[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
** Changed in: linux (Ubuntu)
     Assignee: Tim Gardner (timg-tpi) => (unassigned)

** Changed in: linux (Ubuntu Yakkety)
     Assignee: Tim Gardner (timg-tpi) => (unassigned)

** Changed in: linux (Ubuntu Zesty)
     Assignee: Tim Gardner (timg-tpi) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658255

Title:
  Kernel not enforcing module signatures under SecureBoot

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658255/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
Kees - there are archive shenanigans involved in getting a signed kernel
binary, hence the separate package.

Steve - I'm not sure about the rationale for grub booting unsigned
kernels. The foundations team might be able to explain it.
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
... why aren't all the kernels just signed? Why does this need to be a
separate package at all?

I can confirm installing the -signed package fixes it for me. Where in
the kernel source does this signature affect the output of
/proc/sys/kernel/secure_boot, though? I can't find that...
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
Also, is there a reason there isn't at least a Recommends on the
corresponding -signed packages for the kernel, to try to avoid this
situation? (I realize adding a hard Depends would make
building/installing test kernels more difficult.)
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
Bah, was missing the linux-signed-generic-hwe-16.04-edge package. Once
that was in place, secure boot enforcement works correctly. Not sure if
that's the cause of Kees' issue as well.

That said, making it more discoverable that (a) secure boot is not being
enforced by the kernel, (b) why it's not being enforced, and (c)
shouldn't a boot stack that's enforcing secure boot not permit an
unsigned kernel to boot?
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
I have reproduced this and can confirm it only affects 4.8 kernels. I
have an Ubuntu 16.04 system with secure boot enabled, and the 4.4 kernels
were enforcing it. Installing and rebooting into the
linux-image-generic-hwe-edge kernel (4.8.0-34.36~16.04.1-generic) and
everything before the kernel thinks secure boot is enabled, but the
kernel does not and freely loads unsigned modules.

$ cat /proc/version_signature
Ubuntu 4.4.0-59.80-generic 4.4.35
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 1

$ cat /proc/version_signature
Ubuntu 4.8.0-34.36~16.04.1-generic 4.8.11
$ mokutil --sb-state
SecureBoot enabled
$ sysctl kernel.secure_boot
kernel.secure_boot = 0
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
the proc handler does:

	secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);

this feature flag is set at boot:

#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
	if (boot_params.secure_boot == EFI_SECURE_BOOT) {
		set_bit(EFI_SECURE_BOOT, &efi.flags);
		enforce_signed_modules();
		pr_info("Secure boot enabled\n");
	}
#endif

And since I don't see the pr_info, nor the flag, nor the module
enforcement, the boot_params is probably missing?
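The reproduction above compares three views by hand (mokutil, the EFI variable, and the kernel's own kernel.secure_boot sysctl), and the comment just above explains that the sysctl only reports 1 when the kernel itself saw boot_params.secure_boot set. The script below is an added example, not code from the bug thread or from the Ubuntu kernel: it automates that comparison so a host in the state this bug describes (firmware says Secure Boot is on, kernel.secure_boot reads 0, unsigned modules load) is flagged instead of silently trusted. It assumes the standard efivarfs layout (SecureBoot variable under the EFI_GLOBAL_VARIABLE GUID, four attribute bytes followed by one data byte) and the Ubuntu-specific /proc/sys/kernel/secure_boot and /proc/version_signature files shown in the thread; the byte strings and sysctl values in the __main__ block are constructed samples mirroring the two boots reported above.

```python
from pathlib import Path
from typing import Dict, Optional

# EFI_GLOBAL_VARIABLE GUID; efivarfs exposes the firmware's SecureBoot variable under this name.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SECUREBOOT_EFIVAR = Path("/sys/firmware/efi/efivars") / ("SecureBoot-" + EFI_GLOBAL_VARIABLE_GUID)
KERNEL_SECURE_BOOT_SYSCTL = Path("/proc/sys/kernel/secure_boot")  # Ubuntu kernel sysctl from the thread
VERSION_SIGNATURE = Path("/proc/version_signature")               # Ubuntu kernel ABI string from the thread


def parse_efivar_secureboot(raw: bytes) -> Optional[int]:
    """Decode an efivarfs file: 4-byte little-endian attribute word, then the variable data.
    SecureBoot carries a single data byte: 1 = firmware is in Secure Boot mode, 0 = it is not."""
    if len(raw) < 5:
        return None  # truncated or empty variable: treat as unknown, never as "enabled"
    return raw[4]


def parse_sysctl_int(text: str) -> Optional[int]:
    """Parse a /proc/sys integer file such as '0\\n' or '1\\n'."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def assess(firmware_sb: Optional[int], kernel_sb: Optional[int],
           version_signature: Optional[str]) -> Dict[str, str]:
    """Combine the firmware view and the kernel view into a single verdict."""
    kernel = version_signature.strip() if version_signature else "unknown kernel"
    if firmware_sb is None:
        return {"status": "unknown",
                "detail": "no EFI SecureBoot variable readable (legacy boot, or efivarfs not mounted)"}
    if firmware_sb == 0:
        return {"status": "firmware-disabled",
                "detail": "firmware reports Secure Boot off; module signature enforcement is not expected"}
    if kernel_sb is None:
        return {"status": "unknown",
                "detail": f"firmware reports Secure Boot on but {kernel} exposes no kernel.secure_boot sysctl"}
    if kernel_sb == 1:
        return {"status": "enforcing",
                "detail": f"{kernel}: firmware and kernel agree; unsigned modules should be rejected"}
    return {"status": "not-enforcing",
            "detail": f"{kernel}: firmware reports Secure Boot on but kernel.secure_boot = 0; unsigned "
                      "modules will load (check that the matching linux-signed image is installed and booted)"}


def read_optional(path: Path, binary: bool = False):
    """Return the file's contents, or None when it is absent or unreadable."""
    try:
        return path.read_bytes() if binary else path.read_text()
    except OSError:
        return None


def check_live_host() -> Dict[str, str]:
    """Run the comparison against the host this script runs on."""
    raw = read_optional(SECUREBOOT_EFIVAR, binary=True)
    sysctl = read_optional(KERNEL_SECURE_BOOT_SYSCTL)
    return assess(
        parse_efivar_secureboot(raw) if raw is not None else None,
        parse_sysctl_int(sysctl) if sysctl is not None else None,
        read_optional(VERSION_SIGNATURE),
    )


if __name__ == "__main__":
    # Constructed samples mirroring the 4.4 boot (enforcing) and the 4.8 boot (not enforcing) from the thread.
    samples = [
        (b"\x06\x00\x00\x00\x01", "1\n", "Ubuntu 4.4.0-59.80-generic 4.4.35"),
        (b"\x06\x00\x00\x00\x01", "0\n", "Ubuntu 4.8.0-34.36~16.04.1-generic 4.8.11"),
    ]
    for raw, sysctl, sig in samples:
        print(assess(parse_efivar_secureboot(raw), parse_sysctl_int(sysctl), sig))
    print("live host:", check_live_host())
```

The verdict deliberately treats a missing or truncated variable as unknown rather than as enabled, and it only reports "enforcing" when firmware and kernel agree; that is the property the thread shows being violated, where mokutil and efivar read 1 while the kernel read 0.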
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
And that must be doing something wrong, since:

	sudo efivar -p -n $(efivar --list | grep SecureBoot)

shows "1"
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
And it looks like this is specific to the 4.8 kernel. 4.4 thinks secure
boot is enabled.
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
Oh, and that's not set up by the bootloader, it's in
arch/x86/boot/compressed/eboot.c:

	boot_params->secure_boot = get_secure_boot();
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
(Hm, dmesg WARN on IOMMU seems to think I need
910170442944e1f8674fd5ddbeeb8ccd1877ea98, but that's unrelated...)

** Attachment added: "dmesg.txt"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658255/+attachment/4809482/+files/dmesg.txt
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
$ cat /proc/sys/kernel/secure_boot
0

That seems weird. Everything else thinks it's enabled. What sets this
one (and what does it represent)?
[Bug 1658255] Re: Kernel not enforcing module signatures under SecureBoot
Kees - what is the result of 'cat /proc/sys/kernel/secure_boot' ?

** Also affects: linux (Ubuntu Zesty)
   Importance: Undecided
       Status: Incomplete

** Also affects: linux (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Zesty)
       Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Zesty)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Yakkety)
       Status: New => In Progress

** Changed in: linux (Ubuntu Yakkety)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)