** Changed in: linux (Ubuntu)
Assignee: Tim Gardner (timg-tpi) => (unassigned)
** Changed in: linux (Ubuntu Yakkety)
Assignee: Tim Gardner (timg-tpi) => (unassigned)
** Changed in: linux (Ubuntu Zesty)
Assignee: Tim Gardner (timg-tpi) => (unassigned)
--
Kees - there are archive shenanigans involved in getting a signed kernel
binary, hence the separate package.
Steve - I'm not sure about the rationale for grub booting unsigned
kernels. The foundations team might be able to explain it.
--
... why aren't all the kernels just signed? Why does this need to be a
separate package at all?
I can confirm installing the -signed package fixes it for me. Where in
the kernel source does this signature affect the output of
/proc/sys/kernel/secure_boot, though? I can't find that...
--
Also, is there a reason there isn't at least recommends on the
corresponding -signed packages for the kernel, to try to avoid this
situation? (I realize adding a hard depends would make
building/installing test kernels more difficult.)
--
Bah, was missing the linux-signed-generic-hwe-16.04-edge package. Once
that was in place, secure boot enforcement works correctly. Not sure if
that's the cause of Kees' issue as well.
That said, making it more discoverable that (a) secure boot is not being
enforced by the kernel, (b) why it's not
I have reproduced this and can confirm it only affects 4.8 kernels. I
have an Ubuntu 16.04 system with secure boot enabled, and the 4.4 kernels
were enforcing it. Installing and rebooting into the linux-image-
generic-hwe-edge kernel (4.8.0-34.36~16.04.1-generic) and everything
before the kernel
And it looks like this is specific to the 4.8 kernel. 4.4 thinks secure
boot is enabled.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1658255
Title:
Kernel not enforcing module
And that must be doing something wrong, since:
sudo efivar -p -n $(efivar --list | grep SecureBoot)
shows "1"
--
the proc handler does:
secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
this feature flag is set at boot:
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot == EFI_SECURE_BOOT) {
set_bit(EFI_SECURE_BOOT, );
Oh, and that's not set up by the bootloader, it's in
arch/x86/boot/compressed/eboot.c:
boot_params->secure_boot = get_secure_boot();
--
(Hm, dmesg WARN on IOMMU seems to think I need
910170442944e1f8674fd5ddbeeb8ccd1877ea98, but that's unrelated...)
** Attachment added: "dmesg.txt"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658255/+attachment/4809482/+files/dmesg.txt
--
$ cat /proc/sys/kernel/secure_boot
0
That seems weird. Everything else thinks it's enabled. What sets this
one (and what does it represent)?
--
Kees - what is the result of 'cat /proc/sys/kernel/secure_boot' ?
** Also affects: linux (Ubuntu Zesty)
Importance: Undecided
Status: Incomplete
** Also affects: linux (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Zesty)
Status: