** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1883949

Title:
  dkms packages generate insecure MOK, allow potential lockdown bypass

Status in linux package in Ubuntu:
  Invalid

Bug description:
  When the first DKMS package is installed, apt will generate a machine
  owner key pair in /var/lib/shim-signed/mok/ and enroll it with the
  shim so that the dynamically built kernel modules can be validated.  A
  password is requested, but only to validate the public key
  registration on the next reboot. The private key is only protected by
  0600 permissions.

  An attacker who can escalate to root can later use this password-less
  MOK.priv file to sign their own modules and bypass the lockdown
  protections to escalate into the kernel.
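
Added example, not part of the bug report or of Ubuntu's tooling: a Python audit for the condition described above, checking a signing key's file mode and owner and whether its PEM encoding carries a passphrase. It assumes the private key is PEM-encoded; the function names and the sample keys are constructed for illustration.

```python
import os
import stat

# Path named in the bug report (directory plus the MOK.priv file it mentions).
MOK_PRIV = "/var/lib/shim-signed/mok/MOK.priv"

# Constructed samples: PEM framing only, the bodies are not real key material.
SAMPLE_PLAIN = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS8_ENC = SAMPLE_PLAIN.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                     "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")

def pem_key_protection(text):
    """Classify a PEM private key as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if not (ln.startswith("-----BEGIN ") and ln.endswith("PRIVATE KEY-----")):
            continue
        if "ENCRYPTED" in ln:  # PKCS#8 EncryptedPrivateKeyInfo label
            return "encrypted"
        # Traditional OpenSSL keys flag encryption in a Proc-Type header instead.
        if any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in lines[i + 1:i + 3]):
            return "encrypted"
        return "unencrypted"
    return "unknown"

def audit_key(path, expected_uid=0):
    """Return findings for one signing-key file; an empty list means none."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} grants group/other access")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    with open(path, "rb") as fh:
        state = pem_key_protection(fh.read().decode("ascii", errors="replace"))
    if state == "unencrypted":
        findings.append("no passphrase: file permissions are the key's only protection")
    elif state == "unknown":
        findings.append("not a recognised PEM private key, check the encoding by hand")
    return findings

if __name__ == "__main__" and os.path.exists(MOK_PRIV):  # run as root to read the key
    for finding in audit_key(MOK_PRIV) or ["no findings"]:
        print(f"{MOK_PRIV}: {finding}")
```

A key that is mode 0600 and root-owned still yields the "no passphrase" finding, which is the state the report describes.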
