kernel-packages team mailing list archive
Message #172161
[Bug 1571691] Re: linux: MokSBState is ignored
** Description changed:
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled,
but contained no way of disabling secure boot for DKMS.
+
+ This patch set implements the ability to disable secure boot on demand
+ from user space (with some password shennaigans). If one boots in secure
+ boot mode and then installs a third party module (such as DKMS), then a
+ dialog is displayed giving the user an option to disable secure boot,
+ thereby also disabling module signature verification. Patch 1/2 is a
+ scaffold patch of which only the GUID macros are actually used. The rest
+ of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be
+ enabled until a later series. Patch 2/2 is where MOKSBState is read and
+ implemented. Patch 3/3 simply prints a bit more informative state
+ information.
+
+ Information regarding secure boot and signed module enforcement will
+ appear in the kernel log thusly:
+
+ 'Secure boot enabled' - normal secure boot operation with signed module enforcement.
+ 'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
+
+ In the absense of a 'Secure boot' string assume that secure boot is
+ disabled or does not exist.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1571691
Title:
linux: MokSBState is ignored
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Xenial:
In Progress
Bug description:
Ubuntu-4.4.0-20.36 was released with signed module enforcement
enabled, but contained no way of disabling secure boot for DKMS.
This patch set implements the ability to disable secure boot on demand
from user space (with some password shenanigans). If one boots in
secure boot mode and then installs a third party module (such as
DKMS), then a dialog is displayed giving the user an option to disable
secure boot, thereby also disabling module signature verification.
Patch 1/2 is a scaffold patch of which only the GUID macros are
actually used. The rest of the code is fenced by
CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series.
Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3
simply prints a bit more informative state information.
Information regarding secure boot and signed module enforcement will
appear in the kernel log thusly:
'Secure boot enabled' - normal secure boot operation with signed module enforcement.
'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
In the absence of a 'Secure boot' string assume that secure boot is
disabled or does not exist.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1571691/+subscriptions
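An added example, not part of the bug report or the patch set: a small audit helper that classifies a kernel log by the two 'Secure boot' strings quoted in the description, so hosts where module signature enforcement is off can be flagged. The function name `sb_state`, the result labels and the sample log lines are assumptions made for illustration; only the two quoted strings come from the message.

```shell
#!/bin/sh
# Classify a kernel log read from stdin using the strings quoted in the
# bug description. Matching is by substring only: nothing is assumed
# about timestamps or prefixes on the real log lines.
sb_state() {
    log=$(cat)
    case "$log" in
        *"Secure boot MOKSBState disabled"*)
            # Assumption: if both strings ever appear, the override wins,
            # because it means no signed module enforcement.
            echo "moksbstate-disabled" ;;
        *"Secure boot enabled"*)
            echo "enforcing" ;;
        *)
            # No 'Secure boot' string: disabled or not present.
            echo "disabled-or-absent" ;;
    esac
}

# Constructed sample logs (not captured from a real system).
SAMPLE_ENFORCING='[    0.000000] Secure boot enabled
[    1.000000] example: unrelated line'
SAMPLE_OVERRIDE='[    0.000000] Secure boot MOKSBState disabled
[    1.000000] example: unrelated line'
SAMPLE_NONE='[    0.000000] example: unrelated line'

# Demonstration over the constructed samples.
for sample in "$SAMPLE_ENFORCING" "$SAMPLE_OVERRIDE" "$SAMPLE_NONE"; do
    printf '%s\n' "$sample" | sb_state
done

# On a live system the same check would be: dmesg | sb_state
```

A result of `moksbstate-disabled` or `disabled-or-absent` means unsigned modules can be loaded on that host.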