Generate per-machine MOK for dkms signing

There are dkms changes and shim-signed changes for this. I'm linking both.

dkms changes in debdiff format. There didn't seem to be a code branch for dkms specific to Ubuntu.

https://code.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/+ref/self-signed

I'm uploading things now; let's keep them blocked in proposed just long enough that I have the time for one last test before it reaches everyone.

Hello Mathieu, or anyone else affected,

Accepted dkms into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.3-3ubuntu7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

we really ought to fix those scripts to not do the bug tampering for devel ;)

This has been in -proposed for 4 days now, and there have been multiple bug reports in that time from users who have -proposed enabled - but none against the latest version which has been in -proposed for 24h+. Dropping the block-proposed tag now to let this migrate.

This bug was fixed in the package shim-signed - 1.34.4

---------------
shim-signed (1.34.4) bionic; urgency=medium

  * Handle the case that there are no kernel modules available for a given
    dkms package. This probably indicates there is a problem with the dkms
    module's installation, but that should not cause this package's
    installation to fail. LP: #1765954.

 -- Steve Langasek <email address hidden> Sat, 21 Apr 2018 10:13:41 -0700

This bug was fixed in the package dkms - 2.3-3ubuntu7

---------------
dkms (2.3-3ubuntu7) bionic; urgency=medium

  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: update
    for the new update-secureboot-policy code: have it generate a new MOK if
    there isn't one yet, and use that so sign newly-built kernel modules.
    (LP: #1748983)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 18 Apr 2018 17:23:41 -0400

Thanks for uploading the fix for this bug report to -proposed. However, when reviewing the package in -proposed and the details of this bug report I noticed that the bug description is missing information required for the SRU process. You can find full details at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure but essentially this bug is missing some of the following: a statement of impact, a test case and details regarding the regression potential. Thanks in advance!

Hello Mathieu, or anyone else affected,

Accepted dkms into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu11.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mathieu, or anyone else affected,

Accepted dkms into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-1.1ubuntu5.14.04.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~14.04.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Verification-done on xenial:

shim-signed/1.33.1~16.04.4
dkms/2.2.0.3-2ubuntu11.6

I've installed bbswitch on a test UEFI system, rebooted to disable validation in shim; then upgraded to the new packages and could verify that shim validation was re-enabled and a MOK was enrolled in the firmware, as expected.

ubuntu@ubuntu:~$ dpkg -l dkms shim-signed | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-=============================================-============-==============================================================
ii dkms 2.2.0.3-2ubuntu11.6 all Dynamic Kernel Module Support Framework
ii shim-signed 1.33.1~16.04.4+15+1533136590.3beb971-0ubuntu1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo mokutil --sb-state
[sudo] password for ubuntu:
SecureBoot enabled
ubuntu@ubuntu:~$ sudo modprobe bbswitch
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:~$ dmesg | tail
[ 7.397726] wlp3s0: authenticated
[ 7.398704] wlp3s0: associate with fc:ec:da:3c:dd:85 (try 1/3)
[ 7.402921] wlp3s0: RX AssocResp from fc:ec:da:3c:dd:85 (capab=0x411 status=0 aid=3)
[ 7.422831] wlp3s0: associated
[ 7.422886] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[ 23.013018] random: nonblocking pool is initialized
[ 100.470084] bbswitch: loading out-of-tree module taints kernel.
[ 100.470804] bbswitch: version 0.8
[ 100.470822] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[ 100.470837] bbswitch: No discrete VGA device found

Verification-done on trusty:

dkms/2.2.0.3-1.1ubuntu5.14.04.10
shim-signed/1.33.1~14.04.4

I've installed bbswitch on a test UEFI system, rebooted to disable validation in shim; then upgraded to the new packages and could verify that shim validation was re-enabled and a MOK was enrolled in the firmware, as expected.

