← Back to team overview

kernel-packages team mailing list archive

[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot

 

Wily tested in QEMU/OVMF with signed kernel, with and without MokSBState
enabled.

** Description changed:

  Add code to implement secure boot checks. Unsigned or incorrectly signed
  modules will continue to install while tainting the kernel _until_
  EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
+ 
+ When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
+ platforms booting in secure boot mode with a DKMS dependency is to
+ disable secure boot using mokutils:
+ 
+ sudo mokutil --disable-validation
+ sudo reboot

** Description changed:

  Add code to implement secure boot checks. Unsigned or incorrectly signed
  modules will continue to install while tainting the kernel _until_
  EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
  
  When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
  platforms booting in secure boot mode with a DKMS dependency is to
- disable secure boot using mokutils:
+ disable secure boot using mokutil:
  
  sudo mokutil --disable-validation
  sudo reboot

** Description changed:

+ This work is authorized by an approved UOS spec at
+ https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
+ 
  Add code to implement secure boot checks. Unsigned or incorrectly signed
  modules will continue to install while tainting the kernel _until_
  EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
  
  When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
  platforms booting in secure boot mode with a DKMS dependency is to
  disable secure boot using mokutil:
  
  sudo mokutil --disable-validation
  sudo reboot

** Description changed:

- This work is authorized by an approved UOS spec at
+ This work is authorized by an approved UOS spec and blueprint at
  https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
  
  Add code to implement secure boot checks. Unsigned or incorrectly signed
  modules will continue to install while tainting the kernel _until_
  EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
  
  When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
  platforms booting in secure boot mode with a DKMS dependency is to
  disable secure boot using mokutil:
  
  sudo mokutil --disable-validation
  sudo reboot

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1566221

Title:
  linux: Enforce signed module loading when UEFI secure boot

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux source package in Wily:
  In Progress
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released

Bug description:
  This work is authorized by an approved UOS spec and blueprint at
  https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot

  Add code to implement secure boot checks. Unsigned or incorrectly
  signed modules will continue to install while tainting the kernel
  _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled.

  When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse
  for platforms booting in secure boot mode with a DKMS dependency is to
  disable secure boot using mokutil:

  sudo mokutil --disable-validation
  sudo reboot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions


References