[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys
Steve Langasek
steve.langasek at canonical.com
Sun Dec 15 04:34:31 UTC 2019
** Changed in: shim-signed (Ubuntu Bionic)
Status: New => In Progress
** Changed in: shim-signed (Ubuntu)
Status: New => Fix Committed
** Description changed:
- The version of MokManager currently in xenial-updates and later supports
- a MokTimeout variable, which can be set with mokutil --timeout, to
- control how long MokManager waits for input instead of having a hard-
- coded timeout of 10 seconds.
+ [SRU Justification]
+ The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the
MOK requests and passes control back to shim, which falls back to
booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key
enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part
of key generation for dkms modules, we should disable the timeout. We
should never leave the user with broken dkms modules on the system
because they were looking away from the console at the wrong point in
time during a reboot.
+
+ [Test case]
+ 1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
+ 2. Set a password to use for MOK enrollment.
+ 3. Reboot.
+ 4. Observe that there is a countdown on MokManager. Let the timer expire.
+ 5. Install the shim-signed package from -proposed.
+ 6. Purge the virtualbox-dkms and dkms packages.
+ 7. sudo rm -rf /var/lib/shim-signed.
+ 8. Repeat steps 1 through 3.
+ 9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute).
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1856422
Title:
always call mokutil with --timeout -1 when enrolling dkms keys
Status in shim-signed package in Ubuntu:
Fix Committed
Status in ubiquity package in Ubuntu:
New
Status in shim-signed source package in Bionic:
In Progress
Status in ubiquity source package in Bionic:
New
Status in shim-signed source package in Eoan:
New
Status in ubiquity source package in Eoan:
Won't Fix
Bug description:
[SRU Justification]
The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the
MOK requests and passes control back to shim, which falls back to
booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key
enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as
part of key generation for dkms modules, we should disable the
timeout. We should never leave the user with broken dkms modules on
the system because they were looking away from the console at the
wrong point in time during a reboot.
[Test case]
1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
2. Set a password to use for MOK enrollment.
3. Reboot.
4. Observe that there is a countdown on MokManager. Let the timer expire.
5. Install the shim-signed package from -proposed.
6. Purge the virtualbox-dkms and dkms packages.
7. sudo rm -rf /var/lib/shim-signed.
8. Repeat steps 1 through 3.
9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions
More information about the foundations-bugs
mailing list