kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #175190
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
Wily tested in QEMU/OVMF with signed kernel, with and without MokSBState
enabled.
** Description changed:
Add code to implement secure boot checks. Unsigned or incorrectly signed
modules will continue to install while tainting the kernel _until_
EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
+
+ When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
+ platforms booting in secure boot mode with a DKMS dependency is to
+ disable secure boot using mokutils:
+
+ sudo mokutil --disable-validation
+ sudo reboot
** Description changed:
Add code to implement secure boot checks. Unsigned or incorrectly signed
modules will continue to install while tainting the kernel _until_
EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
platforms booting in secure boot mode with a DKMS dependency is to
- disable secure boot using mokutils:
+ disable secure boot using mokutil:
sudo mokutil --disable-validation
sudo reboot
** Description changed:
+ This work is authorized by an approved UOS spec at
+ https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
+
Add code to implement secure boot checks. Unsigned or incorrectly signed
modules will continue to install while tainting the kernel _until_
EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
platforms booting in secure boot mode with a DKMS dependency is to
disable secure boot using mokutil:
sudo mokutil --disable-validation
sudo reboot
** Description changed:
- This work is authorized by an approved UOS spec at
+ This work is authorized by an approved UOS spec and blueprint at
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
Add code to implement secure boot checks. Unsigned or incorrectly signed
modules will continue to install while tainting the kernel _until_
EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for
platforms booting in secure boot mode with a DKMS dependency is to
disable secure boot using mokutil:
sudo mokutil --disable-validation
sudo reboot
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1566221
Title:
linux: Enforce signed module loading when UEFI secure boot
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Trusty:
In Progress
Status in linux source package in Vivid:
In Progress
Status in linux source package in Wily:
In Progress
Status in linux source package in Xenial:
Fix Released
Status in linux source package in Yakkety:
Fix Released
Bug description:
This work is authorized by an approved UOS spec and blueprint at
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot
Add code to implement secure boot checks. Unsigned or incorrectly
signed modules will continue to install while tainting the kernel
_until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled.
When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse
for platforms booting in secure boot mode with a DKMS dependency is to
disable secure boot using mokutil:
sudo mokutil --disable-validation
sudo reboot
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions
References