kernel-packages team mailing list archive
Message #174129
[Bug 1574727] [NEW] [SRU] Enforce using signed kernels and modules on UEFI
Public bug reported:
[Rationale]
Secure Boot is good. We want to be able to validate that as much as possible of the boot process happens with signed binaries; from our shim (the part that is loaded by the EFI firmware itself), down to grub2, the kernel, and even loaded modules.
[Impact]
All our users booting in UEFI; on all supported releases.
[Test cases]
<FIXME: add more test cases>
Test cases here are separated by the components that need to be changed:
= grub2 =
Booting signed kernels:
1) Try to boot a custom kernel
2) Verify that the kernel will not be loaded by grub (you should see an error message about the signature)
Prompting on upgrade:
0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && sudo reboot'
2) Upgrade to the new grub2 package (you may need to download the updated package beforehand)
3) Validate that grub2 prompts you to disable shim validation.
= dkms =
Prompting for dkms on install:
1) Install r8168-dkms
2) Verify that you're asked to disable shim validation, and walked through the process via debconf prompts.
Prompting for dkms on upgrade:
0) On a system that runs a dkms module (such as r8168-dkms, rtl8812au-dkms, ndiswrapper-dkms, bbswitch-dkms, etc.)
1) Make sure that validation is enabled and reboot: 'sudo mokutil --enable-validation && reboot'
2) Upgrade to the new dkms package (you may need to download the updated package beforehand)
3) Validate that dkms prompts you to disable shim validation.
= shim =
Booting:
-> Validate that it allows booting grubx64.efi signed with the old key.
-> Validate that it allows booting grubx64.efi signed with the new key.
Validation toggle:
0) Boot the system; verify if /sys/firmware/efi/efivars/MokSBStateRT-* is present;
If MokSBStateRT is present:
1) sudo mokutil --enable-validation && sudo reboot
2) Validate that Mok asks you if you want to enable validation
Otherwise:
1) sudo mokutil --disable-validation && sudo reboot
2) Validate that Mok asks you if you want to disable validation
Finally:
3) Complete the process to toggle validation state, reboot, and verify whether MokSBStateRT is present.
4) Run mokutil again to toggle validation back to its former state.
[Regression Potential]
Issues to watch out for:
- (dkms) not prompting on upgrade of a dkms package/dkms itself if validation is currently enabled (provided debconf does not have dkms/disable_secureboot seen and set to false)
- (dkms, on new shim) prompting unnecessarily if validation is already disabled
- (grub) not prompting on upgrade ...
- (grub) not prompting on upgrade across releases if validation is disabled; without the applied SRU on original release.
- (grub, on new shim) prompting unnecessarily ...
- (shim) failing to boot on some firmware that doesn't correctly follow specification
- (shim) failing to load a properly-signed grub
- (shim) accepting to load a badly-signed grub
** Affects: dkms (Ubuntu)
Importance: Undecided
Status: New
** Affects: grub2 (Ubuntu)
Importance: Undecided
Status: New
** Affects: grub2-signed (Ubuntu)
Importance: Undecided
Status: New
** Affects: shim (Ubuntu)
Importance: Undecided
Status: New
** Also affects: grub2 (Ubuntu)
Importance: Undecided
Status: New
** Also affects: grub2-signed (Ubuntu)
Importance: Undecided
Status: New
** Also affects: shim (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1574727
Title:
[SRU] Enforce using signed kernels and modules on UEFI
Status in dkms package in Ubuntu:
New
Status in grub2 package in Ubuntu:
New
Status in grub2-signed package in Ubuntu:
New
Status in shim package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1574727/+subscriptions
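
Step 0 of the "Validation toggle" test case as a small script, added here as an example and not part of the original bug report. It assumes the efivarfs file layout (a 4-byte attribute word before the payload); the function names and the EFIVARS_DIR override are made up for illustration.

```shell
#!/bin/sh
# Added example: pick the branch of the "Validation toggle" test case.
# EFIVARS_DIR is a hypothetical override so the logic can run without UEFI.
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# Print the path of the first MokSBStateRT-* variable; fail if none exists.
mok_sb_state_var() {
    for f in "$1"/MokSBStateRT-*; do
        [ -e "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# efivarfs files begin with a 4-byte attribute word; the payload follows.
# Print the first payload byte as a decimal number.
mok_sb_state_value() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Variable present -> the test case enables validation; absent -> disables it.
toggle_command() {
    if mok_sb_state_var "$1" >/dev/null; then
        echo "sudo mokutil --enable-validation && sudo reboot"
    else
        echo "sudo mokutil --disable-validation && sudo reboot"
    fi
}

# Record the state before and after the toggle (steps 0 and 3).
report() {
    if var=$(mok_sb_state_var "$1"); then
        echo "MokSBStateRT present (payload byte: $(mok_sb_state_value "$var"))"
    else
        echo "MokSBStateRT absent"
    fi
    echo "next step: $(toggle_command "$1")"
}

report "$EFIVARS_DIR"
```

Running it once before the toggle and once after the final reboot gives the two states that step 3 asks you to compare.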