2016-04-18 14:57:25 |
Tim Gardner |
bug |
|
|
added bug |
2016-04-18 14:58:07 |
Tim Gardner |
nominated for series |
|
Ubuntu Xenial |
|
2016-04-18 14:58:07 |
Tim Gardner |
bug task added |
|
Ubuntu Xenial |
|
2016-04-18 14:58:21 |
Tim Gardner |
affects |
Ubuntu Xenial |
linux (Ubuntu Xenial) |
|
2016-04-18 14:58:21 |
Tim Gardner |
linux (Ubuntu Xenial): status |
New |
In Progress |
|
2016-04-18 14:58:21 |
Tim Gardner |
linux (Ubuntu Xenial): assignee |
|
Tim Gardner (timg-tpi) |
|
2016-04-18 17:29:47 |
Tim Gardner |
description |
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled, but contained no way of disabling secure boot for DKMS. |
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled, but contained no way of disabling secure boot for DKMS.
This patch set implements the ability to disable secure boot on demand from user space (with some password shennaigans). If one boots in secure boot mode and then installs a third party module (such as DKMS), then a dialog is displayed giving the user an option to disable secure boot, thereby also disabling module signature verification. Patch 1/2 is a scaffold patch of which only the GUID macros are actually used. The rest of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series. Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3 simply prints a bit more informative state information.
Information regarding secure boot and signed module enforcement will appear in the kernel log thusly:
'Secure boot enabled' - normal secure boot operation with signed module enforcement.
'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
In the absense of a 'Secure boot' string assume that secure boot is disabled or does not exist. |
|
2016-04-18 17:41:17 |
Tim Gardner |
description |
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled, but contained no way of disabling secure boot for DKMS.
This patch set implements the ability to disable secure boot on demand from user space (with some password shennaigans). If one boots in secure boot mode and then installs a third party module (such as DKMS), then a dialog is displayed giving the user an option to disable secure boot, thereby also disabling module signature verification. Patch 1/2 is a scaffold patch of which only the GUID macros are actually used. The rest of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series. Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3 simply prints a bit more informative state information.
Information regarding secure boot and signed module enforcement will appear in the kernel log thusly:
'Secure boot enabled' - normal secure boot operation with signed module enforcement.
'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
In the absense of a 'Secure boot' string assume that secure boot is disabled or does not exist. |
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled, but contained no way of disabling secure boot for DKMS. Without this kernel patch it is possible to get your machine in an unbootable state, especially if you don't have a fallback kernel.
This patch set implements the ability to disable secure boot on demand from user space (with some password shennaigans). If one boots in secure boot mode and then installs a third party module (such as DKMS), then a dialog is displayed giving the user an option to disable secure boot, thereby also disabling module signature verification. Patch 1/2 is a scaffold patch of which only the GUID macros are actually used. The rest of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series. Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3 simply prints a bit more informative state information.
Information regarding secure boot and signed module enforcement will appear in the kernel log thusly:
'Secure boot enabled' - normal secure boot operation with signed module enforcement.
'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
In the absense of a 'Secure boot' string assume that secure boot is disabled or does not exist. |
|
2016-04-18 17:41:36 |
Tim Gardner |
description |
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled, but contained no way of disabling secure boot for DKMS. Without this kernel patch it is possible to get your machine in an unbootable state, especially if you don't have a fallback kernel.
This patch set implements the ability to disable secure boot on demand from user space (with some password shennaigans). If one boots in secure boot mode and then installs a third party module (such as DKMS), then a dialog is displayed giving the user an option to disable secure boot, thereby also disabling module signature verification. Patch 1/2 is a scaffold patch of which only the GUID macros are actually used. The rest of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series. Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3 simply prints a bit more informative state information.
Information regarding secure boot and signed module enforcement will appear in the kernel log thusly:
'Secure boot enabled' - normal secure boot operation with signed module enforcement.
'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
In the absense of a 'Secure boot' string assume that secure boot is disabled or does not exist. |
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled, but contained no way of disabling secure boot for DKMS. Without these kernel patches it is possible to get your machine in an unbootable state, especially if you don't have a fallback kernel.
This patch set implements the ability to disable secure boot on demand from user space (with some password shennaigans). If one boots in secure boot mode and then installs a third party module (such as DKMS), then a dialog is displayed giving the user an option to disable secure boot, thereby also disabling module signature verification. Patch 1/2 is a scaffold patch of which only the GUID macros are actually used. The rest of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series. Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3 simply prints a bit more informative state information.
