Secure Boot work for 14.04

Registered by Steve Langasek on 2013-10-24

There's more work to be done to polish our Secure Boot story for 14.04. Blueprint to capture this work.

Blueprint information

Status:
Not started
Approver:
Steve Langasek
Priority:
Undefined
Drafter:
Steve Langasek
Direction:
Needs approval
Assignee:
None
Definition:
Discussion
Series goal:
Accepted for trusty
Implementation:
Unknown
Milestone target:
None

Related branches

Sprints

Whiteboard

* Colin will get a new grub2 upstream snapshot, which may fix the IPv6 netboot issues and, if not, provides a better base for debugging
= Things done for 12.04.4 =
 * updated to shim 0.4. This addresses a number of firmware compatibility issues seen in the early prerelease version that was included in 12.04.3.
 * included a patch to silence shim during normal operation, in keeping with Ubuntu's policy of a silent-by-default boot and fixing errors on Lenovo firmware implementations in particular
 * integrated MokManager support, to make it easier for users to enable signature enforcement with local kernel and kernel module builds
 * IPv4 netboot support
= Work planned for 14.04 =
 * Integration of shim fallback.efi, which brings support for recovering the boot options for a system after a disk is moved between machines or when the firmware has been wiped
 * Integrate support for making kernel signature enforcement an option recorded in nvram, so that users have finer-grained control over SB enforcement without needing to navigate vendor-specific firmware UIs
= May do for 14.04 =
 * IPv6 SecureBoot netboot support (requires fixes to grub2 upstream)
 * update to shim upstream 0.5 (or later)
 * improving the installer UI under UEFI: currently you get a stock GRUB2 boot menu instead of the installer boot GUI with option menus
 * integration of mokutil in the userspace (e.g., dkms integration, grub-install integration)
 * Add support for rebooting into the firmware menu (for those systems using fast boot) (not strictly SB related but tends to come hand in hand)
  * this already exists.
  - where is it? grub-menu option? oh yeah, it's in grub, nevermind (just remembered seeing it now ;))
  - "System setup" starts fwsetup which causes the system to reboot into the firmware menu
http://permalink.gmane.org/gmane.comp.bios.tianocore.devel/4698
https://wiki.ubuntu.com/UEFI/SecureBoot-PXE-IPv6
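The items above about enforcement flags recorded in NVRAM and about firmware state are easiest to reason about when you can read the relevant UEFI variables from a running system. The following is an added example, not code from the blueprint or from shim/mokutil: it parses UEFI variables as exposed by Linux efivarfs (4-byte little-endian attribute mask followed by the raw data), decodes the standard SecureBoot and SetupMode variables, and reports whether the firmware is actually enforcing signatures. The EFI_GLOBAL_VARIABLE GUID is the one from the UEFI specification; the MokSBState variable name and SHIM_LOCK GUID are shim's variables as known from later shim releases, so treat their use here as an assumption relative to what 14.04 shipped. Sample variable images are constructed inline so the parsing runs offline.

```python
"""Decode UEFI Secure Boot state from efivarfs variable images.

Added example (not part of the blueprint). efivarfs exposes each variable at
/sys/firmware/efi/efivars/<Name>-<GUID>; the file body is a 4-byte
little-endian attribute bitmask followed by the variable's raw data.
"""
import struct
from pathlib import Path

# GUIDs: EFI_GLOBAL_VARIABLE is from the UEFI spec; SHIM_LOCK_GUID is shim's
# own namespace (assumed here; check against the shim source you ship).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")

# Attribute bits from the UEFI spec (subset relevant here).
ATTR_NAMES = {
    0x1: "NON_VOLATILE",
    0x2: "BOOTSERVICE_ACCESS",
    0x4: "RUNTIME_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
}


def parse_efivar(raw: bytes):
    """Split an efivarfs file image into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivarfs image too short for the attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def describe_attrs(attrs: int):
    """Return the names of the set attribute bits, lowest bit first."""
    return [name for bit, name in sorted(ATTR_NAMES.items()) if attrs & bit]


def boolean_var(raw: bytes) -> bool:
    """SecureBoot/SetupMode/MokSBState carry a single byte: 1 = set."""
    _attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def secure_boot_status(secureboot_raw: bytes, setupmode_raw: bytes) -> dict:
    """Firmware enforces only when SecureBoot == 1 and SetupMode == 0.

    A system in Setup Mode reports SecureBoot but does not verify images,
    which is why both variables must be read before calling it 'enforcing'.
    """
    sb = boolean_var(secureboot_raw)
    setup = boolean_var(setupmode_raw)
    return {"SecureBoot": sb, "SetupMode": setup, "enforcing": sb and not setup}


def shim_validation_disabled(moksbstate_raw: bytes) -> bool:
    """MokSBState == 1 means the user asked shim to skip kernel validation
    (an NVRAM flag of exactly the kind the blueprint discusses). Assumed name."""
    return boolean_var(moksbstate_raw)


def read_var(name: str, guid: str = EFI_GLOBAL_VARIABLE_GUID) -> bytes:
    """Read one variable image from a live efivarfs mount."""
    return (EFIVARS_DIR / f"{name}-{guid}").read_bytes()


def live_status():
    """Report on the running machine; None when not booted via UEFI."""
    try:
        status = secure_boot_status(read_var("SecureBoot"), read_var("SetupMode"))
    except FileNotFoundError:
        return None
    try:
        status["shim_validation_disabled"] = shim_validation_disabled(
            read_var("MokSBState", SHIM_LOCK_GUID))
    except FileNotFoundError:
        status["shim_validation_disabled"] = False  # variable absent: not disabled
    return status


# Constructed sample images: attributes 0x6 (BS+RT access), then one data byte.
SAMPLE_SB_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SB_OFF = b"\x06\x00\x00\x00\x00"
SAMPLE_SETUP_USER = b"\x06\x00\x00\x00\x00"   # SetupMode = 0 (User Mode)
SAMPLE_SETUP_MODE = b"\x06\x00\x00\x00\x01"   # SetupMode = 1 (Setup Mode)

if __name__ == "__main__":
    print("constructed sample:", secure_boot_status(SAMPLE_SB_ON, SAMPLE_SETUP_USER))
    print("this machine:", live_status())
```

Reading efivarfs does not normally need root, so this is usable from an installer or lab test harness; the negative-test work item below needs the opposite check as well (an unsigned image must fail to boot), which this read-only probe cannot provide on its own.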

= Qemu testing =
* Daily builds of OVMF: https://jenkins.qa.ubuntu.com/job/ovmf_daily-build_devel_amd64/

(?)

Work Items

Work items for ubuntu-14.04:
[cjwatson] investigate improvements to the installer boot UI under UEFI: TODO
[cjwatson] grub2 new upstream snapshot: DONE
[vorlon] review shim 0.5 upstream for potential inclusion: TODO
[vorlon] proof-of-concept mokutil integration for dkms, grub-install: TODO
[vorlon] follow up with Linux SB folks about nvram flags, and what will honor them (for kernel modules signature enforcement and kernel image signature enforcement): TODO
[vorlon] follow up on persistent nvram support in ovmf: TODO

Work items for ubuntu-14.04-alpha-1:
[jibel] investigate automating boot+install testing under SecureBoot in the lab: INPROGRESS
[jibel] include a negative test to make sure the system doesn't boot when it shouldn't: TODO
[apw] investigate the Magrathea key failure types: DONE