linux: Enforce signed module loading when UEFI secure boot
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | | Undecided | Petro |
Trusty | | Undecided | Tim Gardner |
Vivid | | Undecided | Tim Gardner |
Wily | | Undecided | Tim Gardner |
Xenial | | Undecided | Tim Gardner |
Yakkety | | Undecided | Tim Gardner |
Bug Description
This work is authorized by an approved UOS spec and blueprint at https:/
Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_
When EFI_SECURE_
sudo mokutil --disable-
sudo reboot
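As an added example, not part of this bug report or of the Ubuntu kernel: a parser for the signature block that the kernel's sign-file appends to a .ko, so an administrator can tell whether a DKMS-built module carries any signature at all before loading it under enforcement. The layout (struct module_signature followed by the "~Module signature appended~" trailer) is the kernel's; the sample module bytes, the sample signature and the helper names are constructed for this example, and the check only reports presence, not whether the signer is trusted by the running kernel.

```python
import struct

# Trailer that scripts/sign-file appends after the signature block.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then a big-endian u32 sig_len (12 bytes in total).
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS7"}

# Constructed stand-ins: a fake ELF image and fake signature bytes.
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_SIGNATURE = b"\x30\x82\x01\x00" + b"\xaa" * 32


def parse_module_signature(ko):
    """Return None if the image has no appended signature, otherwise a dict
    describing the block. Layout is [module][signer][key_id][sig][struct][trailer]."""
    if not ko.endswith(MODULE_SIG_STRING):
        return None
    body = ko[:-len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIGNATURE.size:
        raise ValueError("trailer present but struct module_signature missing")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = MODULE_SIGNATURE.unpack(
        body[-MODULE_SIGNATURE.size:])
    body = body[:-MODULE_SIGNATURE.size]
    if id_type == PKEY_ID_PKCS7 and (algo, hsh, signer_len, key_id_len) != (0, 0, 0, 0):
        # Same sanity rule the kernel applies: a PKCS#7 block keeps these inside the blob.
        raise ValueError("malformed PKCS#7 signature header")
    blob_len = signer_len + key_id_len + sig_len
    if blob_len > len(body):
        raise ValueError("signature lengths exceed file size")
    module_len = len(body) - blob_len
    signer = body[module_len:module_len + signer_len]
    key_id = body[module_len + signer_len:module_len + signer_len + key_id_len]
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "module_len": module_len,
        "signer": signer.decode("ascii", "replace"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "signature": body[len(body) - sig_len:],
    }


def append_signature_block(ko, signature, id_type=PKEY_ID_PKCS7, signer=b"", key_id=b""):
    """Frame a signature the way sign-file does. Only the framing is reproduced;
    the signature bytes are whatever the caller passes, so the result is a
    parsing sample, not a module any kernel would accept."""
    header = MODULE_SIGNATURE.pack(0, 0, id_type, len(signer), len(key_id), len(signature))
    return ko + signer + key_id + signature + header + MODULE_SIG_STRING


def module_signature_status(ko):
    """One-line verdict for an operator checking a module before loading it."""
    info = parse_module_signature(ko)
    if info is None:
        return "unsigned: loads only with the kernel tainted, or not at all under enforcement"
    return "signed (%s, %d-byte signature over %d bytes)" % (
        info["id_type"], info["sig_len"], info["module_len"])


if __name__ == "__main__":
    print(module_signature_status(SAMPLE_MODULE))
    print(module_signature_status(append_signature_block(SAMPLE_MODULE, SAMPLE_SIGNATURE)))
```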
Changed in linux (Ubuntu Xenial): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
description: | updated |
Launchpad Janitor (janitor) wrote : | #1 |
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Released |
Tim Gardner (timg-tpi) wrote : | #2 |
CONFIG_
Changed in linux (Ubuntu Xenial): | |
status: | Fix Released → In Progress |
Harm van Bakel (hvbakel) wrote : | #3 |
I'm not sure if this is the right venue for discussion, but ever since this change was implemented in 4.4.0-18 I have been unable to load the VirtualBox vboxdrv kernel module built through dkms (fails with 'required key not available'). I understand this is probably the intended behavior but because of a glitch in the bios or ssd firmware of my laptop the secureboot mechanism is the only way I can start Ubuntu and this has left me without an option to load custom-built modules. Is there any mechanism to sign a kernel module through dkms? How is signing of e.g. the nvidia module handled?
Tim Gardner (timg-tpi) wrote : | #4 |
linux 4.4.0-21.37 supports MOKSBState wherein you can disable secure boot in order to allow DKMS drivers. It should be released from -proposed within a day or so. If you aren't prompted to change your secure boot setting, then you can run 'sudo mokutil --disable-
Harm van Bakel (hvbakel) wrote : | #5 |
Thanks, I just gave this a shot after installing 4.4.0-21-generic #37 from -proposed but after running 'sudo mokutil --disable-
Harm van Bakel (hvbakel) wrote : | #6 |
Ok, scratch that. I had an external monitor connected and didn't realize a configure dialog appeared on reboot. After disabling validation the vboxdrv module now loads as expected.
Launchpad Janitor (janitor) wrote : | #7 |
This bug was fixed in the package linux - 4.4.0-21.37
---------------
linux (4.4.0-21.37) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1571791
* linux: MokSBState is ignored (LP: #1571691)
- SAUCE: (noup) MODSIGN: Import certificates from UEFI Secure Boot
- SAUCE: (noup) efi: Disable secure boot if shim is in insecure mode
- SAUCE: (noup) Display MOKSBState when disabled
linux (4.4.0-20.36) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1571069
* sysfs mount failure during stateful lxd snapshots (LP: #1570906)
- SAUCE: kernfs: Do not match superblock in another user namespace when
mounting
* Kernel Panic in Ubuntu 16.04 netboot installer (LP: #1570441)
- x86/topology: Fix logical package mapping
- x86/topology: Fix Intel HT disable
- x86/topology: Use total_cpus not nr_cpu_ids for logical packages
- xen/apic: Provide Xen-specific version of cpu_present_
- x86/topology: Fix AMD core count
* [regression]: Failed to call clock_adjtime(): Invalid argument
(LP: #1566465)
- ntp: Fix ADJ_SETOFFSET being used w/ ADJ_NANO
linux (4.4.0-19.35) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1570348
* CVE-2016-2847 (LP: #1554260)
- pipe: limit the per-user amount of pages allocated in pipes
* xenial kernel crash on HP BL460c G7 (qla24xx problem?) (LP: #1554003)
- SAUCE: (noup) qla2xxx: Add irq affinity notification V2
* arm64: guest hangs when ntpd is running (LP: #1549494)
- SAUCE: (noup) KVM: arm/arm64: Handle forward time correction gracefully
* linux: Enforce signed module loading when UEFI secure boot (LP: #1566221)
- [Config] CONFIG_
* s390/cpumf: Fix lpp detection (LP: #1555344)
- s390/facilities: use stfl mnemonic instead of insn magic
- s390/facilities: always use lowcore's stfle field for storing facility bits
- s390/cpumf: Fix lpp detection
* s390x kernel image needs weightwatchers (LP: #1536245)
- [Config] s390x: Use compressed kernel bzImage
* Surelock GA2 SP1: surelock02p05: Not seeing sgX devices for LUNs after
upgrading to Ubuntu 16.04 (LP: #1567581)
- Revert "UBUNTU: SAUCE: (noup) powerpc/pci: Assign fixed PHB number based on
device-tree properties"
* Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
- cpufreq: powernv: Define per_cpu chip pointer to optimize hot-path
- Revert "cpufreq: postfix policy directory with the first CPU in related_cpus"
- cpufreq: powernv: Add sysfs attributes to show throttle stats
* systemd-
- [Config] Add ib_iser to generic inclusion list
* thunderx nic performance improvements (LP: #1567093)
- net: thunderx: Set recevie buffer page usage count in bulk
- net: thunderx: Adjust nicvf structure to reduce cache misses
* fixes for thunderx nic in multiqueue mode (LP: #1567091)
- net: thunderx: Fix for multiqset not configured upon interface toggle
- net: thunderx: Fix for HW TSO not enabled for secondary qsets
- net: thund...
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Released |
Changed in linux (Ubuntu Trusty): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
Changed in linux (Ubuntu Vivid): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
Changed in linux (Ubuntu Wily): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
Tim Gardner (timg-tpi) wrote : | #8 |
Wily tested in QEMU/OVMF with signed kernel, with and without MokSBState enabled.
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Tim Gardner (timg-tpi) wrote : | #9 |
Vivid tested in QEMU/OVMF with signed kernel, with and without MokSBState enabled.
Tim Gardner (timg-tpi) wrote : | #10 |
lts-utopic and trusty tested in QEMU/OVMF with signed kernel, with and without MokSBState enabled.
Andy Whitcroft (apw) wrote : | #11 |
For completeness the userspace changes needed for this are being tracked under Bug #1574727.
Kamal Mostafa (kamalmostafa) wrote : | #12 |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: verification-needed-trusty |
tags: | added: verification-needed-vivid |
Kamal Mostafa (kamalmostafa) wrote : | #13 |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: verification-needed-wily |
Kamal Mostafa (kamalmostafa) wrote : | #14 |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: verification-done-trusty removed: verification-needed-trusty |
tags: | added: verification-done-vivid removed: verification-needed-vivid |
tags: | added: verification-done-wily removed: verification-needed-wily |
Launchpad Janitor (janitor) wrote : | #15 |
This bug was fixed in the package linux - 4.2.0-42.49
---------------
linux (4.2.0-42.49) wily; urgency=low
[ Ben Romer ]
* Release Tracking Bug
- LP: #1597053
[ Josh Boyer ]
* SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
* SAUCE: UEFI: efi: Make EFI_SECURE_
- LP: #1566221
* SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1571691
* SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1571691
[ Matthew Garrett ]
* SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
* SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
* SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
* SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
* SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
* SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
* SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
* SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
* SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221
[ Stefan Bader ]
* [Config] Add pm80xx scsi driver to d-i
- LP: #1595628
[ Tim Gardner ]
* [Config] CONFIG_
* SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1571691
* SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075
[ Upstream Kernel Changes ]
* Revert "scsi: fix soft lockup in scsi_remove_
removal"
- LP: #1592552
* ath10k: fix firmware assert in monitor mode
- LP: #1592552
* drm/i915: Fix race condition in intel_dp_
- LP: #1592552
* ath10k: fix debugfs pktlog_filter write
- LP: #1592552
* drm/i915: Call intel_dp_
- LP: #1592552
* ARM: mvebu: fix GPIO config on the Linksys boards
- LP: #1592552
* ath5k: Change led pin configuration for compaq c700 laptop
- LP: #1592552, #972604
* xfs: disallow rw remount on fs with unknown ro-compat features
- LP: #1592552
* xfs: Don't wrap growfs AGFL indexes
- LP: #1592552
* rtlwifi: rtl8723be: Add antenna select module parameter
- LP: #1592552
* rtlwifi: btcoexist: Implement antenna selection
- LP: #1592552
* drm/gma500: Fix possible out of bounds read
- LP: #1592552
* Bluetooth: vhci: fix open_timeout vs. hdev race
- LP: #1592552
* Bluetooth: vhci: purge unhandled skbs
- LP: #1592552
* cpuidle: Indicate when a device has been unregistered
- LP: #1592552
* mfd: intel_quark_
- LP: #1592552
* mfd: intel_quark_
- LP: #1592552
* [media] media: v4l2-compat-
put_
-...
Changed in linux (Ubuntu Wily): | |
status: | In Progress → Fix Released |
status: | In Progress → Fix Released |
Launchpad Janitor (janitor) wrote : | #17 |
This bug was fixed in the package linux - 3.19.0-65.73
---------------
linux (3.19.0-65.73) vivid; urgency=low
[ Ben Romer ]
* Release Tracking Bug
- LP: #1596631
[ Josh Boyer ]
* SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
* SAUCE: UEFI: efi: Make EFI_SECURE_
- LP: #1566221
* SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1571691
* SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1571691
[ Matthew Garrett ]
* SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
* SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
* SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
* SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
* SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
* SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
* SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
* SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
* SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221
[ Stefan Bader ]
* [Config] Add pm80xx scsi driver to d-i
- LP: #1595628
[ Tim Gardner ]
* [Config] CONFIG_
* SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1571691
* SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075
[ Upstream Kernel Changes ]
* HID: core: prevent out-of-bound readings
- LP: #1579190
* mm: migrate dirty page without clear_page_
- LP: #1581865
- CVE-2016-3070
-- Benjamin M Romer <email address hidden> Mon, 27 Jun 2016 12:37:48 -0400
Changed in linux (Ubuntu Vivid): | |
status: | In Progress → Fix Released |
status: | In Progress → Fix Released |
Launchpad Janitor (janitor) wrote : | #19 |
This bug was fixed in the package linux - 3.13.0-92.139
---------------
linux (3.13.0-92.139) trusty; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1597060
[ Josh Boyer ]
* SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
* SAUCE: UEFI: efi: Make EFI_SECURE_
- LP: #1566221
* SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1566221, #1571691
* SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1566221, #1571691
[ Matthew Garrett ]
* SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
* SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
* SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
* SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
* SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
* SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
* SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
* SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
* SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221
[ Stefan Bader ]
* [Config] Add pm80xx scsi driver to d-i
- LP: #1595628
[ Tim Gardner ]
* [Config] CONFIG_
* SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1566221, #1571691
* SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075
* SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility
- LP: #1593075
* [Config] CONFIG_EFI=n for arm64
- LP: #1566221
[ Upstream Kernel Changes ]
* powerpc/tm: Abort syscalls in active transactions
- LP: #1572624
* HID: core: prevent out-of-bound readings
- LP: #1579190
* efi: Add separate 32-bit/64-bit definitions
- LP: #1566221
* x86/efi: Build our own EFI services pointer table
- LP: #1566221
* mm: migrate dirty page without clear_page_
- LP: #1581865
- CVE-2016-3070
* oom_kill: change oom_kill.c to use for_each_thread()
- LP: #1592429
* oom_kill: has_intersects_
- LP: #1592429
* oom_kill: add rcu_read_lock() into find_lock_task_mm()
- LP: #1592429
* virtio_balloon: return the amount of freed memory from leak_balloon()
- LP: #1587089
* virtio_balloon: free some memory from balloon on OOM
- LP: #1587089
* virtio_ballon: change stub of release_
- LP: #1587089
* virtio_balloon: do not change memory amount visible via /proc/meminfo
- LP: #1587089
-- Kamal Mostafa <email address hidden> Tue, 28 Jun 2016 12:40:49 -0700
Changed in linux (Ubuntu Trusty): | |
status: | In Progress → Fix Released |
status: | In Progress → Fix Released |
Changed in linux (Ubuntu Trusty): | |
status: | Fix Released → In Progress |
Changed in linux (Ubuntu Trusty): | |
status: | In Progress → Fix Released |
tags: | removed: verification-done-trusty |
Seth Forshee (sforshee) wrote : | #21 |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: | added: verification-needed-trusty |
tags: | added: verification-done-xenial removed: verification-needed-trusty |
tags: | added: verification-done-trusty |
tags: | added: bot-stop-nagging |
Changed in linux (Ubuntu): | |
assignee: | Tim Gardner (timg-tpi) → Petro (petrolerouxubuntu) |
This bug was fixed in the package linux - 4.4.0-18.34
---------------
linux (4.4.0-18.34) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1566868
* [i915_bpo] Fix RC6 on SKL GT3 & GT4 (LP: #1564759)
- SAUCE: i915_bpo: drm/i915/skl: Fix rc6 based gpu/system hang
- SAUCE: i915_bpo: drm/i915/skl: Fix spurious gpu hang with gt3/gt4 revs
* CONFIG_ARCH_ROCKCHIP not enabled in armhf generic kernel (LP: #1566283)
- [Config] CONFIG_ARCH_ROCKCHIP=y
* [Feature] Memory Bandwidth Monitoring (LP: #1397880)
- perf/x86/cqm: Fix CQM handling of grouping events into a cache_group
- perf/x86/cqm: Fix CQM memory leak and notifier leak
- x86/cpufeature: Carve out X86_FEATURE_*
- Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
- x86/topology: Create logical package id
- perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init
- perf/x86/mbm: Add memory bandwidth monitoring event management
- perf/x86/mbm: Implement RMID recycling
- perf/x86/mbm: Add support for MBM counter overflow handling
* User namespace mount updates (LP: #1566505)
- SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns
- SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids
- SAUCE: fuse: Don't initialize user_id or group_id in mount options
- SAUCE: cgroup: Use a new super block when mounting in a cgroup namespace
- SAUCE: fs: fix a posible leak of allocated superblock
* [arm64] kernel BUG at /build/linux-StrpB2/linux-4.4.0/fs/ext4/inode.c:2394!
(LP: #1566518)
- arm64: Honour !PTE_WRITE in set_pte_at() for kernel mappings
- arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission
* [Feature] USB core and xHCI tasks for USB 3.1 SuperSpeedPlus (SSP) support
for Alpine Ridge on SKL (LP: #1519623)
- usb: define USB_SPEED_SUPER_PLUS speed for SuperSpeedPlus USB3.1 devices
- usb: set USB 3.1 roothub device speed to USB_SPEED_SUPER_PLUS
- usb: show speed "10000" in sysfs for USB 3.1 SuperSpeedPlus devices
- usb: add device descriptor for usb 3.1 root hub
- usb: Support USB 3.1 extended port status request
- xhci: Make sure xhci handles USB_SPEED_SUPER_PLUS devices.
- xhci: set roothub speed to USB_SPEED_SUPER_PLUS for USB3.1 capable controllers
- xhci: USB 3.1 add default Speed Attributes to SuperSpeedPlus device capability
- xhci: set slot context speed field to SuperSpeedPlus for USB 3.1 SSP devices
- usb: Add USB3.1 SuperSpeedPlus Isoc Endpoint Companion descriptor
- usb: Parse the new USB 3.1 SuperSpeedPlus Isoc endpoint companion descriptor
- usb: Add USB 3.1 Precision time measurement capability descriptor support
- xhci: refactor and cleanup endpoint initialization.
- xhci: Add SuperSpeedPlus high bandwidth isoc support to xhci endpoints
- xhci: cleanup isoc tranfers queuing code
- xhci: Support extended burst isoc TRB structure used by xhci 1.1 for USB 3.1
- SAUCE: (noup) usb: fix regression in SuperSpeed endpoint descriptor parsing
* wrong/missing permissions for device f...