[Bug 1673904] Re: update-secureboot-policy --enable does not work after dkms modules removed

Steve Langasek steve.langasek at canonical.com
Thu Jul 13 21:02:47 UTC 2017


Hello Steve, or anyone else affected,

Accepted shim-signed into yakkety-proposed. The package will build now
and be available at
https://launchpad.net/ubuntu/+source/shim-signed/1.32~16.10.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-yakkety to verification-done-yakkety. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-yakkety. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: shim-signed (Ubuntu Yakkety)
       Status: New => Fix Committed

** Tags added: verification-needed-yakkety

** Changed in: shim-signed (Ubuntu Xenial)
       Status: New => Fix Committed

** Tags added: verification-needed-xenial

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1673904

Title:
  update-secureboot-policy --enable does not work after dkms modules
  removed

Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Xenial:
  Fix Committed
Status in shim-signed source package in Yakkety:
  Fix Committed
Status in shim-signed source package in Zesty:
  Fix Committed

Bug description:
  [Impact]
  Re-enabling Secure Boot after DKMS packages are no longer needed is useful to benefit from the extra security afforded by having all bits of the bootloader and kernel signed by a proper key.

  [Test Case]
  (on a system with SHIM validation disabled)
  1- Remove all dkms modules
  2- Attempt to run 'sudo update-secureboot-policy --enable'
  3- Observe the behavior.

  With the fixed update-secureboot-policy script, you should be prompted
  to re-enable shim validation; which is otherwise skipped with no
  output with previous versions of the script in shim-signed.

  [Regression Potential]
  Possible regression from this update would be changes to expected behavior of the update-secureboot-policy script; such as being unable to correctly recognize the current state of Secure Boot and shim validation, or incorrectly returning before prompting for the password required to toggle shim validation when it makes sense for the shim validation state to be changed (i.e. prompting to enable only when it is disabled, prompting to disable only if it is currently enabled). Any change in proper prompting in a debconf non-interactive context could also be a regression from this update.

  ---

  If I have disabled secureboot on my system via
  update-secureboot-policy due to the presence of dkms modules, but
  subsequently remove these dkms modules because I decide I don't like
  not having secureboot, I cannot re-enable SB by running
  'update-secureboot-policy --enable'.

  I think either the check for /var/lib/dkms should only apply when
  update-secureboot-policy is called without arguments, or this check
  should be encoded in the shim-signed postinst so that manual calls
  from the commandline DWIM.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1673904/+subscriptions
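As an added illustration, not code from shim-signed or from anyone in this thread, the following POSIX shell function models the decision the bug asks update-secureboot-policy to make: the DKMS-modules check is consulted only when the script is invoked without arguments, while an explicit --enable or --disable is decided solely from the current shim validation state, so that removing the DKMS modules no longer leaves '--enable' silently doing nothing. The invocation mode, validation state and DKMS module count are passed in as parameters so the function runs offline; how the real script reads that state from the system (mokutil, the /var/lib/dkms tree) is assumed and not modelled here.

```shell
#!/bin/sh
# Model of the prompting decision in update-secureboot-policy (added
# illustration, not the shim-signed script). State is passed explicitly
# instead of being read from mokutil or /var/lib/dkms, so this runs anywhere.
#
#   $1  mode: "auto" (no CLI argument, e.g. the postinst path), "enable", "disable"
#   $2  current shim validation state: "enabled" or "disabled"
#   $3  number of installed DKMS modules (non-negative integer)
#
# Prints one of: prompt-enable, prompt-disable, nothing. Returns 1 on bad input.
decide_secureboot_action() {
    mode=$1
    validation=$2
    dkms_count=$3

    case $mode in
        auto)
            # Only the argument-less (maintainer-script) path looks at DKMS:
            # unsigned third-party modules will not load under validation,
            # so offer to turn it off when such modules are present.
            if [ "$dkms_count" -gt 0 ] && [ "$validation" = enabled ]; then
                echo prompt-disable
            else
                echo nothing
            fi
            ;;
        enable)
            # Explicit request: the DKMS check must not short-circuit it.
            # This is the reporter's case; before the fix it produced no output.
            if [ "$validation" = disabled ]; then
                echo prompt-enable
            else
                echo nothing   # already enabled, do not prompt for a password
            fi
            ;;
        disable)
            # Mirror image: only prompt to disable if validation is on.
            if [ "$validation" = enabled ]; then
                echo prompt-disable
            else
                echo nothing
            fi
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# The scenario from the bug: DKMS modules removed, validation still disabled,
# user runs the equivalent of 'update-secureboot-policy --enable'.
decide_secureboot_action enable disabled 0
```

The key property is that only the `auto` branch inspects the DKMS count; both explicit modes depend on the validation state alone, which is also what the [Regression Potential] paragraph says a correct script must preserve (prompt to enable only when disabled, prompt to disable only when enabled).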



More information about the foundations-bugs mailing list