shim 15.7 and key rotation woes

Steve Langasek steve.langasek at ubuntu.com
Sat Jan 28 07:14:46 UTC 2023


On Thu, Jan 19, 2023 at 04:34:49PM +0100, Julian Andres Klode wrote:

> Now how do we enforce that we don't update the shim on the ESP when we
> don't have kernels trusted by it? One thing is clear: In the
> maintainer script we need to check which kernels are signed by our CA
> and see if all of them are in the revoked kernels (if you only have
> self-signed kernels, or no signed kernels or whatever we don't care
> about it in the context of this key revocation).

> Option 1: Fail in preinst

> This breaks a large apt upgrade in the middle leading to apport errors
> and unconfigured packages on the system as apt doesn't complete
> unrelated tasks necessarily.

> Option 3: Alternatives

> We ship both the latest and previous shim in shim-signed, install them
> both as alternatives. If trusted kernels are around, the 'latest'
> alternative gets priority 100 and the 'previous' gets priority 50;
> without trusted kernels the priorities are reversed.

> We then add a kernel postinst.d hook that swaps the priorities and
> reconfigures shim-signed (installs it to the ESP) when a trusted
> kernel is being installed.

I am personally not convinced that it was necessary to avoid failing in the
preinst.  Given that kernels are always published to -security and security
updates are by default installed automatically on a frequent cadence, I
don't think the incidence of users having failures in the preinst would have
been very high, and that even users who encountered the preinst failure
would have done so as part of small upgrades within a release, not large
upgrades where the preinst failure causes significant problems in
recovering.

However, you've implemented option 3 and, having reviewed it from an SRU
perspective, I can't find fault with the implementation.  So we'll move
forward with this approach.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
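The Option 3 logic quoted above (decide whether every CA-signed kernel on the system is revoked by the new shim, set the alternatives priorities accordingly, and have the kernel postinst.d hook flip them when a trusted kernel arrives), written out as an added stand-alone sketch in POSIX shell. It is not code from this thread or from Ubuntu's shim-signed package: the kernel version lists, the alternative name and the file paths are constructed placeholders, and the update-alternatives and reconfigure commands are printed rather than executed so it runs on any machine.

```shell
#!/bin/sh
# Added illustration of the check described in the quoted Option 3; this is
# not the thread's code nor Ubuntu's shim-signed maintainer scripts.
#
# Constructed assumptions:
#  - the list of kernels "signed by our CA" and the list "revoked by the new
#    shim" are passed in as space-separated version strings (a real package
#    would derive them from the installed images and the shim's revocation data)
#  - alternative names and file paths below are placeholders, not the
#    package's real layout

# all_trusted_revoked SIGNED REVOKED
# Prints "yes" when every CA-signed kernel in SIGNED appears in REVOKED, i.e.
# installing the new shim would leave nothing bootable; "no" otherwise.
# An empty SIGNED list yields "no": with no CA-signed kernels installed the
# revocation does not matter, as the quoted message says.
all_trusted_revoked() {
    signed=$1
    revoked=$2
    if [ -z "$signed" ]; then
        echo no
        return 0
    fi
    for k in $signed; do
        found=no
        for r in $revoked; do
            if [ "$k" = "$r" ]; then
                found=yes
            fi
        done
        if [ "$found" = no ]; then
            echo no
            return 0
        fi
    done
    echo yes
}

# shim_priorities SIGNED REVOKED
# Prints "<latest-priority> <previous-priority>" for update-alternatives:
# "100 50" when a trusted, still-bootable kernel exists, "50 100" when not.
shim_priorities() {
    if [ "$(all_trusted_revoked "$1" "$2")" = yes ]; then
        echo "50 100"
    else
        echo "100 50"
    fi
}

# register_alternatives LATEST_PRIO PREVIOUS_PRIO
# Shows the two update-alternatives invocations a maintainer script would run.
# They are echoed rather than executed so this file runs anywhere.
register_alternatives() {
    alt_link=/usr/lib/shim/shimx64.efi.signed   # placeholder path
    alt_name=shimx64.efi.signed                 # placeholder alternative name
    echo "update-alternatives --install $alt_link $alt_name $alt_link.latest $1"
    echo "update-alternatives --install $alt_link $alt_name $alt_link.previous $2"
}

# kernel_postinst_hook NEW_KERNEL SIGNED REVOKED
# Models the kernel postinst.d hook from the quoted message: with the new
# kernel added to the installed set, recompute the priorities; if they change,
# the hook must swap them and reconfigure shim-signed (install to the ESP).
kernel_postinst_hook() {
    before=$(shim_priorities "$2" "$3")
    after=$(shim_priorities "$2 $1" "$3")
    if [ "$before" != "$after" ]; then
        echo reconfigure
    else
        echo noop
    fi
}

# Constructed sample data: two CA-signed kernels installed, both revoked by
# the new shim, plus an unrelated revoked version.
CA_SIGNED_KERNELS="5.15.0-56 5.15.0-58"
REVOKED_KERNELS="5.15.0-56 5.15.0-58 5.4.0-100"

prios=$(shim_priorities "$CA_SIGNED_KERNELS" "$REVOKED_KERNELS")
echo "priorities (latest previous): $prios"   # 50 100: the previous shim wins
register_alternatives $prios                  # intentionally unquoted: two words
echo "hook after installing 5.15.0-60: $(kernel_postinst_hook 5.15.0-60 "$CA_SIGNED_KERNELS" "$REVOKED_KERNELS")"   # reconfigure
```

The one subtlety worth keeping from the quoted design is the empty-list case: a machine with only self-signed or unsigned kernels must not be held back on the old shim, so "nothing CA-signed" counts as "safe to move forward", not as "everything revoked".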