: grub2 (Ubuntu Xenial) Status: Fix Released => Fix Committed ** Changed in: grub2-signed (Ubuntu Xenial) Status: Fix Released => Fix

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package grub2-signed - 1.66.1 --- grub2-signed (1.66.1) xenial; urgency=medium * Rebuild against grub2 2.02~beta2-36ubuntu3.1. (LP: #1574727) -- Mathieu Trudel-Lapierre Thu, 12 May 2016 09:46:16 -0400 -- You received this bug

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.1 --- grub2 (2.02~beta2-36ubuntu3.1) xenial; urgency=medium * debian/postinst.in: replace setup_mok_validation with a call to update-secureboot-policy, a script shipped by shim-signed. (LP: #1574727) *

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted grub2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim- signed/1.14~16.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Changed in: efivar (Ubuntu Trusty) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Accepted efivar into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/efivar/0.21-1~12.04.1 in a few hours, and then in the -proposed repository. ** Changed in: efivar (Ubuntu Precise) Status: New => Fix Committed -- You received this

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

New upload required for efivar in trusty, to drop the spurious Breaks:. ** Changed in: efivar (Ubuntu Trusty) Status: Fix Committed => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This efibootmgr upload to precise and trusty is not required; it was only included because of a Breaks: from libefivar0 to older versions of efibootmgr, but in 14.04 and older, efibootmgr does not depend on libefivar0 at all so there is no runtime incompatibility. The efivar in trusty should be

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Accepted mokutil into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~12.04.1 in a few hours, and then in the -proposed repository. ** Changed in: mokutil (Ubuntu Precise) Status: New => Fix Committed -- You

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted efibootmgr into precise-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/efibootmgr/0.12-4ubuntu1~12.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Also affects: efibootmgr (Ubuntu) Importance: Undecided Status: New ** Changed in: efibootmgr (Ubuntu) Status: New => Fix Released ** Changed in: efibootmgr (Ubuntu Xenial) Status: New => Fix Released ** Changed in: efibootmgr (Ubuntu Wily) Status: New => Fix

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

For completeness the kernel side of this is being tracked under bug #1566221. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI To

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Changed in: shim-signed (Ubuntu) Importance: Undecided => High ** Changed in: shim-signed (Ubuntu) Status: New => Fix Released ** Changed in: shim-signed (Ubuntu) Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox) -- You received this bug notification because you

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Also affects: shim-signed (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

Hello Mathieu, or anyone else affected, Accepted mokutil into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.3.0-0ubuntu3~14.04.1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Changed in: efivar (Ubuntu Trusty) Status: New => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI To

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

** Also affects: efivar (Ubuntu) Importance: Undecided Status: New ** Also affects: grub2 (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: dkms (Ubuntu Precise) Importance: Undecided Status: New ** Also affects: shim (Ubuntu Precise)

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

That should have read, any version of mokutil below 0.3.0-0ubuntu3~ will not work correctly with lts kernels on the LTS releases. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU]

[Bug 1574727] Re: [SRU] Enforce using signed kernels and modules on UEFI

This also needs a mokutil update, as the version in >=14.04 will not work correctly with *-lts* kernels. ** Also affects: mokutil (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.