backport needed to enable users to reset SBAT level

Bug #2015664 reported by Steve Langasek
Affects            Status        Importance  Assigned to     Milestone
mokutil (Ubuntu)
  Bionic           Fix Released  High        Steve Langasek
  Focal            Fix Released  High        Unassigned
  Jammy            Fix Released  High        Unassigned

Bug Description

[Impact]

After installing the most recent point releases of Ubuntu (Ubuntu 20.04.6, 22.04.2, or 23.04 beta), if the user has SecureBoot enabled (which is definitely recommended on UEFI systems) they will subsequently be unable to boot older OS install media which has not bumped its SBAT level since December 2022.

While this is the correct default security policy as explained at https://discourse.ubuntu.com/t/sbat-revocations-boot-process/34996, users also need to be able to have control over their SBAT level so that they have the choice to downgrade the security level and boot other install media (up to and including older ESM-supported Ubuntu releases for which no updated media will be issued).

In order to clear the SBAT level recorded in firmware, we need an updated version of mokutil corresponding to the shim which has been backported in these releases.

[Test Plan]

Preparation:

* Create a directory for testing:
 $ mkdir test-lp2015664
 $ cd test-lp2015664

* Install ovmf and qemu-system-x86 packages:
 $ sudo apt install ovmf qemu-system-x86 -y

* Download 22.04.2, 22.04.1, and 20.04.5 ISOs:
 $ wget https://releases.ubuntu.com/jammy/ubuntu-22.04.2-desktop-amd64.iso
 $ wget https://old-releases.ubuntu.com/releases/22.04.1/ubuntu-22.04.1-desktop-amd64.iso
 $ wget https://old-releases.ubuntu.com/releases/20.04.5/ubuntu-20.04.5-desktop-amd64.iso

* Download the secureboot-vm script:
 $ wget https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/2015664/+attachment/5668662/+files/secureboot-vm
 $ chmod +x secureboot-vm

Test for Jammy:

* Boot 22.04.2 ISO to grub, and then poweroff the VM. This boots the latest shim, which revokes the grub,1 SBAT level:
 $ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso

* Attempt to boot the 22.04.1 ISO, and observe the secureboot violation:
 $ ./secureboot-vm -cdrom ubuntu-22.04.1-desktop-amd64.iso

* Disable secureboot so that the 22.04.1 ISO can boot (press ESC when the VM is starting to access the boot menu):
 $ ./secureboot-vm -cdrom ubuntu-22.04.1-desktop-amd64.iso -boot menu=on

* After disabling secureboot, the 22.04.1 ISO should boot. Select "Try Ubuntu", and install mokutil from jammy-proposed. Then, inside the live environment, set the verbosity level and instruct shim to delete the SBAT variable:
 $ sudo mokutil --set-verbosity true
 $ sudo mokutil --set-sbat-policy delete
 $ poweroff

* Boot 22.04.2 to grub again, which will delete the SBAT variable. Save the serial output to verify that the SBAT variable is deleted:
 $ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:jammy-boot.log
 $ grep -I sbat.c jammy-boot.log
 sbat.c:477:set_sbat_uefi_variable() SbatLevel variable is 25 bytes, attributes are 0x00000003
 sbat.c:479:set_sbat_uefi_variable() Deleting SbatLevel variable.
 sbat.c:512:set_sbat_uefi_variable() SbatLevel variable initialization succeeded

* Finally, re-enable secureboot and then boot into 22.04.1:
 $ ./secureboot-vm -cdrom ubuntu-22.04.1-desktop-amd64.iso -boot menu=on

* Select "Try Ubuntu", and once inside the live environment, double check that secureboot is enabled:
 $ mokutil --sb-state
 SecureBoot enabled

Test for Focal:

NOTE: I have not actually been able to reproduce a secureboot violation when booting focal media, so this test simply verifies that mokutil in focal can use the --set-sbat-policy option successfully.

* Boot 22.04.2 ISO to grub, and then poweroff the VM. This boots the latest shim, which revokes the grub,1 SBAT level:
 $ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso

* Disable secureboot and boot the 20.04.5 ISO (press ESC when the VM is starting to access the boot menu):
 $ ./secureboot-vm -cdrom ubuntu-20.04.5-desktop-amd64.iso -boot menu=on

* Select "Try Ubuntu", and install mokutil from focal-proposed. Then, inside the live environment, set the verbosity level and instruct shim to delete the SBAT variable:
 $ sudo mokutil --set-verbosity true
 $ sudo mokutil --set-sbat-policy delete
 $ poweroff

* Boot 22.04.2 to grub again, which will delete the SBAT variable. Save the serial output to verify that the SBAT variable is deleted:
 $ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:focal-boot.log
 $ grep -I sbat.c focal-boot.log
 sbat.c:477:set_sbat_uefi_variable() SbatLevel variable is 25 bytes, attributes are 0x00000003
 sbat.c:479:set_sbat_uefi_variable() Deleting SbatLevel variable.
 sbat.c:512:set_sbat_uefi_variable() SbatLevel variable initialization succeeded

Test for Bionic (same as Jammy but with 18.04.6 ISO):

* Boot 22.04.2 ISO to grub, and then poweroff the VM. This boots the latest shim, which revokes the grub,1 SBAT level:
 $ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso

* Attempt to boot the 18.04.6 ISO, and observe the secureboot violation:
 $ ./secureboot-vm -cdrom ubuntu-18.04.6-desktop-amd64.iso

* Disable secureboot so that the 18.04.6 ISO can boot (press ESC when the VM is starting to access the boot menu):
 $ ./secureboot-vm -cdrom ubuntu-18.04.6-desktop-amd64.iso -boot menu=on

* After disabling secureboot, the 18.04.6 ISO should boot. Select "Try Ubuntu", and install mokutil from bionic-proposed. Then, inside the live environment, set the verbosity level and instruct shim to delete the SBAT variable:
 $ sudo mokutil --set-verbosity true
 $ sudo mokutil --set-sbat-policy delete
 $ poweroff

* Boot 22.04.2 to grub again, which will delete the SBAT variable. Save the serial output to verify that the SBAT variable is deleted:
 $ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:bionic-boot.log
 $ grep -I sbat.c bionic-boot.log
 sbat.c:477:set_sbat_uefi_variable() SbatLevel variable is 25 bytes, attributes are 0x00000003
 sbat.c:479:set_sbat_uefi_variable() Deleting SbatLevel variable.
 sbat.c:512:set_sbat_uefi_variable() SbatLevel variable initialization succeeded

* Finally, re-enable secureboot and then boot into 18.04.6:
 $ ./secureboot-vm -cdrom ubuntu-18.04.6-desktop-amd64.iso -boot menu=on

* Select "Try Ubuntu", and once inside the live environment, double check that secureboot is enabled:
 $ mokutil --sb-state
 SecureBoot enabled

[Where problems could occur]

Since this SRU would backport an entire version to Jammy and Kinetic, I cannot practically examine all of the code changes to assess which features of mokutil have changed. The package only ships the mokutil binary and some documentation, so the regression potential is limited to the tool itself, which has a very limited and specific purpose.

[Other Info]

The entire purpose of the mokutil tool is to manage firmware entries that are read by MokManager, which is part of shim. Hence, it makes sense to keep shim and mokutil in lockstep, and this SRU could be considered HWE enablement. In particular, users need to be able to clear the SBAT level if needed to boot older install media.
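The Impact section explains why the December 2022 shim refuses older media (the firmware's SbatLevel variable now records a generation for grub that the older GRUB's .sbat section does not meet), and the test plan judges success by three `sbat.c:` lines in shim's verbose serial output. The following is an added example, not part of this bug report nor of mokutil or shim, that makes both checks mechanical: a small model of the per-component generation comparison that shim applies, and a parser that summarises the deletion messages from a saved boot log. The SbatLevel payload and the two GRUB .sbat sections are constructed for the example (chosen to be consistent with the 25-byte variable and the grub,1 revocation described above); real contents depend on the shim and GRUB builds. The log lines are copied from the test plan.

```python
"""Added example: model shim's SBAT generation check and parse the SbatLevel
messages from shim's verbose serial output. Not code from the bug, mokutil,
or shim; the SBAT payloads below are constructed."""
import re

# UEFI SetVariable attribute bits, used to decode the value shim logs.
EFI_VARIABLE_ATTRS = {
    0x1: "EFI_VARIABLE_NON_VOLATILE",
    0x2: "EFI_VARIABLE_BOOTSERVICE_ACCESS",
    0x4: "EFI_VARIABLE_RUNTIME_ACCESS",
}

# Constructed: a revocation level consistent with the page (grub generation 1
# revoked, 25-byte variable). Real contents depend on the shim build.
SAMPLE_SBAT_LEVEL = "sbat,1,2022111500\ngrub,2\n"

# Constructed: the .sbat section of an older and a newer GRUB build.
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
)
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,1,", "grub,2,")

# Copied from the serial log quoted in the test plan above.
SAMPLE_BOOT_LOG = """\
sbat.c:477:set_sbat_uefi_variable() SbatLevel variable is 25 bytes, attributes are 0x00000003
sbat.c:479:set_sbat_uefi_variable() Deleting SbatLevel variable.
sbat.c:512:set_sbat_uefi_variable() SbatLevel variable initialization succeeded
"""


def parse_sbat_csv(text):
    """Map component name -> generation for every CSV record whose second
    field is a numeric generation; any other line is skipped."""
    levels = {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) >= 2 and fields[1].isdigit():
            levels[fields[0]] = int(fields[1])
    return levels


def sbat_check(level_csv, component_csv):
    """Model of shim's SBAT revocation check: for each name in the recorded
    level that the component also declares, the component's generation must
    be at least the recorded one. Returns (allowed, violations). An empty
    level (the variable was deleted) revokes nothing."""
    level = parse_sbat_csv(level_csv)
    component = parse_sbat_csv(component_csv)
    violations = [
        f"{name}: has generation {component[name]}, level requires {needed}"
        for name, needed in level.items()
        if name in component and component[name] < needed
    ]
    return (not violations, violations)


LOG_RE = re.compile(r"^sbat\.c:\d+:set_sbat_uefi_variable\(\) (?P<msg>.*)$")
SIZE_RE = re.compile(r"SbatLevel variable is (\d+) bytes, attributes are 0x([0-9a-fA-F]+)")


def check_delete_log(log_text):
    """Summarise the SbatLevel messages in shim's verbose serial output: the
    variable's size and attributes before the policy ran, whether a deletion
    was logged, and whether shim reported the variable initialised afterwards."""
    summary = {"size": None, "attributes": None, "attribute_names": [],
               "deleted": False, "initialized": False}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        s = SIZE_RE.match(msg)
        if s:
            summary["size"] = int(s.group(1))
            summary["attributes"] = int(s.group(2), 16)
            summary["attribute_names"] = [
                name for bit, name in EFI_VARIABLE_ATTRS.items()
                if summary["attributes"] & bit
            ]
        elif msg.startswith("Deleting SbatLevel variable"):
            summary["deleted"] = True
        elif msg.endswith("initialization succeeded"):
            summary["initialized"] = True
    return summary


def delete_policy_applied(log_text):
    """True when the log shows the delete policy was honoured: a deletion
    message and a subsequent successful initialisation."""
    s = check_delete_log(log_text)
    return s["deleted"] and s["initialized"]


if __name__ == "__main__":
    print("old GRUB under level:", sbat_check(SAMPLE_SBAT_LEVEL, OLD_GRUB_SBAT))
    print("new GRUB under level:", sbat_check(SAMPLE_SBAT_LEVEL, NEW_GRUB_SBAT))
    print("old GRUB, level deleted:", sbat_check("", OLD_GRUB_SBAT))
    print("boot log:", check_delete_log(SAMPLE_BOOT_LOG))
```

Run against the quoted log, the decoded attributes are NON_VOLATILE and BOOTSERVICE_ACCESS with no RUNTIME_ACCESS bit, which is why the test plan verifies the deletion from the serial log captured during shim's execution rather than by reading the variable from the booted live system.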


Steve Langasek (vorlon)
Changed in mokutil (Ubuntu):
importance: Undecided → High
tags: added: fr-4055
Changed in mokutil (Ubuntu Focal):
importance: Undecided → High
Changed in mokutil (Ubuntu Jammy):
importance: Undecided → High
Nick Rosbrook (enr0n) wrote :
description: updated
Nick Rosbrook (enr0n)
description: updated
Nick Rosbrook (enr0n)
description: updated
Julian Andres Klode (juliank) wrote :

Uploads sponsored w/ minor adjustment to reduce debian/compat to 12 in focal as well, matching the depends, as lintian complained about level 13 not being ready then yet. Build output is binary identical.

$ md5sum {~/Downloads,..}/mokutil_0.6.0-2~20.04.1_amd64.deb
f0db822020bf68509153e4e900037362 /home/jak/Downloads/mokutil_0.6.0-2~20.04.1_amd64.deb
f0db822020bf68509153e4e900037362 ../mokutil_0.6.0-2~20.04.1_amd64.deb

Changed in mokutil (Ubuntu Focal):
status: New → In Progress
Changed in mokutil (Ubuntu Jammy):
status: New → In Progress
no longer affects: mokutil (Ubuntu)
Steve Langasek (vorlon) wrote :

 Package: mokutil
-Architecture: any-amd64 any-arm any-arm64 any-i386 any-ia64 any-riscv64
+Architecture: any
 Depends: ${shlibs:Depends}, ${misc:Depends}
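Review bot: the widening from the explicit architecture list to `Architecture: any` is not explained next to this hunk; the rationale appears only in the Debian changelog quoted later on this page (0.6.0-1 and 0.6.0-2, "switch to Arch: any to allow for more architectures", Closes: #987613), so the SRU changelog entry should cite it. The same change is what later leaves the build in dep-wait on ppc64el, riscv64 and s390x, which is acceptable only because those architectures were not built before; recording that in the SRU bug avoids the question being re-raised at release time.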

Not clear why that packaging change is desirable. But in practice it won't change the set of architectures where this builds successfully, so <shrug>

Changed in mokutil (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-jammy
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted mokutil into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.6.0-2~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Nick Rosbrook (enr0n) wrote :

I have verified this using mokutil 0.6.0-2~22.04.1 from jammy-proposed:

Inside the VM:

ubuntu@ubuntu:~$ apt-cache policy mokutil
mokutil:
  Installed: 0.6.0-2~22.04.1
  Candidate: 0.6.0-2~22.04.1
  Version table:
 *** 0.6.0-2~22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     0.4.0-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
ubuntu@ubuntu:~$ sudo mokutil --set-verbosity true
ubuntu@ubuntu:~$ sudo mokutil --set-sbat-policy delete

Booting to 22.04.2 grub again:

nr@six:/t/test-lp2015664$ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:jammy-boot.log
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:jammy-boot.log
^Cqemu: terminating on signal 2
nr@six:/t/test-lp2015664$ grep -I sbat.c jammy-boot.log
sbat.c:477:set_sbat_uefi_variable() SbatLevel variable is 25 bytes, attributes are 0x00000003
sbat.c:479:set_sbat_uefi_variable() Deleting SbatLevel variable.
sbat.c:512:set_sbat_uefi_variable() SbatLevel variable initialization succeeded

Inside 22.04.1 VM after re-enabling secureboot:

ubuntu@ubuntu:/$ mokutil --sb-state
SecureBoot enabled
ubuntu@ubuntu:/$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

tags: added: verification-done-jammy
removed: verification-needed-jammy
Steve Langasek (vorlon) wrote :

Hello Steve, or anyone else affected,

Accepted mokutil into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.6.0-2~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in mokutil (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.6.0-2~22.04.1

---------------
mokutil (0.6.0-2~22.04.1) jammy; urgency=medium

  * Backport 0.6.0-2 to jammy (LP: #2015664).

 -- Nick Rosbrook <email address hidden> Wed, 26 Apr 2023 09:56:23 -0400

Changed in mokutil (Ubuntu Jammy):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for mokutil has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Nick Rosbrook (enr0n) wrote (last edit):

I have verified this using mokutil 0.6.0-2~20.04.1 from focal-proposed:

Edit: I omitted this for brevity initially, but to avoid any confusion for SRU reviewers:

Boot 22.04.2 ISO and kill the VM after grub is reached:

nr@six:/t/test-lp2015664$ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ qemu-img create -f qcow2 test.img 20G
Formatting 'test.img', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=21474836480 lazy_refcounts=off refcount_bits=16
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ cp /usr/share/OVMF/OVMF_VARS_4M.ms.fd OVMF_VARS_4M.ms.fd
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-22.04.2-desktop-amd64.iso
^Cqemu: terminating on signal 2

Now boot 20.04.5 ISO and disable secureboot before grub is loaded. After that, continue booting into live Ubuntu environment:

nr@six:/t/test-lp2015664$ ./secureboot-vm -cdrom ubuntu-20.04.5-desktop-amd64.iso -boot menu=on
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-20.04.5-desktop-amd64.iso -boot menu=on

From inside the VM:

ubuntu@ubuntu:~$ apt-cache policy mokutil
mokutil:
  Installed: 0.6.0-2~20.04.1
  Candidate: 0.6.0-2~20.04.1
  Version table:
 *** 0.6.0-2~20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     0.3.0+1538710437.fb6250f-1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
ubuntu@ubuntu:~$ sudo mokutil --set-verbosity true
ubuntu@ubuntu:~$ sudo mokutil --set-sbat-policy delete

Booting to 22.04.2 grub again:

nr@six:/t/test-lp2015664$ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso -serial file:focal-boot.log
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
...


tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Robie Basak (racb) wrote :

Thank you for the Focal verification!

The build is in dep-wait for ppc64el, riscv64 and s390x, but as with Jammy that's fine because I see these architectures weren't built before so there is no regression.

However, i386 _was_ built before, and now it isn't. If I release this then the old i386 binary will remain in the apt archive and I think will become NBS. Do we need to also build the i386 binary? Or, if exceptionally this is correct as-is, then please could that be documented with an AA sign-off for the NBS?

Steve Langasek (vorlon) wrote :

It is not built on i386 because no build record was created, because mokutils is not in the i386 whitelist for focal. It was *built* for the focal release pocket but was subject to binary removal per https://launchpad.net/ubuntu/focal/i386/mokutil and was not actually shipped in focal.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.6.0-2~20.04.1

---------------
mokutil (0.6.0-2~20.04.1) focal; urgency=medium

  * Backport 0.6.0-2 to focal (LP: #2015664).
  * Drop debhelper version to 12 to build on focal.

 -- Nick Rosbrook <email address hidden> Wed, 12 Apr 2023 13:59:25 -0400

Changed in mokutil (Ubuntu Focal):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote :

I hadn't considered the i386 special casing. Thank you for clarifying! So this is fine to release then, which I've just done.

Steve Langasek (vorlon) wrote :

New shim is also being published to bionic (in the main archive, not ESM), so we need the mokutils SRUed to bionic as well.

tags: added: foundations-todo
Steve Langasek (vorlon)
Changed in mokutil (Ubuntu Bionic):
status: New → Triaged
importance: Undecided → High
Nick Rosbrook (enr0n)
description: updated
description: updated
Steve Langasek (vorlon)
Changed in mokutil (Ubuntu Bionic):
status: Triaged → In Progress
assignee: nobody → Steve Langasek (vorlon)
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Steve, or anyone else affected,

Accepted mokutil into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mokutil/0.6.0-2~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in mokutil (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done
Nick Rosbrook (enr0n) wrote :

I have verified the fix using mokutil 0.6.0-2~18.04.1 from bionic-proposed:

* Boot 22.04.2 ISO:

nr@six:/t/tmp.iHWPr6jPZI$ ./secureboot-vm -cdrom ubuntu-22.04.2-desktop-amd64.iso
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ qemu-img create -f qcow2 test.img 20G
Formatting 'test.img', fmt=qcow2 cluster_size=65536 extended_l2=off compression_type=zlib size=21474836480 lazy_refcounts=off refcount_bits=16
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ cp /usr/share/OVMF/OVMF_VARS_4M.ms.fd OVMF_VARS_4M.ms.fd
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-22.04.2-desktop-amd64.iso
^Cqemu: terminating on signal 2

* Boot 18.04.6 ISO and observe secureboot violation:

nr@six:/t/tmp.iHWPr6jPZI$ ./secureboot-vm -cdrom ubuntu-18.04.6-desktop-amd64.iso
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom ubuntu-18.04.6-desktop-amd64.iso
^Cqemu: terminating on signal 2

* Disable secureboot and continue into live system:

nr@six:/t/tmp.iHWPr6jPZI$ ./secureboot-vm -cdrom ubuntu-18.04.6-desktop-amd64.iso -boot menu=on
+ MACHINE_NAME=test
+ QEMU_IMG=test.img
+ SSH_PORT=5555
+ OVMF_CODE=/usr/share/OVMF/OVMF_CODE_4M.ms.fd
+ OVMF_VARS_ORIG=/usr/share/OVMF/OVMF_VARS_4M.ms.fd
++ basename /usr/share/OVMF/OVMF_VARS_4M.ms.fd
+ OVMF_VARS=OVMF_VARS_4M.ms.fd
+ '[' '!' -e test.img ']'
+ '[' '!' -e OVMF_VARS_4M.ms.fd ']'
+ qemu-system-x86_64 -enable-kvm -cpu host -smp cores=4,threads=1 -m 4096 -object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0 -name test -drive file=test.img,format=qcow2 -net nic,model=virtio -net user,hostfwd=tcp::5555-:22 -vga virtio -machine q35,smm=on -global driver=cfi.pflash01,property=secure,value=on -drive if=pflash,format=raw,unit=0,file=/usr/share/OVMF/OVMF_CODE_4M.ms.fd,readonly=on -drive if=pflash,format=raw,unit=1,file=OVMF_VARS_4M.ms.fd -cdrom...


tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mokutil - 0.6.0-2~18.04.1

---------------
mokutil (0.6.0-2~18.04.1) bionic; urgency=medium

  * Backport 0.6.0-2 to bionic (LP: #2015664).
    - debian/control,debian/compat: Drop debhelper version to 11
      to build on bionic.
    - debian/patches/manually-define-LIBKEYUTILS-make-vars.patch: Workaround
      missing libkeyutils.pc in bionic.

mokutil (0.6.0-2) unstable; urgency=medium

  * *Actually* switch to Arch: any to allow for more
    architectures. :-( Closes: #987613.

mokutil (0.6.0-1) unstable; urgency=medium

  * Move to new upstream version 0.6.0.
    + Drop old patches, no longer needed.
  * Switch to Arch: any to allow for more architectures.
    Closes: #987613, #991933.
  * Clean up old tweaks in debian/rules, no longer needed.
  * Add build-dep on libkeyutils-dev, new dependency.
  * Bump Standards-Version to 4.6.1, no changes needed.

mokutil (0.4.0-1) unstable; urgency=medium

  * Take mokutil under the wing of efi-team.
    Thanks to Simon for his work previously, added him as an uploader
  * Import the upstream source
  * Move to new upstream version 0.4.0. Closes: #925223
    + Includes manpage fixes. Closes: #930759
  * Fix compiler warnings about potential unaligned pointers
  * Update packaging:
    + Raise debhelper-compat to 13
    + Raise Standards-Version to 4.5.1
    + Remove now-redundant build-dep on dh-autoreconf

mokutil (0.3.0+1538710437.fb6250f-1) unstable; urgency=medium

  * Upload to Debian (Closes: #925471).
  * Adopt the package; thanks to Steve Langasek for your work!
  * Update Vcs-* to reflect the move to Salsa.

 -- Nick Rosbrook <email address hidden> Wed, 07 Jun 2023 14:14:30 -0400

Changed in mokutil (Ubuntu Bionic):
status: Fix Committed → Fix Released
Benjamin Drung (bdrung)
tags: removed: foundations-todo