the proc handler does:
secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
this feature flag is set at boot:
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot == EFI_SECURE_BOOT) {
set_bit(EFI_SECURE_BOOT, &efi.flags);
enforce_signed_modules();
pr_info("Secure boot enabled\n");
}
And since I don't see the pr_info, nor the flag, nor the module
enforcement, the boot_params is probably missing?
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658255
Title:
Kernel not enforcing module signatures under SecureBoot
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Yakkety:
In Progress
Status in linux source package in Zesty:
In Progress
Bug description:
$ sudo mokutil --sbstate
SecureBoot enabled
$ cat /proc/sys/kernel/moksbstate_disabled
0
$ sudo insmod ./hello.ko
$ echo $?
0
$ dmesg | grep Hello
[00112.530866] Hello, world!
$ strings /lib/modules/$(uname -r)/kernel/lib/test_module.ko | grep signature
~Module signature appended~
$ strings hello.ko | grep signature
$ uname -r
4.8.0-34-generic
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658255/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
