Verification-done on trusty:

dkms/2.2.0.3-1.1ubuntu5.14.04.10
shim-signed/1.33.1~14.04.4

I've installed bbswitch on a test UEFI system, rebooted to disable
validation in shim; then upgraded to the new packages and could verify
that shim validation was re-enabled and a MOK was enrolled in the
firmware, as expected.

ubuntu@ubuntu:~$ dpkg -l dkms shim-signed |cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                  Version                               Architecture Description
+++-=====================================-=========================================-============-===============================================================================
ii  dkms                                  2.2.0.3-1.1ubuntu5.14.04.10           all          Dynamic Kernel Module Support Framework
ii  shim-signed                           1.33.1~14.04.4+13-0ubuntu2            amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo modprobe bbswitch
[sudo] password for ubuntu: 
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:~$ dmesg | tail
[   15.292736] audit: type=1400 audit(1550085342.906:10): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[   15.293018] audit: type=1400 audit(1550085342.906:11): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.action" pid=1019 comm="apparmor_parser"
[   15.293020] audit: type=1400 audit(1550085342.906:12): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[   15.293167] audit: type=1400 audit(1550085342.906:13): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/lib/connman/scripts/dhclient-script" pid=1019 comm="apparmor_parser"
[   15.293785] audit: type=1400 audit(1550085342.906:14): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=1021 comm="apparmor_parser"
[   15.422442] init: plymouth-upstart-bridge main process ended, respawning
[   20.034883] random: nonblocking pool is initialized
[   79.588877] bbswitch: version 0.7
[   79.588891] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[   79.588901] bbswitch: No discrete VGA device found


** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1748983

Title:
  Generate per-machine MOK for dkms signing

Status in dkms package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Committed
Status in shim-signed source package in Trusty:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Committed
Status in shim-signed source package in Xenial:
  Fix Committed

Bug description:
  [SRU Justification]
  Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether.

  [Test case]
  1) Install Ubuntu in UEFI mode.
  2) Install bbswitch-dkms (or another -dkms package if useful on your system).
  3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot).
  4) Reboot; follow the steps in MokManager:
  4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so.
  4b) If a dkms package was previously installed on the system (so Secure Boot is currently disabled in shim), pick "Change Secure Boot state". Follow the prompts to enter password characters. The option will only show up if Secure Boot validation was found to be disabled.
  5) Pick "Reboot".
  6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>".
  7) Run 'modprobe <module>' to validate that the module can be loaded explicitly.
  8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys.

  [Regression potential]
  If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load.

  ---

  shim-signed's update-secureboot-policy should allow creating a
  machine-owner key, and using this for signing kernel modules built via
  DKMS. Key generation and enrolling should be made as easy as possible
  for users.
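Added example, not part of the bug report or of the dkms/shim-signed packages: a shell check for steps 6-8 of the test case above, confirming that a module's sig_key (for PKCS#7 signatures, the signing certificate's serial number) matches the serial of an enrolled MOK and that dmesg carries no signing-key errors. It parses constructed sample text shaped like the output of modinfo, mokutil --list-enrolled and dmesg; the serial and fingerprint values and the helper names are assumptions.

```shell
#!/bin/sh
# Added example: verify a dkms module is signed by an enrolled MOK.
# On a real machine feed the output of 'modinfo <module>',
# 'mokutil --list-enrolled' and 'dmesg' instead of the samples below.

# Serial numbers of enrolled MOK certificates as upper-case colon-hex
# (openssl prints a long serial on the line after "Serial Number:").
mok_serials() {
    awk '/^ *Serial Number:/ { if ($3 != "") print $3; else { getline; print $1 } }' |
        tr 'a-z' 'A-Z'
}

# sig_key field from 'modinfo' output, upper-cased to match mok_serials.
module_sig_key() {
    awk '$1 == "sig_key:" { print $2 }' | tr 'a-z' 'A-Z'
}

# Exit 0 if the dmesg text contains module signature/key errors.
dmesg_key_errors() {
    grep -Eq 'Key was rejected|module verification failed|required key not available'
}

# verify_module_trust MODINFO_TEXT MOKLIST_TEXT DMESG_TEXT -> 0 if trusted
verify_module_trust() {
    key=$(printf '%s\n' "$1" | module_sig_key)
    if [ -z "$key" ]; then echo "module is unsigned"; return 1; fi
    if ! printf '%s\n' "$2" | mok_serials | grep -qxF "$key"; then
        echo "sig_key $key matches no enrolled MOK"; return 1
    fi
    if printf '%s\n' "$3" | dmesg_key_errors; then
        echo "dmesg reports signing-key errors"; return 1
    fi
    echo "module signed by enrolled MOK, no key errors in dmesg"
}

# Constructed samples; serial and fingerprint values are made up.
MODINFO_SAMPLE='signer:         ubuntu Secure Boot Module Signature key
sig_key:        5A:2C:7E:19:0B:44:D1:8F:63:AA:90:C2:3E:55:71:0D:BE:24:F8:61
sig_hashalgo:   sha512'
MOK_LIST_SAMPLE='[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd:ee:ff:01:02:03:04
Certificate:
    Data:
        Serial Number:
            5a:2c:7e:19:0b:44:d1:8f:63:aa:90:c2:3e:55:71:0d:be:24:f8:61
        Issuer: CN=ubuntu Secure Boot Module Signature key'
DMESG_OK_SAMPLE='[   79.588877] bbswitch: version 0.7'
DMESG_BAD_SAMPLE='[   80.102431] bbswitch: module verification failed: signature and/or required key missing - tainting kernel'
```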
