enable config for fixing 5.17 kernel won't load mok
Bug #1972802 reported by Ivan Hu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OEM Priority Project | Fix Released | Critical | Yuan-Chen Cheng |
linux (Ubuntu) | Fix Released | Undecided | Ivan Hu |
Jammy | Invalid | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Ivan Hu |
linux-oem-5.17 (Ubuntu) | Invalid | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Ivan Hu |
Kinetic | Invalid | Undecided | Unassigned |

Bug Description
[Impact]
MOK keys are not trusted after kernel 5.17
[Fix]
Enable the CONFIG_
"[patch] integrity: Do not load MOK and MOKx when secure boot be disabled" was added to check if secure boot is enabled for trusting the MOK key
[Test]
Enroll a MOK key and use it to sign kernel modules, make sure secure boot is on, and load the kernel module with either modprobe or insmod.
[Where problems could occur]
Low. Only affects the function that checks whether secure boot is enabled.
tags: added: oem-priority
information type: Proprietary → Public
Changed in linux (Ubuntu Jammy):
status: New → Invalid
Changed in linux-oem-5.17 (Ubuntu Kinetic):
status: New → Invalid
Changed in linux (Ubuntu Kinetic):
status: New → In Progress
Changed in linux-oem-5.17 (Ubuntu Jammy):
status: New → In Progress
Changed in linux (Ubuntu Kinetic):
assignee: nobody → Ivan Hu (ivan.hu)
Changed in linux-oem-5.17 (Ubuntu Jammy):
assignee: nobody → Ivan Hu (ivan.hu)
description: updated
tags: added: originate-from-1969557 somerville
Changed in oem-priority:
importance: Undecided → Critical
status: New → Triaged
Changed in linux-oem-5.17 (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-done-jammy
Changed in oem-priority:
status: Fix Committed → Fix Released
install 5.17-oem 1005 kernel from jammy-proposed, it's not fixed yet.
```
# grep CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT /boot/config-5.1*
/boot/config-5.17.0-1004-oem:# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
/boot/config-5.17.0-1005-oem:# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
# grep CONFIG_IMA_ARCH_POLICY /boot/config-5.1*
/boot/config-5.17.0-1004-oem:# CONFIG_IMA_ARCH_POLICY is not set
/boot/config-5.17.0-1005-oem:# CONFIG_IMA_ARCH_POLICY is not set
```
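
A repeatable form of the config check in the comment above, as an added example that is not part of the bug report or of any Ubuntu tooling. The function names (`kconfig_state`, `check_kernel_config`, `make_samples`) are hypothetical, the sample config files are constructed, and treating "both options `=y`" as the fixed state is an assumption of this example.

```shell
#!/bin/sh
# Options grepped in the comment above. Treating "both =y" as the fixed state
# is an assumption of this example, not something the bug report states.
IMA_OPTS="CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT CONFIG_IMA_ARCH_POLICY"

# kconfig_state OPTION FILE
# Prints the option's value (y, m, ...), "unset" for "# OPTION is not set",
# or "absent" when the file never mentions the option.
kconfig_state() {
    awk -v opt="$1" '
        index($0, opt "=") == 1        { state = substr($0, length(opt) + 2) }
        $0 == ("# " opt " is not set") { state = "unset" }
        END { print (state == "" ? "absent" : state) }
    ' "$2"
}

# check_kernel_config FILE
# Prints one line per option and returns non-zero unless every option is "y".
check_kernel_config() {
    rc=0
    for opt in $IMA_OPTS; do
        st=$(kconfig_state "$opt" "$1")
        printf '%s: %s -> %s\n' "$1" "$opt" "$st"
        [ "$st" = "y" ] || rc=1
    done
    return "$rc"
}

# Constructed sample configs (not taken from a real kernel package).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set' \
        '# CONFIG_IMA_ARCH_POLICY is not set' > "$dir/config-unfixed"
    printf '%s\n' 'CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y' \
        'CONFIG_IMA_ARCH_POLICY=y' > "$dir/config-fixed"
    echo "$dir"
}

samples=$(make_samples)
for f in "$samples"/config-*; do
    check_kernel_config "$f" || echo "$f: options not enabled"
done
```

On an installed system, pass a real file such as `/boot/config-$(uname -r)` to `check_kernel_config` instead of the constructed samples.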