[MIR] secureboot-db

Bug #1087843 reported by Jamie Strandboge
This bug affects 1 person
Affects                  | Status       | Importance | Assigned to | Milestone
grub2-signed (Ubuntu)    | Fix Released | Undecided  | Unassigned  |
  Precise                | Fix Released | Undecided  | Unassigned  |
  Quantal                | Fix Released | Undecided  | Unassigned  |
  Raring                 | Fix Released | Undecided  | Unassigned  |
secureboot-db (Ubuntu)   | Fix Released | Undecided  | Adam Conrad |
  Precise                | Fix Released | Undecided  | Adam Conrad |
  Quantal                | Fix Released | Undecided  | Adam Conrad |
  Raring                 | Fix Released | Undecided  | Adam Conrad |
shim-signed (Ubuntu)     | Fix Released | Undecided  | Unassigned  |
  Precise                | Fix Released | Undecided  | Unassigned  |
  Quantal                | Won't Fix    | Undecided  | Unassigned  |
  Raring                 | Fix Released | Undecided  | Unassigned  |

Bug Description

Availability: The package is in universe in 13.04 (pending bug #1081700)

Rationale: This package is provided as part of Ubuntu's secure boot strategy and will also be backported to 12.04 LTS and 12.10 as part of https://blueprints.launchpad.net/ubuntu/+spec/foundations-r-secure-boot.

Security: The package is new and has no security history. It is also simple and only ships data and runs sbkeysync in postinstall.

Quality assurance: there is no special configuration. Install the package and updates to DB and DBX are automatically performed in postinst via sbkeysync. There are no debconf questions or outstanding bugs. The package is for Ubuntu only, which is why it uses native packaging. There is no testsuite as there is no code to test. The package is lintian clean. The package ships a README.source which details how to add new signed updates to the package and testing procedures are documented and given to Foundations, QA, Security and PES.

UI standards: N/A

Dependencies: the package has a binary dependency on sbsigntool, which is already in main.

Standards compliance: The package meets FHS and Debian Policy standards.

Maintenance: The package will be maintained by Ubuntu Foundations and Ubuntu Security.

Background information: In order to properly support secure boot, we need a method to update the DB and DBX key databases to support key rotation and blacklisting.

affects: Ubuntu Precise → secureboot-db (Ubuntu Precise)
Jamie Strandboge (jdstrand) wrote :

I accepted these for all releases today in an effort to push this along (they are essentially empty packages at this point) and knowing they were going to get an MIR review.

Adam Conrad (adconrad) wrote :

After some back and forth on IRC with Jamie, this all looks fine to me. I'll be pre-promoting it in all releases, and we need to get bits depending on it. Adding tasks for grub2-signed and shim-signed.

Adam Conrad (adconrad)
Changed in secureboot-db (Ubuntu Precise):
assignee: nobody → Adam Conrad (adconrad)
status: New → Fix Released
Changed in secureboot-db (Ubuntu Quantal):
assignee: nobody → Adam Conrad (adconrad)
status: New → Fix Released
Changed in secureboot-db (Ubuntu Raring):
assignee: nobody → Adam Conrad (adconrad)
status: New → Fix Released
Adam Conrad (adconrad) wrote : Please test proposed package

Hello Jamie, or anyone else affected,

Accepted grub2-signed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2-signed/1.9~ubuntu12.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2-signed (Ubuntu Precise):
status: New → Fix Committed
tags: added: verification-needed
Changed in grub2-signed (Ubuntu Quantal):
status: New → Fix Committed
Adam Conrad (adconrad) wrote :

Hello Jamie, or anyone else affected,

Accepted grub2-signed into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/grub2-signed/1.9ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.11

---------------
grub2-signed (1.11) raring; urgency=low

  * Rebuild against grub-efi-amd64 2.00-12ubuntu1.
  * Recommend secureboot-db (LP: #1087843).
 -- Colin Watson <email address hidden> Mon, 04 Feb 2013 17:24:58 +0000

Changed in grub2-signed (Ubuntu Raring):
status: New → Fix Released
Colin Watson (cjwatson) wrote :

Stéphane Graber reported that the new grub-efi-amd64-signed was fine for him (on precise, but secureboot-db is currently simple enough that I'm happy for that to cover both). Since this is currently indirectly blocking 12.04.2 validation, I'm going to promote this to -updates ahead of the usual schedule.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.9~ubuntu12.04.3

---------------
grub2-signed (1.9~ubuntu12.04.3) precise; urgency=low

  * Build against grub-efi-amd64 1.99-21ubuntu3.9.
  * Recommend secureboot-db (LP: #1087843).
 -- Colin Watson <email address hidden> Mon, 04 Feb 2013 17:21:45 +0000

Changed in grub2-signed (Ubuntu Precise):
status: Fix Committed → Fix Released
Colin Watson (cjwatson)
tags: added: verification-done
removed: verification-needed
Colin Watson (cjwatson) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.9.1

---------------
grub2-signed (1.9.1) quantal; urgency=low

  * Recommend secureboot-db (LP: #1087843).
 -- Colin Watson <email address hidden> Mon, 04 Feb 2013 20:42:12 +0000

Changed in grub2-signed (Ubuntu Quantal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.2

---------------
shim-signed (1.2) raring; urgency=low

  * Recommend secureboot-db (LP: #1087843).
 -- Colin Watson <email address hidden> Sat, 16 Feb 2013 00:02:00 +0000

Changed in shim-signed (Ubuntu Raring):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.4

---------------
shim-signed (1.4) trusty; urgency=low

  * Add a dependency on shim, so that we can pull in MokManager for use.
  * Update to the signed 0.4-0ubuntu4 binary from Microsoft.
 -- Steve Langasek <email address hidden> Wed, 30 Oct 2013 15:04:23 -0700

Changed in shim-signed (Ubuntu Precise):
status: New → Fix Released
Rolf Leggewie (r0lf) wrote :

quantal has seen the end of its life and is no longer receiving any updates. Marking the quantal task for this ticket as "Won't Fix".

Changed in shim-signed (Ubuntu Quantal):
status: New → Won't Fix