Secure boot plans for R cycle

Registered by Jeremy Kerr on 2012-10-15

Review of the secure boot implementation for precise. Progress updates on the signed boot path, secure boot tools, and Ubuntu infrastructure.

Development plans for the next cycle, areas that we left for implementation in 13.04, and backport progress for the 12.04.2 update.

Blueprint information

Status: Started
Approver: Steve Langasek
Priority: High
Drafter: Jeremy Kerr
Direction: Approved
Assignee: Colin Watson
Definition: Approved
Series goal: Accepted for raring
Implementation: Started
Milestone target: ubuntu-13.04-feature-freeze
Started by: Colin Watson on 2012-11-16

Whiteboard

== Review of 12.10 ==

Ref: http://web.dodds.net/~vorlon/wiki/blog/SecureBoot_in_Ubuntu_12.10/
 * GRUB2 in archive
 * GRUB2 signed
 * kernel signed
 * desktop & server images bootable with MS 3rd party CA
 * issues booting unsigned kernels
  * on certain HW
 * sbkeysync 0.6

== Backports for 12.04.2 ==

 * cjwatson is doing that next week
  * EBS backport (linux-signed)
  * grub2/grub2-signed
  * grub-installer
  * ubiquity
  * d-i
  * cdimage
  * shim/shim-signed
  * sbsigntool
 * PES is keeeeeen to start testing
 * will include keysync infrastructure later

== Plans for 13.04 ==

 * netbooting
 * key sync (should be sorted by a SRU)
 * sbkeysync infrastructure
  - tools to run sbkeysync on various triggers (typically, new keys)
  - actual key set
  - reverse-recommends: grub2-signed
 * MOK
  - our shim is pre-MOK
  - just needs an update (+sign) for shim
 * not-trojaned-by-MS validation (currently manual)
 * OVMF [jk]
  - including apparmor rules for OVMF.fd
  - cjwatson to sponsor (into Debian)

== Other features / wishlist ==

 * signing Xen binaries?
  * no plans as yet
  * “not desperately hard”
  * desktop use cases exist
  * dom0 cannot (yet) take advantage of UEFI boot services, so no particular advantage
  * gwd will bring up signing Xen again in a future release (when it might actually be useful)
 * jk would like some help with sbkeysync testcases
  * jdstrand can help
  * others: please email <email address hidden>
 * netboot support for 12.04.2
  * blocked by grub2 tftp stack issues
  * smagoun can help coordinate testing
 * OsIndications support
  * implemented in GRUB
  * UI from Ubuntu desktop?
   - no design yet
 * custom key configuration walkthrough:
  - http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/

== Module signing ==

 * in progress: infrastructure is there
 * need an alternative to DKMS
 * controlled via kernel command line
  - security considerations?
  - disable disabling when booted in secure boot mode?
 * needs to be opt-in, with the consequence of losing DKMS

Work Items

Work items for ubuntu-13.04-month-2:
[cjwatson] backport all the things for SB support in 12.04.2: DONE
[cjwatson] switch to enablement kernel ASAP for 12.04.2: DONE
[timg-tpi] module signing support prototype for R: DONE
[apw] .efi.signature support for R/Q ASAP: DONE

Work items for ubuntu-13.04-month-5:
[cjwatson] fix grub2 netboot support: INPROGRESS

Work items:
[vorlon] followup on shim bugfixes: TODO
[vorlon] upgrade to shim+MOK for 13.04 and 12.04.3: TODO
[vorlon] OVMF packages (with secure boot support): DONE
[jk-ozlabs] Publish wishlist for sbkeysync tests: TODO
[cjwatson] look into using grub2-signed image preferentially even if SB is disabled (for migration): TODO
[jdstrand] more auditing of signed GRUB: POSTPONED
[jdstrand] packaging for db/dbx updates (LP: #1081700) (essential) (1): DONE
[jdstrand] document testing procedures for db/dbx updates (essential) (4): DONE
[apw] review efivarfs changes for sru to Q: TODO