** Description changed: [Rationale] Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules. [Impact] All our users booting in UEFI; on all supported releases. [Test cases] - <FIXME: add more test cases> + https://docs.google.com/spreadsheets/d/1GbyQDb4-sRv7OlIpbISiwVJ2ARHP3AkG2HbPTRk7p-E/edit#gid=0 Test cases here are separated by the components that need to be changed: + + = mokutil = + + Adding a MOK key: + 1) Install system + 2) Run 'mokutil --import <file.der>' to import a signing certificate. + 3) On reboot; validate MOK prompts for new MOK key to add. + + Toggling Secure Boot state: + 1) Install system + 2) mokutil --enable-validation or mokutil --disable-validation + 3) Validate that on reboot MOK prompts to change Secure Boot state. + + Listing keys: + 1) mokutil --list-enrolled + -- should list keys previously enrolled, and Microsoft keys on systems that are configured with them for factory Secure Boot. + + + = efivar = + + libefivar0 gets tested via the use of mokutil. Since it is a library + with no directly usable binaries; we rely on mokutil / sbsigntool / + efibootmgr to do testing. + + 1) Run efibootmgr -v ; verify it lists BootEntries. + 2) Run efibootmgr -c -L ubuntu2 -l \\EFI\\ubuntu\\shimx64.efi ; verify that on reboot; you can get into a boot menu that will list 'ubuntu2', and that picking that boot entry boots into Ubuntu. + + + = shim-signed = + + 1) Install system; upgrade to new packages + 1b) Verify /proc/sys/kernel/secure_boot shows 1. + 1c) Verify /proc/sys/kernel/moksbstate_disabled shows 0. + 2) Run 'sudo update-secureboot-policy'; validate that it prompts to disable Secure Boot if it's not already disabled. + 3) Run 'sudo update-secureboot-policy'; validate you are not prompted again to disable Secure Boot. + 4) Reboot; follow MOK steps to disable Secure Boot. + 4b) Verify /proc/sys/kernel/secure_boot shows 1. + 4c) Verify /proc/sys/kernel/moksbstate_disabled shows 1. + 5) Run 'sudo update-secureboot-policy --enable'; validate you are prompted to enable Secure Boot. + 6) Reboot; follow MOK steps to re-enable Secure Boot. + 6b) Verify /proc/sys/kernel/secure_boot shows 1. + 6c) Verify /proc/sys/kernel/moksbstate_disabled shows 0. + = grub2 = Booting signed kernels: 1) Try to boot a custom kernel 2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature) Prompting on upgrade: 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot' 2) Upgrade to the new grub2 package (you may need to download the updated package beforehand) 3) Validate that grub2 prompts you to disable shim validation. + = dkms = Prompting for dkms on install: 1) Install r8168-dkms 2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts. Prompting for dkms on upgrade 0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.) 1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot' 2) Upgrade to the new dkms package (you may need to download the updated package beforehand) 3) Validate that dkms prompts you to disable shim validation. + = shim = Booting: -> Validate that it allows booting grubx64.efi signed with the old key. -> Validate that it allows booting grubx64.efi signed with the new key. Validation toggle: 0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is present; If MokSBStateRT is preset: 1) sudo mokutil --enable-validation && sudo reboot 2) Validate that Mok asks you if you want to enable validation Otherwise: 1) sudo mokutil --disable-validation && sudo reboot 2) Validate that Mok asks you if you want to disable validation Finally: 3) Complete the process to toggle validation state, reboot, and verify whether MokSBStateRT is present. 4) Run mokutil again to toggle validation back to its former state. - [Regression Potential] Issues to watch out for: - (dkms) not prompting on upgrade of a dkms package/dkms itself if validation is currently enabled (provided debconf does not have dkms/disable_secureboot seen and set to false) - (dkms, on new shim) prompting unnecessarily if validation is already disabled - (grub) not prompting on upgrade ... - (grub) not prompting on upgrade across releases if validation is disabled; without the applied SRU on original release. - (grub, on new shim) prompting unecessarily ... - (shim) failing to boot on some firmware that doesn't correctly follow specification - (shim) failing to load a properly-signed grub - (shim) accepting to load a badly-signed grub
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1574727 Title: [SRU] Enforce using signed kernels and modules on UEFI To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1574727/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
