** Description changed: [Impact] - All Ubuntu users on UEFI systems + Potentially any Ubuntu users on UEFI systems; as mokutil is used to control from the userland the behavior of Secure Boot via shim. + + New features have been introduced in mokutil that we'll want to make use + of in supported releases along with the new shim updates: + + - Better control of timeout for the MokManager prompts + - Exporting PK, KEK, DB, MOK keys to be used to streamline upgrades and avoid failing upgrades when custom-signed kernels are in use. [Test case] == Disabling timeout == 1) Run 'sudo mokutil --timeout -1'. 2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager) 2) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu. == Changing timeout == 1) Run 'sudo mokutil --timeout 666'. 2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager) 2) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input. == Exporting keys == 1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc. 2) Validate that mokutil allows exporting the contents of DB, KEK, etc. [Regression potential] This affects the userland tool used to communicate tasks to have done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update. --- Update mokutil to a git snapshot of fb6250f2. Changes since cca7219 (current git snapshot in cosmic): fb6250f Update TODO af2387a Rename export_moks as export_db_keys 4efbb0e Add support for exporting other keys f0217e5 add new --mok argument 73c045b set list-enrolled command as default for some arguments 382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled 303ee33 Correct help: --set-timeout is really --timeout 385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds c8b26c2 Add the type casting to silence the warning
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1797011 Title: [FFE] Update mokutil to fb6250f2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
