[Bug 1833277] Re: Livepatch widget should link to secure boot information on error
Matthew Paul Thomas
mpt at canonical.com
Mon Jul 1 11:21:56 UTC 2019
If you aren’t signed in to Ubuntu One, that’s not an “error”, it’s just
a reason that you can’t use Livepatch right now. So we make you sign in
before turning on Livepatch in the first place. And if you become
signed-out after Livepatch is turned on, a dialog should direct you back
to the settings to resolve the situation (though it seems I never
specced the dialog part, oops).
I think the same applies to having Secure Boot on without the Livepatch
key imported. It’s a situation we understand, and there is a way to fix
it, so it needn’t be a grumpy “error”, it’s just a reason that you can’t
use Livepatch right now. (That the moment we discover it happens to be
while applying an update is an implementation detail, it’s not the fault
of that particular update.) We could guide you to import the key, then
restart, before turning on Livepatch in the first place. And if you turn
on Secure Boot — or un-import the key? — after Livepatch is turned on, a
dialog could direct you back to the settings to resolve the situation.
Questions:
1. Is that approach practical? That is, detect Secure Boot and key-
import state whenever you navigate to this settings tab, with a button
to open a PolicyKit dialog for you to import the key then restart. And
an equivalent button in a dialog if a Livepatch update doesn’t apply for
that reason.
2. If it is practical, should I go ahead and design it in more detail,
or is it so complicated + common that we need temporary help text
instead for 19.10?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-notifier in Ubuntu.
https://bugs.launchpad.net/bugs/1833277
Title:
Livepatch widget should link to secure boot information on error
Status in update-notifier package in Ubuntu:
Triaged
Bug description:
The livepatch widget will show an error[0] if patches cannot be
applied. They cannot be applied on a Secure Boot system unless the
livepatch signing key is imported. Unfortunately this requires a
reboot and some confirmation in the UEFI settings, so it can't be
automated.
`canonical-livepatch help` displays some instructions to fix this:
SECUREBOOT:
If you are using secure boot, you will also need to import the livepatch public keys into your keyring.
This can be done with the following command:
sudo mokutil --import /snap/canonical-livepatch/current/keys/livepatch-kmod.x509
After this enter a password if necessary for MOK, then reboot.
Your BIOS will then guide you through enrolling a new key in MOK.
At this point you will be able to verify the module signatures.
This is probably something worth linking to from that error message.
In general, we might need a page explaining other reasons the kernel
can't be patched, how to get more details from the system log, etc.
c at slate:~$ canonical-livepatch status
client-version: 9.3.0
architecture: x86_64
cpu-model: Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
last-check: 2019-06-18T10:40:35-05:00
boot-time: 2019-06-18T11:05:06-05:00
uptime: 50m59s
status:
- kernel: 4.15.0-51.55-generic
  running: true
  livepatch:
    checkState: check-failed
    patchState: apply-failed
    version: "52.3"
    fixes: |-
      * CVE-2019-11477
      * CVE-2019-11478
[0] https://drive.google.com/file/d/1cQbtCNE-ekoPO159SJDwKrjPGpkSuucm/view?usp=sharing
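As an added example, not code from this bug report, from update-notifier or from the canonical-livepatch snap: a POSIX shell sketch of the readiness check that question 1 above asks about, combining the `mokutil --import` procedure quoted from `canonical-livepatch help` with a detection step. It reads the SecureBoot EFI variable, tests whether the Livepatch key is already in the MOK list, and only then offers the import and reboot. Assumptions of mine: the efivarfs path and layout (a 4-byte attribute word followed by a 1-byte value), that `mokutil --test-key` exits 0 when the key is enrolled and non-zero otherwise, and that the key path from the help text is still current; the function names are hypothetical.

```shell
#!/bin/sh
# Livepatch Secure Boot readiness check (illustrative; not part of update-notifier).
set -eu

# Assumed locations; override via the environment. The efivars name is the
# SecureBoot variable under the EFI global variable GUID.
SB_EFIVAR=${SB_EFIVAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}
LIVEPATCH_KEY=${LIVEPATCH_KEY:-/snap/canonical-livepatch/current/keys/livepatch-kmod.x509}
MOKUTIL=${MOKUTIL:-mokutil}

# secure_boot_state FILE -> prints enabled | disabled | unknown
# efivarfs exposes each variable as 4 attribute bytes followed by its data;
# SecureBoot's data is a single byte, 1 when enforcement is on.
secure_boot_state() {
  f=$1
  [ -r "$f" ] || { echo unknown; return 0; }   # non-UEFI boot, or not mounted
  v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
  case "$v" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;   # truncated or unexpected contents
  esac
}

# key_enrolled KEYFILE -> exit 0 if the MOK list already contains the key
# (assumption: mokutil --test-key reports enrollment through its exit status)
key_enrolled() {
  "$MOKUTIL" --test-key "$1" >/dev/null 2>&1
}

# livepatch_readiness -> prints ready | needs-key-import | unknown
# This is the state a settings tab would evaluate on every visit, so the
# "import the key, then reboot" guidance appears before Livepatch is turned on,
# not as an error after an update fails to apply.
livepatch_readiness() {
  case "$(secure_boot_state "$SB_EFIVAR")" in
    disabled) echo ready ;;   # module signatures are not enforced; nothing to enroll
    enabled)
      if key_enrolled "$LIVEPATCH_KEY"; then echo ready; else echo needs-key-import; fi ;;
    *) echo unknown ;;
  esac
}

# import_key: queue the key for MOK enrollment. mokutil asks for a one-time
# password; the enrollment itself is confirmed in MokManager after the reboot,
# which is why this step cannot be completed without user interaction.
import_key() {
  sudo "$MOKUTIL" --import "$LIVEPATCH_KEY"
  echo "Reboot, choose 'Enroll MOK' in the firmware MokManager screen, then re-run: $0 check"
}

case "${1:-}" in
  check)  livepatch_readiness ;;
  import) import_key ;;
esac
```

Run `sh livepatch-sb-check.sh check` to get one of the three states; a GUI would map `needs-key-import` to the button and PolicyKit prompt described in question 1, and `unknown` to the generic "see the system log" guidance the description asks for.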