linux: MokSBState is ignored
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Tim Gardner |
Trusty | Fix Released | Undecided | Unassigned |
Vivid | Fix Released | Undecided | Unassigned |
Wily | Fix Released | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Tim Gardner |
Bug Description
Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled, but contained no way of disabling secure boot for DKMS. Without these kernel patches it is possible to get your machine in an unbootable state, especially if you don't have a fallback kernel.
This patch set implements the ability to disable secure boot on demand from user space (with some password shenanigans). If one boots in secure boot mode and then installs a third party module (such as DKMS), then a dialog is displayed giving the user an option to disable secure boot, thereby also disabling module signature verification. Patch 1/2 is a scaffold patch of which only the GUID macros are actually used. The rest of the code is fenced by CONFIG_
Information regarding secure boot and signed module enforcement will appear in the kernel log thusly:
'Secure boot enabled' - normal secure boot operation with signed module enforcement.
'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.
In the absence of a 'Secure boot' string assume that secure boot is disabled or does not exist.
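The three kernel-log states described above can be checked from a saved kernel log, as in this added example, which is not part of the bug report or the kernel patches. The function names, the return labels, and the use of the kernel's "Linux version" banner to isolate the latest boot are assumptions of this example, and the sample log lines are constructed.

```python
import re

# Strings quoted in the bug description.
ENFORCING = "Secure boot enabled"
OVERRIDDEN = "Secure boot MOKSBState disabled"

# Assumption: each boot in a persistent kernel log begins with the
# kernel's "Linux version ..." banner, so it marks a boot boundary.
BOOT_BANNER = re.compile(r"^.*\bLinux version \S+", re.MULTILINE)


def latest_boot(log_text):
    """Return only the part of log_text that belongs to the most recent boot."""
    starts = [m.start() for m in BOOT_BANNER.finditer(log_text)]
    return log_text[starts[-1]:] if starts else log_text


def module_enforcement_state(log_text):
    """Classify signed-module enforcement for the latest boot in log_text.

    Returns 'enforcing', 'overridden-by-moksbstate' or 'not-enforcing'.
    """
    boot = latest_boot(log_text)
    # Check the override first: firmware Secure Boot is on, but module
    # signatures are not enforced, which is the case worth flagging.
    if OVERRIDDEN in boot:
        return "overridden-by-moksbstate"
    if ENFORCING in boot:
        return "enforcing"
    # No 'Secure boot' string: disabled or not present, per the description.
    return "not-enforcing"


# Constructed sample: two boots, the later one with the MOKSBState override.
SAMPLE_LOG = """\
[    0.000000] Linux version x.y.z-constructed
[    0.000000] Secure boot enabled
[    0.000000] Linux version x.y.z-constructed
[    0.000000] Secure boot MOKSBState disabled
"""

if __name__ == "__main__":
    print(module_enforcement_state(SAMPLE_LOG))
```

Hosts that report `overridden-by-moksbstate` still have UEFI Secure Boot enabled in firmware but will load unsigned modules, so they are the ones to review against policy.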
affects: | Ubuntu Xenial → linux (Ubuntu Xenial) |
Changed in linux (Ubuntu Xenial): | |
assignee: | nobody → Tim Gardner (timg-tpi) |
status: | New → In Progress |
description: | updated |
Changed in linux (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Vivid): | |
status: | New → In Progress |
Changed in linux (Ubuntu Wily): | |
status: | New → In Progress |
Changed in linux (Ubuntu Trusty): | |
status: | New → In Progress |
tags: |
added: verification-done-trusty removed: verification-needed-trusty |
tags: |
added: verification-done-vivid removed: verification-needed-vivid |
tags: |
added: verification-done-wily removed: verification-needed-wily |
tags: | removed: verification-done-trusty |
tags: |
added: verification-done-trusty removed: verification-needed-trusty |
Tested using a Qemu instance with ovmf installed. Looks to be doing what is expected.