← Back to team overview

group.of.nepali.translators team mailing list archive

  1. group.of.nepali.translators team
  2. Mailing list archive
  3. Message #06287

[Bug 1604873] Re: MokSBStateRT strictly inferior to /proc/sys/kernel/moksbstate_disabled

  Thread PreviousDate PreviousThread Next 
This bug was fixed in the package shim-signed - 1.18

---------------
shim-signed (1.18) yakkety; urgency=medium

  * update-secureboot-policy:  If /proc/sys/kernel/moksbstate_disabled is
    present, prefer this unconditionally over MokSBStateRT.  LP: #1604873.

 -- Steve Langasek <steve.langasek@xxxxxxxxxx>  Wed, 20 Jul 2016
08:31:17 -0700

** Changed in: shim-signed (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1604873

Title:
  MokSBStateRT strictly inferior to /proc/sys/kernel/moksbstate_disabled

Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim-signed source package in Precise:
  New
Status in shim-signed source package in Trusty:
  New
Status in shim-signed source package in Wily:
  New
Status in shim-signed source package in Xenial:
  New

Bug description:
  update-secureboot-policy tries to check whether MOK's override has disabled SecureBoot state.  However, since the real variable in nvram is not accessible after boot, it needs to use a proxy for this information.  There are two that it tries to use:
   - We've specified how shim can mirror the MokSBState variable to MokSBStateRT at boot time, to expose this information to the OS (but this is not implemented in current shim).
   - The recent kernels which honor MokSBState also include support for exposing this value as  /proc/sys/kernel/moksbstate_disabled.

  Neither of these is guaranteed to be present on any given system.
  However, if present, the kernel variable should be *unconditionally*
  preferred over the efi "shadow" variable - because the kernel variable
  is immutable, whereas MokSBStateRT is just another nvram variable that
  things can overwrite (though they shouldn't).

  We have heard at least one report internally of a system where
  something other than our shim is setting the value of MokSBStateRT and
  confusing update-secureboot-policy, so this will be a priority to also
  fix in SRU.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1604873/+subscriptions

References

  Thread PreviousDate PreviousThread Next