[Bug 1856422] [NEW] always call mokutil with --timeout -1 when enrolling dkms keys
Steve Langasek
steve.langasek at canonical.com
Sun Dec 15 01:08:36 UTC 2019
Public bug reported:

The version of MokManager currently in xenial-updates and later supports
a MokTimeout variable, which can be set with mokutil --timeout, to
control how long MokManager waits for input instead of having a
hard-coded timeout of 10 seconds.

If the timeout is reached on boot with no input, MokManager clears the
MOK requests and passes control back to shim, which falls back to
booting the OS.

So if you miss seeing MokManager on boot, you have to restart the key
enrollment process from the OS and reboot again.

When we are invoking mokutil automatically on behalf of the user as part
of key generation for dkms modules, we should disable the timeout. We
should never leave the user with broken dkms modules on the system
because they were looking away from the console at the wrong point in
time during a reboot.

** Affects: shim-signed (Ubuntu)
Importance: Undecided
Status: New
** Affects: ubiquity (Ubuntu)
Importance: Undecided
Status: New
** Affects: shim-signed (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: ubiquity (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: shim-signed (Ubuntu Eoan)
Importance: Undecided
Status: New
** Affects: ubiquity (Ubuntu Eoan)
Importance: Undecided
Status: Won't Fix
** Also affects: ubiquity (Ubuntu)
Importance: Undecided
Status: New
** Also affects: ubiquity (Ubuntu Eoan)
Importance: Undecided
Status: New
** Also affects: shim-signed (Ubuntu Eoan)
Importance: Undecided
Status: New
** Also affects: ubiquity (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: shim-signed (Ubuntu Bionic)
Importance: Undecided
Status: New
** Description changed:
- The version of MokManager currently in all releases supports a
- MokTimeout variable, which can be set with mokutil --timeout, to control
- how long MokManager waits for input instead of having a hard-coded
- timeout of 10 seconds.
+ The version of MokManager currently in xenial-updates and later supports
+ a MokTimeout variable, which can be set with mokutil --timeout, to
+ control how long MokManager waits for input instead of having a hard-
+ coded timeout of 10 seconds.
If the timeout is reached on boot with no input, MokManager clears the
MOK requests and passes control back to shim, which falls back to
booting the OS.
So if you miss seeing MokManager on boot, you have to restart the key
enrollment process from the OS and reboot again.
When we are invoking mokutil automatically on behalf of the user as part
of key generation for dkms modules, we should disable the timeout. We
should never leave the user with broken dkms modules on the system
because they were looking away from the console at the wrong point in
time during a reboot.
** Changed in: ubiquity (Ubuntu Eoan)
Status: New => Won't Fix
https://bugs.launchpad.net/bugs/1856422
Title:
always call mokutil with --timeout -1 when enrolling dkms keys
Status in shim-signed package in Ubuntu:
New
Status in ubiquity package in Ubuntu:
New
Status in shim-signed source package in Bionic:
New
Status in ubiquity source package in Bionic:
New
Status in shim-signed source package in Eoan:
New
Status in ubiquity source package in Eoan:
Won't Fix
More information about the foundations-bugs
mailing list
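
The call order the report asks for, sketched as an added shell example; it is not code from shim-signed, ubiquity or the bug reporter. The function name, the `MOKUTIL` override variable, the return codes and the choice to abort when the timeout cannot be disabled are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from shim-signed or ubiquity): queue a MOK enrollment
# request only after MokManager's input timeout has been disabled.

# MOKUTIL may be overridden to point at a stub (assumption, for testing).
: "${MOKUTIL:=mokutil}"

# enroll_mok_no_timeout DER_CERT   (hypothetical helper name)
#   Returns 0 when the request is queued, 2 on an unreadable certificate,
#   3 when the timeout could not be disabled, 4 when the import failed.
enroll_mok_no_timeout() {
    der="$1"
    if [ -z "$der" ] || [ ! -r "$der" ]; then
        echo "enroll_mok_no_timeout: cannot read certificate '$der'" >&2
        return 2
    fi

    # Disable the timeout before queuing anything, so a request is never
    # left pending with the 10-second default. Aborting on failure here is
    # a choice made for this example, not behaviour stated in the report.
    if ! "$MOKUTIL" --timeout -1; then
        echo "enroll_mok_no_timeout: could not set MokTimeout" >&2
        return 3
    fi

    # mokutil itself prompts for the one-time enrollment password.
    if ! "$MOKUTIL" --import "$der"; then
        echo "enroll_mok_no_timeout: import of '$der' failed" >&2
        return 4
    fi

    echo "Enrollment queued; MokManager will wait for input on next boot."
}
```

Both mokutil calls write EFI variables, so the function needs root on a UEFI system.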