Secure Boot work for 14.04

Registered by Steve Langasek

There's more work to be done to polish our Secure Boot story for 14.04. Blueprint to capture this work.

Blueprint information

Status:
Not started
Approver:
Steve Langasek
Priority:
Undefined
Drafter:
Steve Langasek
Direction:
Needs approval
Assignee:
None
Definition:
Discussion
Series goal:
Accepted for trusty
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

* Colin will get a new grub2 upstream snapshot, which may fix the IPv6 netboot issues and, if not, provides a better base for debugging
= Things done for 12.04.4 =
 * updated to shim 0.4. This addresses a number of firmware compatibility issues seen in the early prerelease version that was included in 12.04.3.
 * included a patch to silence shim during normal operation, in keeping with Ubuntu's policy of a silent-by-default boot and fixing errors on Lenovo firmware implementations in particular
 * integrated MokManager support, to make it easier for users to enable signature enforcement with local kernel and kernel module builds
 * IPv4 netboot support
= Work planned for 14.04 =
 * Integration of shim fallback.efi, which brings support for recovering the boot options for a system after a disk is moved between machines or when the firmware has been wiped
 * Integrate support for making kernel signature enforcement an option recorded in nvram, so that users have finer-grained control over SB enforcement without needing to navigate vendor-specific firmware UIs
= May do for 14.04 =
 * IPv6 SecureBoot netboot support (requires fixes to grub2 upstream)
 * update to shim upstream 0.5 (or later)
 * improving the installer UI under UEFI: currently you get a stock GRUB2 boot menu instead of the installer boot GUI with option menus
 * integration of mokutil in the userspace (e.g., dkms integration, grub-install integration)
 * Add support for rebooting into the firmware menu (for those systems using fast boot) (not strictly SB related but tends to come hand in hand)
  * this already exists.
  - where is it? grub-menu option? oh yeah, it's in grub, never mind (just remembered seeing it now ;))
  - "System setup" starts fwsetup which causes the system to reboot into the firmware menu
http://permalink.gmane.org/gmane.comp.bios.tianocore.devel/4698
https://wiki.ubuntu.com/UEFI/SecureBoot-PXE-IPv6
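As an added example (not from the blueprint, nor code from shim or mokutil): a POSIX shell check that reads from efivarfs the two nvram flags shim already honours, the firmware's SecureBoot variable and shim's runtime mirror MokSBStateRT of its "validation disabled" flag, so a lab boot test or a dkms hook can tell whether signature enforcement is actually in effect rather than assuming it. The variable names and GUIDs are the standard EFI global and shim ones; the EFIVARS override and the status strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the blueprint or of shim/mokutil.
# Reports whether shim will enforce signatures, based on nvram flags:
#   SecureBoot   (EFI global GUID)  1 = firmware verifies shim
#   MokSBStateRT (shim GUID)        1 = user disabled shim validation
# EFIVARS may be pointed at a test directory (assumption for testing).
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23

# Print the first payload byte of an efivarfs variable as a decimal.
# efivarfs files carry a 4-byte attribute header before the data;
# prints "absent" when the variable does not exist.
efivar_byte() {
    f="$1/$2"
    [ -r "$f" ] || { echo absent; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# Classify enforcement state from the directory holding the variables.
sb_status() {
    dir="${1:-$EFIVARS}"
    sb=$(efivar_byte "$dir" "SecureBoot-$EFI_GLOBAL_GUID")
    mok=$(efivar_byte "$dir" "MokSBStateRT-$SHIM_GUID")
    case "$sb" in
        absent) echo "no-secureboot-variable"; return 0 ;;
        0) echo "firmware-disabled"; return 0 ;;
    esac
    # Firmware enforces, but shim may have been told to stop validating
    if [ "$mok" = "1" ]; then
        echo "firmware-enabled-shim-validation-disabled"
    else
        echo "enforcing"
    fi
}

if [ "${1:-}" = "--run" ]; then
    sb_status
fi
```

Run as `sh sbcheck.sh --run` on the booted system; a negative test should expect "enforcing" and fail the run on any other value.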

= Qemu testing =
* Daily builds of OVMF: https://jenkins.qa.ubuntu.com/job/ovmf_daily-build_devel_amd64/


Work Items

Work items for ubuntu-14.04:
[cjwatson] investigate improvements to the installer boot UI under UEFI: TODO
[cjwatson] grub2 new upstream snapshot: DONE
[vorlon] review shim 0.5 upstream for potential inclusion: TODO
[vorlon] proof-of-concept mokutil integration for dkms, grub-install: TODO
[vorlon] follow up with Linux SB folks about nvram flags, and what will honor them (for kernel modules signature enforcement and kernel image signature enforcement): TODO
[vorlon] follow up on persistent nvram support in ovmf: TODO

Work items for ubuntu-14.04-alpha-1:
[jibel] investigate automating boot+install testing under SecureBoot in the lab: INPROGRESS
[jibel] include a negative test to make sure the system doesn't boot when it shouldn't: TODO
[apw] investigate the Magrathea key failure types: DONE