MokSBStateRT strictly inferior to /proc/sys/kernel/moksbstate_disabled
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| shim-signed (Ubuntu) | Fix Released | High | Unassigned | |
| Precise | Fix Released | High | Unassigned | |
| Trusty | Fix Released | High | Unassigned | |
| Wily | Fix Released | High | Unassigned | |
| Xenial | Fix Released | High | Unassigned | |
Bug Description
[SRU Justification]
In some cases, incorrect locally-set EFI variables can prevent the shim-signed package from detecting that SecureBoot is active on the system. As a result, the user will not be prompted to disable SecureBoot, and will be left with non-functional dkms modules after reboot to the new kernel.
[Test case]
1. Install Ubuntu on a system (or VM) with SecureBoot enabled.
2. As root, run "printf '\x07\x00\
3. Install shim-signed from -updates.
4. Install the dahdi-dkms package.
5. Confirm that you are not prompted to disable secureboot.
6. Install shim-signed from -proposed.
7. Confirm that you *are* prompted to disable secureboot.
8. Run 'sudo rm /sys/firmware/
[Regression potential]
Since /proc/sys/
update-
- We've specified how shim can mirror the MokSBState variable to MokSBStateRT at boot time, to expose this information to the OS (but this is not implemented in current shim).
- The recent kernels which honor MokSBState also include support for exposing this value as /proc/sys/
Neither of these is guaranteed to be present on any given system. However, if present, the kernel variable should be *unconditionally* preferred over the EFI "shadow" variable, because the kernel variable is immutable, whereas MokSBStateRT is just another NVRAM variable that things can overwrite (though they shouldn't).
We have heard at least one report internally of a system where something other than our shim is setting the value of MokSBStateRT and confusing update-
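The precedence rule argued above, as an added shell example that is not the shim-signed package's own update-secureboot-policy script: the immutable kernel sysctl wins whenever it is readable, and the writable MokSBStateRT NVRAM variable is only consulted as a fallback. Assumed here (not stated on the page): the sysctl reads "1" when validation is disabled, the variable is exposed by efivarfs as MokSBStateRT-<shim lock GUID> with a 4-byte attribute word before the one-byte state, and the file paths can be overridden so the stale-variable case can be reproduced with constructed files.

```shell
#!/bin/sh
# Added example; not the update-secureboot-policy shipped in shim-signed.
MOKSB_SYSCTL=${MOKSB_SYSCTL:-/proc/sys/kernel/moksbstate_disabled}
# Assumed efivarfs name: MokSBStateRT under the shim lock GUID.
MOKSB_EFIVAR=${MOKSB_EFIVAR:-/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23}

# Prints "<source>:<state>". source: kernel, efivar or none.
# state: disabled (shim was told to skip signature validation) or enforcing.
# Optional $1/$2 override the sysctl and efivar paths (used by the demo below).
moksb_state() {
    sysctl=${1:-$MOKSB_SYSCTL}
    efivar=${2:-$MOKSB_EFIVAR}
    if [ -r "$sysctl" ]; then
        # Immutable kernel view of MokSBState: preferred unconditionally,
        # even when an NVRAM variable says otherwise.
        if [ "$(cat "$sysctl")" = "1" ]; then echo kernel:disabled; else echo kernel:enforcing; fi
        return 0
    fi
    if [ -r "$efivar" ]; then
        # efivarfs layout (assumed): 4-byte attribute word, then variable data.
        # Read only the first data byte; an empty/short file counts as enforcing.
        byte=$(od -An -tu1 -j4 -N1 "$efivar" | tr -d ' ')
        if [ "$byte" = "1" ]; then echo efivar:disabled; else echo efivar:enforcing; fi
        return 0
    fi
    echo none:enforcing
}

# Reproduce the report's failure mode with constructed files: a stale
# MokSBStateRT claiming validation is disabled, next to a kernel sysctl
# reporting that it is enforced. Prints the efivar-only and kernel-backed
# results side by side.
demo_stale_moksbstatert() {
    dir=$(mktemp -d)
    printf '0\n' > "$dir/moksbstate_disabled"
    # Constructed variable: attributes NV|BS|RT (0x07, little-endian), state 1.
    printf '\007\000\000\000\001' > "$dir/MokSBStateRT"
    efivar_only=$(moksb_state "$dir/does-not-exist" "$dir/MokSBStateRT")
    with_kernel=$(moksb_state "$dir/moksbstate_disabled" "$dir/MokSBStateRT")
    rm -rf "$dir"
    echo "$efivar_only $with_kernel"
}
```

Without the sysctl the stale variable alone would make the policy script believe validation is off and skip the prompt; with it present the kernel's answer is taken instead.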
description: updated
description: updated
description: updated
Changed in shim-signed (Ubuntu): importance: Undecided → High
Changed in shim-signed (Ubuntu Precise): importance: Undecided → High
Changed in shim-signed (Ubuntu Trusty): importance: Undecided → High
Changed in shim-signed (Ubuntu Wily): importance: Undecided → High
Changed in shim-signed (Ubuntu Xenial): importance: Undecided → High
tags: added: verification-done-trusty
tags: removed: verification-needed
tags: added: verification-needed-precise verification-needed-wily verification-needed-xenial
tags: added: verification-done-xenial; removed: verification-needed-xenial
tags: added: verification-done-wily; removed: verification-needed-wily
tags: added: verification-done-precise; removed: verification-needed-precise
tags: added: verification-done; removed: verification-done-precise verification-done-trusty verification-done-wily verification-done-xenial
This bug was fixed in the package shim-signed - 1.18
---------------
shim-signed (1.18) yakkety; urgency=medium
* update-secureboot-policy: If /proc/sys/kernel/moksbstate_disabled is
present, prefer this unconditionally over MokSBStateRT. LP: #1604873.
-- Steve Langasek <email address hidden> Wed, 20 Jul 2016 08:31:17 -0700