group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #28529
[Bug 1748983] Re: Generate per-machine MOK for dkms signing
This bug was fixed in the package shim-signed - 1.33.1~16.04.4
---------------
shim-signed (1.33.1~16.04.4) xenial; urgency=medium
* update-secureboot-policy: (LP: #1748983)
- Backport update-secureboot-policy changes to generate a MOK and guide
users through re-enabling validation and automatically signing DKMS
modules.
* debian/shim-signed.postinst:
- When triggered, explicitly try to enroll the available MOK.
* debian/shim-signed.install, openssl.cnf: Install some default configuration
for creating our self-signed key.
* debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
* debian/templates: update templates for update-secureboot-policy changes.
* debian/control: Breaks dkms (<< 2.2.0.3-2ubuntu11.5~) since we're changing
the behavior of update-secureboot-policy.
-- Mathieu Trudel-Lapierre <cyphermox@xxxxxxxxxx> Mon, 28 Jan 2019
10:22:31 -0500
** Changed in: shim-signed (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1748983
Title:
Generate per-machine MOK for dkms signing
Status in dkms package in Ubuntu:
Fix Released
Status in shim-signed package in Ubuntu:
Fix Released
Status in dkms source package in Trusty:
Fix Released
Status in shim-signed source package in Trusty:
Fix Released
Status in dkms source package in Xenial:
Fix Committed
Status in shim-signed source package in Xenial:
Fix Released
Bug description:
[SRU Justification]
Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether.
[Test case]
1) Install Ubuntu in UEFI mode.
2) Install bbswitch-dkms (or another -dkms package if useful on your system).
3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot).
4) Reboot; follow the steps in MokManagerL
4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so.
4b) If a dkms package was previously installed on the system (so Secure Boot is currently disabled in shim), pick "Change Secure Boot state". Follow the prompts to enter password characters. The option will only show up if Secure Boot validation was found to be disabled.
5) Pick "Reboot".
6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>".
7) Run 'modprobe <module>' to validate that the module can be loaded explicilty.
8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys.
[Regression potential]
If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load.
---
shim-signed's update-secureboot-policy should allow creating a
machine-owner key, and using this for signing kernel modules built via
DKMS. Key generation and enrolling should be made as easy as possible
for users.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1748983/+subscriptions