[Bug 1797011] Re: [FFE] Update mokutil to fb6250f2

Mathieu Trudel-Lapierre mathieu.tl at gmail.com
Thu Oct 25 17:25:09 UTC 2018


Verification-done for mokutil 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1
on bionic:

I have verified that timeout, export, and reset / toggle-validation
features in mokutil all work, as a verification for the new features and
smoketesting for the existing features already in use.

When using timeout, export, reset and toggle-validation, mokutil
correctly writes the variables in the firmware that cause the system to
boot next into MokManager to process the requests.

ubuntu@lucky-moth:~$ apt-cache policy mokutil
mokutil:
  Installed: 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1
  Candidate: 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1
  Version table:
 *** 0.3.0+1538710437.fb6250f-0ubuntu2~18.04.1 501
         -1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     0.3.0-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages


ubuntu@lucky-moth:~$ sudo mokutil --export --kek
ubuntu@lucky-moth:~$ openssl x509 -inform DER -in KEK-0001.der -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            94:cb:af:49:cd:56:a7:d8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-devel at lists.ubuntu.com
        Validity
            Not Before: Jun 20 21:48:46 2018 GMT
            Not After : Jun 17 21:48:46 2028 GMT
        Subject: CN = Ubuntu OVMF Secure Boot (PK/KEK key), emailAddress = ubuntu-devel at lists.ubuntu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
[...]

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mokutil in Ubuntu.
Matching subscriptions: mokutil-bugs
https://bugs.launchpad.net/bugs/1797011

Title:
  [FFE] Update mokutil to fb6250f2

Status in mokutil package in Ubuntu:
  Fix Released
Status in mokutil source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  All Ubuntu users on UEFI systems

  [Test case]

  == Disabling timeout ==
  1) Run 'sudo mokutil --timeout -1'.
  2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
  3) On reboot, validate that MokManager does not show a timeout screen, and instead immediately stops at the menu.

  == Changing timeout ==
  1) Run 'sudo mokutil --timeout 666'.
  2) Run 'sudo mokutil --reset' (or another command that requires user interaction in MokManager)
  3) On reboot, validate that MokManager shows a timer of 666 seconds before continuing to reboot, waiting for user input.

  == Exporting keys ==
  1) Run 'sudo mokutil --export --db'; 'sudo mokutil --export --kek', etc.
  2) Validate that mokutil allows exporting the contents of DB, KEK, etc.

  [Regression potential]
  This affects the userland tool used to communicate tasks to be done by MokManager at early boot. As such, any failure to enroll certificates, to disable validation in shim, to export keys or list keys should be investigated as possible regressions caused by this update.

  ---

  Update mokutil to a git snapshot of fb6250f2.

  Changes since cca7219 (current git snapshot in cosmic):

  fb6250f Update TODO
  af2387a Rename export_moks as export_db_keys
  4efbb0e Add support for exporting other keys
  f0217e5 add new --mok argument
  73c045b set list-enrolled command as default for some arguments
  382ba20 Add more info to --sb-state: show when we're in SetupMode or with shim validation disabled
  303ee33 Correct help: --set-timeout is really --timeout
  385a7dd generate_hash() / generate_pw_hash(): don't use strlen() for strncpy bounds
  c8b26c2 Add the type casting to silence the warning

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1797011/+subscriptions
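
The "Exporting keys" test case above can be checked mechanically instead of reading each `openssl x509 -text` dump by eye. The following is an added example, not part of the original message or of mokutil; the function name `verify_exported_keys` is hypothetical, and it assumes the exported entries are X.509 certificates written as `*.der` files (like `KEK-0001.der` in the session above) and that `openssl` is installed.

```shell
#!/bin/sh
# Added example: sanity-check the DER files written by 'mokutil --export'.
# Assumption: the files sit in the directory given as $1 (default: current
# directory) and are named like KEK-0001.der, as in the session above.
# Typical use after 'sudo mokutil --export --kek':
#   verify_exported_keys .

verify_exported_keys() {
    dir=${1:-.}
    total=0
    bad=0
    for f in "$dir"/*.der; do
        [ -e "$f" ] || continue      # the glob matched nothing
        total=$((total + 1))
        # Parse as DER X.509; a truncated or non-certificate file fails here.
        if ! info=$(openssl x509 -inform DER -in "$f" -noout \
                        -subject -enddate -fingerprint -sha256 2>/dev/null); then
            echo "FAIL $f: not a parseable DER X.509 certificate"
            bad=$((bad + 1))
            continue
        fi
        # -checkend 0 exits non-zero when the certificate has already expired.
        # Expiry is reported for the reviewer but not counted as a failure.
        if openssl x509 -inform DER -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            echo "OK   $f"
        else
            echo "OK   $f (parses, but the certificate has expired)"
        fi
        # Subject, end date and SHA-256 fingerprint, indented under the file.
        echo "$info" | sed 's/^/       /'
    done
    if [ "$total" -eq 0 ]; then
        echo "FAIL no .der files found in $dir"
        return 2
    fi
    echo "$total file(s) checked, $bad unparseable"
    [ "$bad" -eq 0 ]
}
```

The function returns 0 when every exported file parses, 1 when at least one does not, and 2 when the export produced no files at all.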


