Comment 0 for bug 1604934

4.2.0-42 was built without CONFIG_MODULE_SIG_UEFI so the kernel ignores the SecureBoot certificates and the user certificates enrolled as MOKs for module signature validation, forcing the user to either disable validation in shim through mokutil or disabling SecureBoot altogether.

The current linux-lts-xenial build has CONFIG_MODULE_SIG_UEFI=y in its config file and the related symbols (load_uefi_certs, get_cert_list...) are present in System.map. On the other end, the current linux-lts-wily build lacks both:

# grep MODULE_SIG_UEFI /boot/config-4.2.0-42-generic
# grep load_uefi /boot/System.map-4.2.0-42-generic
# grep MODULE_SIG_UEFI config-4.4.0-31-generic
CONFIG_MODULE_SIG_UEFI=y
# grep load_uefi System.map-4.4.0-31-generic
ffffffff81d8431b t load_uefi_certs
ffffffff81e917d8 t __initcall_load_uefi_certs7

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-4.2.0-42-generic 4.2.0-42.49~14.04.1
ProcVersionSignature: Ubuntu 4.2.0-42.49~14.04.1-generic 4.2.8-ckt12
Uname: Linux 4.2.0-42-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
CurrentDesktop: XFCE
Date: Wed Jul 20 21:18:31 2016
InstallationDate: Installed on 2016-01-24 (178 days ago)
InstallationMedia: Xubuntu 14.04.3 LTS "Trusty Tahr" - Beta amd64 (20150805)
SourcePackage: linux-lts-wily
UpgradeStatus: No upgrade log present (probably fresh install)