Information regarding secure boot and signed module enforcement will appear in the kernel log thusly:
'Secure boot enabled' - normal secure boot operation with signed module enforcement.
'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
In the absense of a 'Secure boot' string assume that secure boot is disabled or does not exist. |
|
2016-04-18 18:25:58 |
Tim Gardner |
linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2016-04-19 18:39:47 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2016-04-19 18:39:47 |
Launchpad Janitor |
cve linked |
|
2016-2847 |
|
2016-06-29 16:12:14 |
Kamal Mostafa |
tags |
|
verification-needed-trusty |
|
2016-06-29 16:12:37 |
Kamal Mostafa |
tags |
verification-needed-trusty |
verification-needed-trusty verification-needed-vivid |
|
2016-06-29 16:12:57 |
Kamal Mostafa |
tags |
verification-needed-trusty verification-needed-vivid |
verification-needed-trusty verification-needed-vivid verification-needed-wily |
|
2016-07-05 14:55:02 |
Tim Gardner |
nominated for series |
|
Ubuntu Wily |
|
2016-07-05 14:55:02 |
Tim Gardner |
bug task added |
|
linux (Ubuntu Wily) |
|
2016-07-05 14:55:02 |
Tim Gardner |
nominated for series |
|
Ubuntu Vivid |
|
2016-07-05 14:55:02 |
Tim Gardner |
bug task added |
|
linux (Ubuntu Vivid) |
|
2016-07-05 14:55:12 |
Tim Gardner |
linux (Ubuntu Vivid): status |
New |
In Progress |
|
2016-07-05 14:55:17 |
Tim Gardner |
linux (Ubuntu Wily): status |
New |
In Progress |
|
2016-07-05 14:56:00 |
Tim Gardner |
nominated for series |
|
Ubuntu Trusty |
|
2016-07-05 14:56:00 |
Tim Gardner |
bug task added |
|
linux (Ubuntu Trusty) |
|
2016-07-05 14:56:09 |
Tim Gardner |
linux (Ubuntu Trusty): status |
New |
In Progress |
|
2016-07-05 15:41:50 |
Tim Gardner |
tags |
verification-needed-trusty verification-needed-vivid verification-needed-wily |
verification-done-trusty verification-needed-vivid verification-needed-wily |
|
2016-07-05 16:18:45 |
Tim Gardner |
tags |
verification-done-trusty verification-needed-vivid verification-needed-wily |
verification-done-trusty verification-done-vivid verification-needed-wily |
|
2016-07-05 16:36:46 |
Tim Gardner |
tags |
verification-done-trusty verification-done-vivid verification-needed-wily |
verification-done-trusty verification-done-vivid verification-done-wily |
|
2016-07-06 17:02:03 |
Antti Teliƶ |
bug |
|
|
added subscriber Antti Teliƶ |
2016-07-14 17:02:48 |
Launchpad Janitor |
linux (Ubuntu Wily): status |
In Progress |
Fix Released |
|
2016-07-14 17:02:48 |
Launchpad Janitor |
cve linked |
|
2016-3070 |
|
2016-07-14 17:07:57 |
Launchpad Janitor |
linux (Ubuntu Vivid): status |
In Progress |
Fix Released |
|
2016-07-14 17:13:03 |
Launchpad Janitor |
linux (Ubuntu Trusty): status |
In Progress |
Fix Released |
|
2016-08-12 17:18:56 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-security/linux-lts-wily |
|
2016-08-12 17:19:49 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-updates/linux-lts-wily |
|
2016-08-12 18:29:28 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-security/linux-lts-vivid |
|
2016-08-12 18:30:37 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/linux-lts-vivid |
|
2016-08-12 18:31:41 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-updates/linux-lts-vivid |
|
2016-10-18 15:34:40 |
Seth Forshee |
tags |
verification-done-trusty verification-done-vivid verification-done-wily |
verification-done-vivid verification-done-wily |
|
2016-10-18 16:13:06 |
Seth Forshee |
tags |
verification-done-vivid verification-done-wily |
verification-done-vivid verification-done-wily verification-needed-trusty |
|
2016-11-07 14:28:28 |
Tim Gardner |
tags |
verification-done-vivid verification-done-wily verification-needed-trusty |
verification-done-trusty verification-done-vivid verification-done-wily |
|