[Bug 1856422] Re: always call mokutil with --timeout -1 when enrolling dkms keys

Steve Langasek steve.langasek at canonical.com
Sun Dec 15 04:34:31 UTC 2019


** Changed in: shim-signed (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: shim-signed (Ubuntu)
       Status: New => Fix Committed

** Description changed:

- The version of MokManager currently in xenial-updates and later supports
- a MokTimeout variable, which can be set with mokutil --timeout, to
- control how long MokManager waits for input instead of having a hard-
- coded timeout of 10 seconds.
+ [SRU Justification]
+ The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.
  
  If the timeout is reached on boot with no input, MokManager clears the
  MOK requests and passes control back to shim, which falls back to
  booting the OS.
  
  So if you miss seeing MokManager on boot, you have to restart the key
  enrollment process from the OS and reboot again.
  
  When we are invoking mokutil automatically on behalf of the user as part
  of key generation for dkms modules, we should disable the timeout.  We
  should never leave the user with broken dkms modules on the system
  because they were looking away from the console at the wrong point in
  time during a reboot.
+ 
+ [Test case]
+ 1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
+ 2. Set a password to use for MOK enrollment.
+ 3. Reboot.
+ 4. Observe that there is a countdown on MokManager.  Let the timer expire.
+ 5. Install the shim-signed package from -proposed.
+ 6. Purge the virtualbox-dkms and dkms packages.
+ 7. sudo rm -rf /var/lib/shim-signed.
+ 8. Repeat steps 1 through 3.
+ 9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1856422

Title:
  always call mokutil with --timeout -1 when enrolling dkms keys

Status in shim-signed package in Ubuntu:
  Fix Committed
Status in ubiquity package in Ubuntu:
  New
Status in shim-signed source package in Bionic:
  In Progress
Status in ubiquity source package in Bionic:
  New
Status in shim-signed source package in Eoan:
  New
Status in ubiquity source package in Eoan:
  Won't Fix

Bug description:
  [SRU Justification]
  The version of MokManager currently in all releases supports a MokTimeout variable, which can be set with mokutil --timeout, to control how long MokManager waits for input instead of having a hard-coded timeout of 10 seconds.

  If the timeout is reached on boot with no input, MokManager clears the
  MOK requests and passes control back to shim, which falls back to
  booting the OS.

  So if you miss seeing MokManager on boot, you have to restart the key
  enrollment process from the OS and reboot again.

  When we are invoking mokutil automatically on behalf of the user as
  part of key generation for dkms modules, we should disable the
  timeout.  We should never leave the user with broken dkms modules on
  the system because they were looking away from the console at the
  wrong point in time during a reboot.

  [Test case]
  1. On a system with SecureBoot enabled, install the virtualbox-dkms package.
  2. Set a password to use for MOK enrollment.
  3. Reboot.
  4. Observe that there is a countdown on MokManager.  Let the timer expire.
  5. Install the shim-signed package from -proposed.
  6. Purge the virtualbox-dkms and dkms packages.
  7. sudo rm -rf /var/lib/shim-signed.
  8. Repeat steps 1 through 3.
  9. Observe that there is no countdown on MokManager, and that it waits indefinitely for input (confirm that this is the case by sitting at the screen for at least 1 minute).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1856422/+subscriptions
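The failure mode described above (a pending MOK request silently dropped when the MokManager countdown expires) can be checked for before rebooting. The following is an added example, not shim-signed's or mokutil's own code; it assumes that mokutil stores MokTimeout as a 4-byte little-endian signed integer under shim's vendor GUID 605dab50-e046-4300-abb6-3dd810dd8b23, that efivarfs prefixes each variable with a 4-byte attribute word, and that any non-negative value is a countdown in seconds while -1 means "wait indefinitely".

```python
import struct
from pathlib import Path

# shim's vendor GUID for MokNew/MokTimeout (assumption; the bug report does not quote it)
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFIVARS = Path("/sys/firmware/efi/efivars")
DEFAULT_TIMEOUT = 10  # MokManager's hard-coded countdown when MokTimeout is absent
NO_TIMEOUT = -1       # the value `mokutil --timeout -1` stores

def parse_mok_timeout(raw):
    """Decode an efivarfs MokTimeout blob. None means the variable is not set.
    Assumes a 4-byte efivarfs attribute word followed by a little-endian int32."""
    if raw is None:
        return None
    if len(raw) != 8:
        raise ValueError("unexpected MokTimeout size: %d bytes" % len(raw))
    (timeout,) = struct.unpack_from("<i", raw, 4)  # skip the attribute word
    return timeout

def effective_timeout(raw):
    """Seconds MokManager will count down, or NO_TIMEOUT when it waits forever."""
    timeout = parse_mok_timeout(raw)
    return DEFAULT_TIMEOUT if timeout is None else timeout

def enrollment_at_risk(moknew_pending, raw_timeout):
    """True when the next reboot could silently drop the pending MOK request:
    a MokNew request exists but MokManager would still run a countdown."""
    return moknew_pending and effective_timeout(raw_timeout) >= 0

def read_efivar(name):
    """Read a shim variable from efivarfs, or None if it does not exist."""
    path = EFIVARS / f"{name}-{SHIM_LOCK_GUID}"
    return path.read_bytes() if path.exists() else None

def check_live():
    """Run the check against the real efivarfs (needs a UEFI system and root)."""
    pending = read_efivar("MokNew") is not None
    return pending, enrollment_at_risk(pending, read_efivar("MokTimeout"))

# Constructed samples: attribute word 0x07 (NV|BS|RT) followed by the int32 value.
SAMPLE_DEFAULT = None                                             # no MokTimeout set
SAMPLE_DISABLED = b"\x07\x00\x00\x00" + struct.pack("<i", NO_TIMEOUT)

if __name__ == "__main__":
    for label, raw in (("unset", SAMPLE_DEFAULT), ("-1", SAMPLE_DISABLED)):
        print(f"MokTimeout {label}: countdown={effective_timeout(raw)}, "
              f"pending enrollment at risk={enrollment_at_risk(True, raw)}")
```

Running `check_live()` after step 2 of the test case, before the reboot in step 3, shows whether the enrollment request is still exposed to the countdown.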