ubuntu@ubuntu:~$ dpkg -l dkms shim-signed |cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-=====================================-=========================================-============-===============================================================================
ii dkms 2.2.0.3-1.1ubuntu5.14.04.10 all Dynamic Kernel Module Support Framework
ii shim-signed 1.33.1~14.04.4+13-0ubuntu2 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo modprobe bbswitch
[sudo] password for ubuntu:
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:~$ dmesg | tail
[ 15.292736] audit: type=1400 audit(1550085342.906:10): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[ 15.293018] audit: type=1400 audit(1550085342.906:11): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1019 comm="apparmor_parser"
[ 15.293020] audit: type=1400 audit(1550085342.906:12): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[ 15.293167] audit: type=1400 audit(1550085342.906:13): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[ 15.293785] audit: type=1400 audit(1550085342.906:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=1021 comm="apparmor_parser"
[ 15.422442] init: plymouth-upstart-bridge main process ended, respawning
[ 20.034883] random: nonblocking pool is initialized
[ 79.588877] bbswitch: version 0.7
[ 79.588891] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[ 79.588901] bbswitch: No discrete VGA device found

The verification of the Stable Release Update for shim-signed has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package shim-signed - 1.33.1~16.04.4

---------------
shim-signed (1.33.1~16.04.4) xenial; urgency=medium

  * update-secureboot-policy: (LP: #1748983)
    - Backport update-secureboot-policy changes to generate a MOK and guide
      users through re-enabling validation and automatically signing DKMS
      modules.
  * debian/shim-signed.postinst:
    - When triggered, explicitly try to enroll the available MOK.
  * debian/shim-signed.install, openssl.cnf: Install some default configuration
    for creating our self-signed key.
  * debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
  * debian/templates: update templates for update-secureboot-policy changes.
  * debian/control: Breaks dkms (<< 2.2.0.3-2ubuntu11.5~) since we're changing
    the behavior of update-secureboot-policy.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 10:22:31 -0500

This bug was fixed in the package shim-signed - 1.33.1~14.04.4

---------------
shim-signed (1.33.1~14.04.4) trusty; urgency=medium

  * update-secureboot-policy: (LP: #1748983)
    - Backport update-secureboot-policy changes to generate a MOK and guide
      users through re-enabling validation and automatically signing DKMS
      modules.
  * debian/shim-signed.postinst:
    - When triggered, explicitly try to enroll the available MOK.
  * debian/shim-signed.install, openssl.cnf: Install some default configuration
    for creating our self-signed key.
  * debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
  * debian/templates: update templates for update-secureboot-policy changes.
  * debian/control: Breaks dkms (<< 2.2.0.3-1.1ubuntu5.14.04.10~) since we're
    changing the behavior of update-secureboot-policy.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 11:02:00 -0500

This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.10

---------------
dkms (2.2.0.3-1.1ubuntu5.14.04.10) trusty; urgency=medium

  * debian/patches/shim_secureboot_support.patch:
    - Move to signing just after module build to ensure it correctly applies
      at kernel update times. (LP: #1772950)
    - Generate a new MOK if there isn't one yet, and use that so sign
      newly-built kernel modules. (LP: #1748983)
  * debian/control: Breaks: shim-signed (<< 1.33.1~14.04.4) to ensure both
    are updated in lock-step since the changes above require a new version of
    update-secureboot-policy to correctly generate the new MOK and enroll it
    in firmware.

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 11:05:49 -0500

This bug was fixed in the package dkms - 2.2.0.3-2ubuntu11.6

---------------
dkms (2.2.0.3-2ubuntu11.6) xenial; urgency=medium

  * debian/patches/shim_secureboot_support.patch:
    - Move to signing just after module build to ensure it correctly applies
      at kernel update times. (LP: #1772950)
    - Generate a new MOK if there isn't one yet, and use that so sign
      newly-built kernel modules. (LP: #1748983)

 -- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 10:21:09 -0500

This seems to be causing a regression with the bcmwl driver, see https://bugs.launchpad.net/ubuntu/+source/bcmwl/+bug/1818134 for further details.

I have asked for additional information on that bug.