[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-11-07 Thread Tim Gardner
** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1571691

Title:
  linux: MokSBState is ignored

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  Ubuntu-4.4.0-20.36 was released with signed module enforcement
  enabled, but contained no way of disabling secure boot for DKMS.
  Without these kernel patches it is possible to get your machine in an
  unbootable state, especially if you don't have a fallback kernel.

  This patch set implements the ability to disable secure boot on demand
  from user space (with some password shenanigans). If one boots in
  secure boot mode and then installs a third party module (such as
  DKMS), then a dialog is displayed giving the user an option to disable
  secure boot, thereby also disabling module signature verification.
  Patch 1/2 is a scaffold patch of which only the GUID macros are
  actually used. The rest of the code is fenced by
  CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series.
  Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3
  simply prints a bit more informative state information.

  Information regarding secure boot and signed module enforcement will
  appear in the kernel log thusly:

  'Secure boot enabled' - normal secure boot operation with signed module
  enforcement.
  'Secure boot MOKSBState disabled' - UEFI Secure boot state has been
  over-ridden by MOKSBState. No signed module enforcement.

  In the absence of a 'Secure boot' string assume that secure boot is
  disabled or does not exist.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1571691/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
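
The bug description above names two kernel log strings and says what their absence means. The following is an added example, not code from the bug report or the Ubuntu kernel patches, that classifies a kernel log by those strings; the function names, state labels and sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a kernel log by the two message strings quoted
# in the bug description. Function names and state labels are hypothetical.

# Read a kernel log on stdin and print exactly one state label:
#   enforcing      'Secure boot enabled' seen, no MOKSBState override
#   mok-disabled   'Secure boot MOKSBState disabled' seen
#   off-or-absent  no 'Secure boot' string at all
# Feed it the log of a single boot: if a multi-boot log contains both
# strings, the override is reported, which is the conservative answer.
classify_secure_boot() {
    awk '
        /Secure boot MOKSBState disabled/ { mok = 1 }
        /Secure boot enabled/             { sb = 1 }
        END {
            # The description says MOKSBState over-rides the UEFI state,
            # so the override takes precedence over the plain message.
            if (mok)     print "mok-disabled"
            else if (sb) print "enforcing"
            else         print "off-or-absent"
        }'
}

# Exit status 0 only when signed module enforcement is in effect,
# so it can gate a compliance check:  dmesg | modules_enforced
modules_enforced() {
    [ "$(classify_secure_boot)" = "enforcing" ]
}

# Constructed sample logs. Timestamps and the neighbouring lines are
# made up; only the quoted 'Secure boot ...' strings come from the page.
sample_enforcing() {
    printf '%s\n' \
        '[    0.000000] Linux version 4.4.0-generic (constructed)' \
        '[    0.000000] Secure boot enabled' \
        '[    1.234567] EXT4-fs (sda1): mounted filesystem'
}

sample_mok_disabled() {
    printf '%s\n' \
        '[    0.000000] Linux version 4.4.0-generic (constructed)' \
        '[    0.000000] Secure boot MOKSBState disabled' \
        '[    1.234567] EXT4-fs (sda1): mounted filesystem'
}

sample_no_string() {
    printf '%s\n' \
        '[    0.000000] Linux version 4.4.0-generic (constructed)' \
        '[    1.234567] EXT4-fs (sda1): mounted filesystem'
}
```

A host that reports `mok-disabled` booted through a Secure Boot firmware path but loads unsigned modules, which is the state worth flagging in a fleet audit.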


[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-10-18 Thread Seth Forshee
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-trusty



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-10-18 Thread Seth Forshee
** Tags removed: verification-done-trusty



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-07-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-92.139

---
linux (3.13.0-92.139) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
- LP: #1597060

  [ Josh Boyer ]

  * SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
  * SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
- LP: #1566221
  * SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1566221, #1571691
  * SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1566221, #1571691

  [ Matthew Garrett ]

  * SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
  * SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
  * SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
  * SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
  * SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
  * SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
  * SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
  * SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
  * SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221

  [ Stefan Bader ]

  * [Config] Add pm80xx scsi driver to d-i
- LP: #1595628

  [ Tim Gardner ]

  * [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
  * SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1566221, #1571691
  * SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075
  * SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility
- LP: #1593075
  * [Config] CONFIG_EFI=n for arm64
- LP: #1566221

  [ Upstream Kernel Changes ]

  * powerpc/tm: Abort syscalls in active transactions
- LP: #1572624
  * HID: core: prevent out-of-bound readings
- LP: #1579190
  * efi: Add separate 32-bit/64-bit definitions
- LP: #1566221
  * x86/efi: Build our own EFI services pointer table
- LP: #1566221
  * mm: migrate dirty page without clear_page_dirty_for_io etc
- LP: #1581865
- CVE-2016-3070
  * oom_kill: change oom_kill.c to use for_each_thread()
- LP: #1592429
  * oom_kill: has_intersects_mems_allowed() needs rcu_read_lock()
- LP: #1592429
  * oom_kill: add rcu_read_lock() into find_lock_task_mm()
- LP: #1592429
  * virtio_balloon: return the amount of freed memory from leak_balloon()
- LP: #1587089
  * virtio_balloon: free some memory from balloon on OOM
- LP: #1587089
  * virtio_ballon: change stub of release_pages_by_pfn
- LP: #1587089
  * virtio_balloon: do not change memory amount visible via /proc/meminfo
- LP: #1587089

 -- Kamal Mostafa   Tue, 28 Jun 2016 12:40:49 -0700

** Changed in: linux (Ubuntu Trusty)
   Status: In Progress => Fix Released


[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-07-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.19.0-65.73

---
linux (3.19.0-65.73) vivid; urgency=low

  [ Ben Romer ]

  * Release Tracking Bug
- LP: #1596631

  [ Josh Boyer ]

  * SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
  * SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
- LP: #1566221
  * SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1571691
  * SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1571691

  [ Matthew Garrett ]

  * SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
  * SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
  * SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
  * SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
  * SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
  * SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
  * SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
  * SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
  * SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221

  [ Stefan Bader ]

  * [Config] Add pm80xx scsi driver to d-i
- LP: #1595628

  [ Tim Gardner ]

  * [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
  * SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1571691
  * SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075

  [ Upstream Kernel Changes ]

  * HID: core: prevent out-of-bound readings
- LP: #1579190
  * mm: migrate dirty page without clear_page_dirty_for_io etc
- LP: #1581865
- CVE-2016-3070

 -- Benjamin M Romer   Mon, 27 Jun 2016 12:37:48 -0400

** Changed in: linux (Ubuntu Vivid)
   Status: In Progress => Fix Released



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-07-14 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.2.0-42.49

---
linux (4.2.0-42.49) wily; urgency=low

  [ Ben Romer ]

  * Release Tracking Bug
- LP: #1597053

  [ Josh Boyer ]

  * SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
  * SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
- LP: #1566221
  * SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1571691
  * SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1571691

  [ Matthew Garrett ]

  * SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
  * SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
  * SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
  * SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
  * SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
  * SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
  * SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
  * SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
  * SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221

  [ Stefan Bader ]

  * [Config] Add pm80xx scsi driver to d-i
- LP: #1595628

  [ Tim Gardner ]

  * [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
  * SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1571691
  * SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075

  [ Upstream Kernel Changes ]

  * Revert "scsi: fix soft lockup in scsi_remove_target() on module
removal"
- LP: #1592552
  * ath10k: fix firmware assert in monitor mode
- LP: #1592552
  * drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
- LP: #1592552
  * ath10k: fix debugfs pktlog_filter write
- LP: #1592552
  * drm/i915: Call intel_dp_mst_resume() before resuming displays
- LP: #1592552
  * ARM: mvebu: fix GPIO config on the Linksys boards
- LP: #1592552
  * ath5k: Change led pin configuration for compaq c700 laptop
- LP: #1592552, #972604
  * xfs: disallow rw remount on fs with unknown ro-compat features
- LP: #1592552
  * xfs: Don't wrap growfs AGFL indexes
- LP: #1592552
  * rtlwifi: rtl8723be: Add antenna select module parameter
- LP: #1592552
  * rtlwifi: btcoexist: Implement antenna selection
- LP: #1592552
  * drm/gma500: Fix possible out of bounds read
- LP: #1592552
  * Bluetooth: vhci: fix open_timeout vs. hdev race
- LP: #1592552
  * Bluetooth: vhci: purge unhandled skbs
- LP: #1592552
  * cpuidle: Indicate when a device has been unregistered
- LP: #1592552
  * mfd: intel_quark_i2c_gpio: Use clkdev_create()
- LP: #1592552
  * mfd: intel_quark_i2c_gpio: Remove clock tree on error path
- LP: #1592552
  * [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in
put_v4l2_create32
- LP: #1592552
  * scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
- LP: #1592552
  * drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C
- LP: #1592552
  * usb: f_mass_storage: test whether thread is running before starting
another
- LP: #1592552
  * hwmon: (ads7828) Enable internal reference
- LP: #1592552
  * ath10k: fix rx_channel during hw reconfigure
- LP: #1592552
  * Bluetooth: vhci: Fix race at creating hci device
- LP: #1592552
  * powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
- LP: #1592552
  * PM / Runtime: Fix error path in pm_runtime_force_resume()
- LP: #1592552
  * crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
- LP: #1592552
  * ath9k: Add a module parameter to invert LED polarity.
- LP: #1592552
  * ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
- LP: #1592552
  * pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
- LP: #1592552
  * btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in
btrfs_ioctl
- LP: #1592552
  * serial: 8250_pci: fix divide error bug if baud rate is 0
- LP: #1592552
  * TTY: n_gsm, fix false positive WARN_ON
- LP: #1592552
  * staging: comedi: das1800: fix possible NULL dereference
- LP: #1592552
  * arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
- LP: #1592552
  * KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset
- LP: #1592552
  * aacraid: Relinquish CPU during timeout wait
- LP: #1592552
  * aacraid: Fix for aac_command_thread hang
- LP: #1592552
  * aacraid: Fix for KDUMP driver hang
- LP: #1592552
  * ext4: fix hang when processing corrupted orphaned inode list
- LP: #1592552
  * 

[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-07-05 Thread Tim Gardner
** Tags removed: verification-needed-wily
** Tags added: verification-done-wily

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  In Progress
Status in linux source package in Vivid:
  In Progress
Status in linux source package in Wily:
  In Progress
Status in linux source package in Xenial:
  Fix Released



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-07-05 Thread Tim Gardner
** Tags removed: verification-needed-vivid
** Tags added: verification-done-vivid



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-07-05 Thread Tim Gardner
** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-07-05 Thread Tim Gardner
** Also affects: linux (Ubuntu Wily)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Vivid)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Vivid)
   Status: New => In Progress

** Changed in: linux (Ubuntu Wily)
   Status: New => In Progress

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Trusty)
   Status: New => In Progress



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-06-29 Thread Kamal Mostafa
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released

Bug description:
  Ubuntu-4.4.0-20.36 was released with signed module enforcement
  enabled, but contained no way of disabling secure boot for DKMS.
  Without these kernel patches it is possible to get your machine in an
  unbootable state, especially if you don't have a fallback kernel.

  This patch set implements the ability to disable secure boot on demand
  from user space (with some password shennaigans). If one boots in
  secure boot mode and then installs a third party module (such as
  DKMS), then a dialog is displayed giving the user an option to disable
  secure boot, thereby also disabling module signature verification.
  Patch 1/2 is a scaffold patch of which only the GUID macros are
  actually used. The rest of the code is fenced by
  CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series.
  Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3
  simply prints a bit more informative state information.

  Information regarding secure boot and signed module enforcement will
  appear in the kernel log thusly:

  'Secure boot enabled' - normal secure boot operation with signed module 
enforcement.
  'Secure boot MOKSBState disabled' - UEFI Secure boot state has been 
over-ridden by MOKSBState. No signed module enforcement.

  In the absense of a 'Secure boot' string assume that secure boot is
  disabled or does not exist.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1571691/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-06-29 Thread Kamal Mostafa
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-wily



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-06-29 Thread Kamal Mostafa
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-trusty

** Tags added: verification-needed-vivid



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-06-09 Thread Vdragon
@adubinsky
Make sure you have efivarfs mounted read-write and the mokutil command is run 
with root permission.



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-05-24 Thread Aleksandr Dubinsky
`mokutil --disable-validation` doesn't work for me. It gave the same
"Failed to request new MokSB state" message, but upon reboot I did not
get any prompt to re-enter the password. Had to disable secureboot in
the bios.

Why was this even enabled when Canonical-provided drivers like
nvidia-361 don't have signatures? Ridiculous.



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-05-03 Thread Tim Gardner
Yes, that message indicates that your kernel is _not_ in secure boot
mode, i.e., it _will_ load any (appropriately compiled) module.

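The three kernel-log states from the bug description, as a check that could be run across hosts to find machines where MOKSBState has switched off signed module enforcement. This is an added example, not part of the thread or of the Ubuntu kernel patches; the function names, the constructed sample log, the use of the "Linux version" banner as a boot boundary, and the rule that the MOKSBState line wins when both strings appear are assumptions.

```shell
#!/bin/sh
# Classify signed-module enforcement for the most recent boot found in a
# kernel log read from stdin (for example `dmesg` output or kern.log).
# Prints exactly one of:
#   enforced       'Secure boot enabled' was logged
#   mok-disabled   'Secure boot MOKSBState disabled' was logged
#   off-or-absent  no 'Secure boot' string at all
sb_enforcement_state() {
    awk '
        # A "Linux version" banner starts a new boot. Reset the flags so
        # that only the latest boot in a multi-boot log decides the result.
        /Linux version /                  { enabled = 0; mok = 0 }
        /Secure boot MOKSBState disabled/ { mok = 1 }
        /Secure boot enabled/             { enabled = 1 }
        END {
            # Assumption: if both strings appear in one boot, the
            # MOKSBState override takes precedence.
            if (mok)          print "mok-disabled"
            else if (enabled) print "enforced"
            else              print "off-or-absent"
        }
    '
}

# Succeeds only when the latest boot logged normal secure boot operation,
# so it can gate a compliance job: anything else is reported as a failure.
sb_require_enforced() {
    [ "$(sb_enforcement_state)" = "enforced" ]
}

# Constructed sample: two boots in one log. The first boot enforces module
# signatures, the second was started after MOKSBState was set.
SAMPLE_KERN_LOG='[    0.000000] Linux version 4.4.0-21-generic (constructed sample)
[    0.000000] Secure boot enabled
[    0.000000] Linux version 4.4.0-21-generic (constructed sample)
[    0.000000] Secure boot MOKSBState disabled'

# Demo on the constructed sample; on a real host pipe `dmesg` in instead.
printf '%s\n' "$SAMPLE_KERN_LOG" | sb_enforcement_state
```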


[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-28 Thread Pavel Rojtberg
re-read the initial description.
So if I get "[0.00] Secure boot MOKSBState disabled", this is exactly 
what I want?



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-28 Thread Pavel Rojtberg
1. asks for a password
2. Setting SB State Failed
3. nothing says I should reboot
4. upon reboot configuration screen pops up and asks random characters from the 
password entered before
5. allows me to disable verification

in case the above is the correct user story, I have the following
remark:

this seems to disable all verification after shim. Before the change the kernel
was still verified and only the modules were not.
Therefore I would say things were more secure before.

Is it possible to just disable signed module enforcement again?



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-23 Thread Tim Gardner
Try 'sudo apt-get install mokutil; sudo mokutil --disable-validation'



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-23 Thread Pavel Rojtberg
I have issues with this on trusty. 
The log says "Secure boot enabled" and consequently the nvidia DKMS module can 
not be loaded.

At which point should I have been asked to select the secure boot
behavior?



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-19 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-21.37

---
linux (4.4.0-21.37) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1571791

  * linux: MokSBState is ignored (LP: #1571691)
    - SAUCE: (noup) MODSIGN: Import certificates from UEFI Secure Boot
    - SAUCE: (noup) efi: Disable secure boot if shim is in insecure mode
    - SAUCE: (noup) Display MOKSBState when disabled

linux (4.4.0-20.36) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1571069

  * sysfs mount failure during stateful lxd snapshots (LP: #1570906)
    - SAUCE: kernfs: Do not match superblock in another user namespace when
      mounting

  * Kernel Panic in Ubuntu 16.04 netboot installer (LP: #1570441)
    - x86/topology: Fix logical package mapping
    - x86/topology: Fix Intel HT disable
    - x86/topology: Use total_cpus not nr_cpu_ids for logical packages
    - xen/apic: Provide Xen-specific version of cpu_present_to_apicid APIC op
    - x86/topology: Fix AMD core count

  * [regression]: Failed to call clock_adjtime(): Invalid argument
    (LP: #1566465)
    - ntp: Fix ADJ_SETOFFSET being used w/ ADJ_NANO

linux (4.4.0-19.35) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1570348

  * CVE-2016-2847 (LP: #1554260)
    - pipe: limit the per-user amount of pages allocated in pipes

  * xenial kernel crash on HP BL460c G7 (qla24xx problem?) (LP: #1554003)
    - SAUCE: (noup) qla2xxx: Add irq affinity notification V2

  * arm64: guest hangs when ntpd is running (LP: #1549494)
    - SAUCE: (noup) KVM: arm/arm64: Handle forward time correction gracefully

  * linux: Enforce signed module loading when UEFI secure boot (LP: #1566221)
    - [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y

  * s390/cpumf: Fix lpp detection (LP: #1555344)
    - s390/facilities: use stfl mnemonic instead of insn magic
    - s390/facilities: always use lowcore's stfle field for storing facility
      bits
    - s390/cpumf: Fix lpp detection

  * s390x kernel image needs weightwatchers (LP: #1536245)
    - [Config] s390x: Use compressed kernel bzImage

  * Surelock GA2 SP1: surelock02p05: Not seeing sgX devices for LUNs after
    upgrading to Ubuntu 16.04 (LP: #1567581)
    - Revert "UBUNTU: SAUCE: (noup) powerpc/pci: Assign fixed PHB number based
      on device-tree properties"

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
    - cpufreq: powernv: Define per_cpu chip pointer to optimize hot-path
    - Revert "cpufreq: postfix policy directory with the first CPU in
      related_cpus"
    - cpufreq: powernv: Add sysfs attributes to show throttle stats

  * systemd-modules-load.service: Failing due to missing module 'ib_iser'
    (LP: #1566468)
    - [Config] Add ib_iser to generic inclusion list

  * thunderx nic performance improvements (LP: #1567093)
    - net: thunderx: Set recevie buffer page usage count in bulk
    - net: thunderx: Adjust nicvf structure to reduce cache misses

  * fixes for thunderx nic in multiqueue mode (LP: #1567091)
    - net: thunderx: Fix for multiqset not configured upon interface toggle
    - net: thunderx: Fix for HW TSO not enabled for secondary qsets
    - net: thunderx: Fix receive packet stats

  * Miscellaneous Ubuntu changes
    - [Config] updateconfigs after CONFIG_DRM_I915_BPO_PRELIMINARY_HW_SUPPORT=n

  * Miscellaneous upstream changes (LP: #1564901)
    - Input: xpad - correctly handle concurrent LED and FF requests

 -- Tim Gardner  Mon, 18 Apr 2016 07:00:22 -0600

** Changed in: linux (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2847


[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-18 Thread Tim Gardner
** Changed in: linux (Ubuntu Xenial)
   Status: In Progress => Fix Committed

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-18 Thread Tim Gardner
Tested using a Qemu instance with ovmf installed. Looks to be doing what
is expected.

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress



[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-18 Thread Tim Gardner
** Description changed:

  Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled,
- but contained no way of disabling secure boot for DKMS.
+ but contained no way of disabling secure boot for DKMS. Without this
+ kernel patch it is possible to get your machine in an unbootable state,
+ especially if you don't have a fallback kernel.
  
  This patch set implements the ability to disable secure boot on demand
  from user space (with some password shennaigans). If one boots in secure
  boot mode and then installs a third party module (such as DKMS), then a
  dialog is displayed giving the user an option to disable secure boot,
  thereby also disabling module signature verification. Patch 1/2 is a
  scaffold patch of which only the GUID macros are actually used. The rest
  of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be
  enabled until a later series. Patch 2/2 is where MOKSBState is read and
  implemented. Patch 3/3 simply prints a bit more informative state
  information.
  
  Information regarding secure boot and signed module enforcement will
  appear in the kernel log thusly:
  
  'Secure boot enabled' - normal secure boot operation with signed module 
enforcement.
  'Secure boot MOKSBState disabled' - UEFI Secure boot state has been 
over-ridden by MOKSBState. No signed module enforcement.
  
  In the absense of a 'Secure boot' string assume that secure boot is
  disabled or does not exist.

** Description changed:

  Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled,
- but contained no way of disabling secure boot for DKMS. Without this
- kernel patch it is possible to get your machine in an unbootable state,
- especially if you don't have a fallback kernel.
+ but contained no way of disabling secure boot for DKMS. Without these
+ kernel patches it is possible to get your machine in an unbootable
+ state, especially if you don't have a fallback kernel.
  
  This patch set implements the ability to disable secure boot on demand
  from user space (with some password shennaigans). If one boots in secure
  boot mode and then installs a third party module (such as DKMS), then a
  dialog is displayed giving the user an option to disable secure boot,
  thereby also disabling module signature verification. Patch 1/2 is a
  scaffold patch of which only the GUID macros are actually used. The rest
  of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be
  enabled until a later series. Patch 2/2 is where MOKSBState is read and
  implemented. Patch 3/3 simply prints a bit more informative state
  information.
  
  Information regarding secure boot and signed module enforcement will
  appear in the kernel log thusly:
  
  'Secure boot enabled' - normal secure boot operation with signed module 
enforcement.
  'Secure boot MOKSBState disabled' - UEFI Secure boot state has been 
over-ridden by MOKSBState. No signed module enforcement.
  
  In the absense of a 'Secure boot' string assume that secure boot is
  disabled or does not exist.


Title:
  linux: MokSBState is ignored

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress


[Kernel-packages] [Bug 1571691] Re: linux: MokSBState is ignored

2016-04-18 Thread Tim Gardner
** Description changed:

  Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled,
  but contained no way of disabling secure boot for DKMS.
+ 
+ This patch set implements the ability to disable secure boot on demand
+ from user space (with some password shennaigans). If one boots in secure
+ boot mode and then installs a third party module (such as DKMS), then a
+ dialog is displayed giving the user an option to disable secure boot,
+ thereby also disabling module signature verification. Patch 1/2 is a
+ scaffold patch of which only the GUID macros are actually used. The rest
+ of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be
+ enabled until a later series. Patch 2/2 is where MOKSBState is read and
+ implemented. Patch 3/3 simply prints a bit more informative state
+ information.
+ 
+ Information regarding secure boot and signed module enforcement will
+ appear in the kernel log thusly:
+ 
+ 'Secure boot enabled' - normal secure boot operation with signed module 
enforcement.
+ 'Secure boot MOKSBState disabled' - UEFI Secure boot state has been 
over-ridden by MOKSBState. No signed module enforcement.
+ 
+ In the absense of a 'Secure boot' string assume that secure boot is
+ disabled or does not exist.
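Review bot: the added paragraph numbers the series inconsistently ("Patch 1/2", "Patch 2/2", then "Patch 3/3"), so a reader cannot tell whether the set has two or three patches; if three are being submitted, label them 1/3, 2/3 and 3/3. The added lines also misspell "shenanigans" ("shennaigans") and "absence" ("absense").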


Title:
  linux: MokSBState is ignored

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Xenial:
  In Progress

Bug description:
  Ubuntu-4.4.0-20.36 was released with signed module enforcement
  enabled, but contained no way of disabling secure boot for DKMS.

  This patch set implements the ability to disable secure boot on demand
  from user space (with some password shenanigans). If one boots in
  secure boot mode and then installs a third party module (such as
  DKMS), then a dialog is displayed giving the user an option to disable
  secure boot, thereby also disabling module signature verification.
  Patch 1/2 is a scaffold patch of which only the GUID macros are
  actually used. The rest of the code is fenced by
  CONFIG_MODULE_SIG_UEFI which will not be enabled until a later series.
  Patch 2/2 is where MOKSBState is read and implemented. Patch 3/3
  simply prints a bit more informative state information.

  Information regarding secure boot and signed module enforcement will
  appear in the kernel log thusly:

  'Secure boot enabled' - normal secure boot operation with signed module enforcement.
  'Secure boot MOKSBState disabled' - UEFI Secure boot state has been over-ridden by MOKSBState. No signed module enforcement.

  In the absence of a 'Secure boot' string assume that secure boot is
  disabled or does not exist.
