Bug 28191 - UEFI Secure Boot Support
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kernel
UCS 3.0
Other Linux
: P5 enhancement
: UCS 4.0
Assigned To: Janek Walkenhorst
Stefan Gohmann
: interim-3
Depends on:
Blocks:
Reported: 2012-08-13 11:52 CEST by Stefan Gohmann
Modified: 2014-11-26 06:55 CET
Bug group (optional): Release Goal
Description Stefan Gohmann univentionstaff 2012-08-13 11:52:05 CEST
In the future, it should no longer be possible to start unsigned bootloaders. UCS needs support for UEFI Secure Boot.
Comment 2 Stefan Gohmann univentionstaff 2012-11-15 12:10:41 CET
With EFI support in the installer, the first big step has been taken. As soon as we have more test hardware, we should sign the bootloader and publish a first test DVD. However, that does not necessarily have to happen for the 3.1 release.
Comment 3 Moritz Muehlenhoff univentionstaff 2013-05-31 10:43:20 CEST
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2.

As such, this bug is moved to the new target milestone.
Comment 4 Moritz Muehlenhoff univentionstaff 2013-08-14 08:55:37 CEST
Current summary from DebConf wrt the plans in Debian:
https://lists.debian.org/debian-kernel/2013/08/msg00267.html
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2013-09-16 11:42:40 CEST
shim-0.2 has been imported to SVN and manually built on UCS 3.2:
- ucs-3.2-0/base/shim/
- copy ucs-3.2-0/base/shim/buildShim.sh to UCS 3.2++ instance
- call buildShim.sh:
  buildShim.sh \
      svn+ssh://USERNAME@billy:/var/svn/dev/branches/ucs-3.2/ucs-3.2-0/base/shim
  - the script prepares the local system for compilation and builds a shim binary
  - The Univention vendor certificate (univention-uefi-ca.cer) will be 
    automatically compiled into the binary.

See also https://hutten.knut.univention.de/mediawiki/index.php/UEFI
Comment 6 Stefan Gohmann univentionstaff 2013-11-08 15:46:22 CET
Still waiting for the signature from Microsoft ...
Comment 7 Stefan Gohmann univentionstaff 2014-06-17 13:29:59 CEST
Moved to UCS 4.
Comment 8 Stefan Gohmann univentionstaff 2014-07-15 08:44:53 CEST
It should be checked whether the patches are still needed:

stefan@leka:~/11_wrk/svn/patches$ ls */3.2-0-0-ucs/*uefi* -d1
 efitools/3.2-0-0-ucs/1.4.1-1-uefi
 efitools/3.2-0-0-ucs/1.4.1-1-uefi-secureboot-tools
 gnu-efi/3.2-0-0-ucs/3.0i-3-uefi
 gnu-efi/3.2-0-0-ucs/3.0s+debian-3-uefi
 gnu-efi/3.2-0-0-ucs/3.0s+debian-3-uefi-secureboot-tools
 openssl/3.2-0-0-ucs/1.0.1e-2-uefi
 openssl/3.2-0-0-ucs/1.0.1e-2-uefi-secureboot-tools
 sbsigntool/3.2-0-0-ucs/0.6-0ubuntu1-uefi
 sbsigntool/3.2-0-0-ucs/0.6-0ubuntu1-uefi-secureboot-tools
Comment 9 Stefan Gohmann univentionstaff 2014-09-12 10:08:51 CEST
Microsoft changed its policy:
http://blogs.msdn.com/b/windows_hardware_certification/archive/2013/12/03/microsoft-uefi-ca-signing-policy-updates.aspx

We need an EV certificate and we have to sign the complete chain. I've created several bugs for this:
 - Bug #35914 - Shim update to 0.7 or higher
 - Bug #35915 - Shim signing key & tool
 - Bug #35916 - Sign kernel for UEFI Secure Boot
 - Bug #35917 - Sign grub for UEFI Secure Boot
 - Bug #35918 - Prepare UCS installer for UEFI Secure Boot

Ticket #2014091221000208 → new certificate request
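
Added example, not part of the original bug report or of Univention's tooling: a presence check for the "complete chain" requirement above, reporting which images in a boot chain (shim, GRUB, kernel) carry no Authenticode signature in their PE/COFF certificate table. The function names, the `make_pe` helper and the sample chain are hypothetical and constructed for illustration; it assumes every link is a PE/COFF image (for the kernel, one built with the EFI stub).

```python
import struct

CERT_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA, used by Authenticode

def signature_entries(image: bytes) -> list:
    """Return (wCertificateType, dwLength) for each WIN_CERTIFICATE in a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                       # past signature + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)        # PE32 / PE32+
    if struct.unpack_from("<I", image, dirs - 4)[0] <= CERT_DIR_INDEX:
        return []
    offset, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR_INDEX)
    if offset == 0 or size == 0:
        return []                                       # no certificate table: unsigned
    entries, end = [], offset + size
    if end > len(image):
        raise ValueError("certificate table runs past end of file")
    while offset + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", image, offset)
        if length < 8:
            raise ValueError("corrupt WIN_CERTIFICATE length")
        entries.append((ctype, length))
        offset += (length + 7) & ~7                     # entries are 8-byte aligned
    return entries

def unsigned_links(chain: dict) -> list:
    """Names of boot-chain images that carry no Authenticode signature blob."""
    return [name for name, image in chain.items()
            if not any(t == PKCS_SIGNED_DATA for t, _ in signature_entries(image))]

def make_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for this demo; not a bootable image."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    cert = struct.pack("<IHH", 16, 0x0200, PKCS_SIGNED_DATA) + bytes(8) if signed else b""
    struct.pack_into("<II", opt, 144, 328 if signed else 0, len(cert))
    return dos + coff + bytes(opt) + cert
```

A non-empty certificate table only shows that a signature is attached; whether it validates against the intended certificate still has to be checked with a verifier such as sbverify from the sbsigntool package listed in Comment 8.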
Comment 10 Janek Walkenhorst univentionstaff 2014-11-04 17:25:54 CET
The DVD ucs_4.0-0-20141104-162347-dvd-amd64.iso has SecureBoot support.
Comment 11 Stefan Gohmann univentionstaff 2014-11-06 09:29:37 CET
OK, it works. I've added a changelog entry for this bug.
Comment 12 Stefan Gohmann univentionstaff 2014-11-26 06:55:01 CET
UCS 4.0-0 has been released:
 http://docs.univention.de/release-notes-4.0-0-en.html
 http://docs.univention.de/release-notes-4.0-0-de.html

If this error occurs again, please use "Clone This Bug".