Secure Boot work for 14.04

Registered by Steve Langasek

There's more work to be done to polish our Secure Boot story for 14.04. Blueprint to capture this work.

Blueprint information

Not started
Steve Langasek
Steve Langasek
Needs approval
Series goal:
Accepted for trusty
Milestone target:

Related branches



* Colin will get a new grub2 upstream snapshot, which may fix the ipv6 netboot issues and if not provides a better base for debugging
= Things done for 12.04.4 =
 * updated to shim 0.4. This addresses a number of firmware compatibility issues seen in the early prerelease version that was included in 12.04.3.
 * included a patch to silence shim during normal operation, in keeping with Ubuntu's policy of a silent-by-default boot and fixing errors on Lenovo firmware implementations in particular
 * integrated MokManager support, to make it easier for users to enable signature enforcement with local kernel and kernel module builds
 * IPv4 netboot support
= Work planned for 14.04 =
 * Integration of shim fallback.efi, which brings support for recovering the boot options for a system after a disk is moved between machines or when the firmware has been wiped
 * Integrate support for making kernel signature enforcement an option recorded in nvram, so that users have finer-grained control over SB enforcement without needing to navigate vendor-specific firmware UIs
= May do for 14.04 =
 * IPv6 SecureBoot netboot support (requires fixes to grub2 upstream)
 * update to shim upstream 0.5 (or later)
 * improving the installer UI under UEFI: currently you get a stock GRUB2 boot menu instead of the installer boot GUI with option menus
 * integration of mokutil in the userspace (e.g., dkms integration, grub-install integration)
 * Add support for rebooting into the firmware menu (for those systems using fast boot) (not strictly SB related but tends to come hand in hand)
  * this already exists.
  - where is it? grub-menu option? oh yeah, it's in grub, nevermind (just remembered seeing it now ;))
  - "System setup" starts fwsetup which causes the system to reboot into the firmware menu

= Qemu testing =
* Daily builds of OVMF:


Work Items

Work items for ubuntu-14.04:
[cjwatson] investigate improvements to the installer boot UI under UEFI: TODO
[cjwatson] grub2 new upstream snapshot: DONE
[vorlon] review shim 0.5 upstream for potential inclusion: TODO
[vorlon] proof-of-concept mokutil integration for dkms, grub-install: TODO
[vorlon] follow up with Linux SB folks about nvram flags, and what will honor them (for kernel modules signature enforcement and kernel image signature enforcement): TODO
[vorlon] follow up on persistent nvram support in ovmf: TODO

Work items for ubuntu-14.04-alpha-1:
[jibel] investigate automating boot+install testing under SecureBoot in the lab: INPROGRESS
[jibel] include a negative test to make sure the system doesn't boot when it shouldn't: TODO
[apw] investigate the Magrathea key failure types: DONE