Feature request: allow use of update-secureboot-policy for non-DKMS modules

Bug #1829029 reported by Michael Thayer
This bug affects 2 people
Affects: shim-signed (Ubuntu)

Bug Description

Already discussed by e-mail/IRC with Mathieu. We (the VirtualBox team) would like to call update-secureboot-policy to enroll a signing key when we install our host kernel modules on Ubuntu/Debian systems. However, currently the tool exits if no DKMS modules are found. This patch would add a "--force" parameter which would let us call the tool interactively as part of our installation scripts even if DKMS was not installed. Not sure how or if we should handle the new DKMS list in non-interactive mode.

ProblemType: Bug
DistroRelease: Ubuntu 19.04
Package: shim-signed 1.39+15+1533136590.3beb971-0ubuntu1
ProcVersionSignature: Ubuntu 5.0.0-13.14-generic 5.0.6
Uname: Linux 5.0.0-13-generic x86_64
.proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] Нет такого файла или каталога: '/proc/sys/kernel/moksbstate_disabled'
ApportVersion: 2.20.10-0ubuntu27
Architecture: amd64
CasperVersion: 1.405
CurrentDesktop: ubuntu:GNOME
Date: Tue May 14 16:56:38 2019
 Mai 13 11:05:20 michael-ThinkPad-T470 kernel: efi: EFI v2.50 by Lenovo
 Mai 13 11:05:20 michael-ThinkPad-T470 kernel: efi: SMBIOS=0x9a6d8000 SMBIOS 3.0=0x9a6d5000 ACPI=0x9b5fe000 ACPI 2.0=0x9b5fe014 ESRT=0x9a5a2000 MEMATTR=0x9532e298 TPMEventLog=0x8e96d018
 Mai 13 11:05:20 michael-ThinkPad-T470 kernel: secureboot: Secure boot enabled
 Mai 13 11:05:20 michael-ThinkPad-T470 kernel: esrt: Reserving ESRT space from 0x000000009a5a2000 to 0x000000009a5a2088.
 Mai 13 11:05:21 michael-ThinkPad-T470 kernel: Bluetooth: hci0: Secure boot is enabled
InstallationDate: Installed on 2018-06-12 (335 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
LiveMediaBuild: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
SecureBoot: 6 0 0 0 1
SourcePackage: shim-signed
UpgradeStatus: Upgraded to disco on 2019-03-26 (49 days ago)

Michael Thayer (michael-thayer) wrote :
Michael Thayer (michael-thayer) wrote :
description: updated
Michael Thayer (michael-thayer) wrote :

By the way, I know that we could get this by just using DKMS for our modules (and we could still do that if we absolutely had to), but we prefer not to. The reason for this is that not all distributions that we target support DKMS, so we still need to provide our home-grown DKMS replacement. We used to support DKMS as well, but because DKMS occasionally went wrong on users' systems, often enough to cause us additional support work, we decided to drop it.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "First suggested patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Changed in shim-signed (Ubuntu):
status: New → Triaged
importance: Undecided → Wishlist