[Bug 1604873] [NEW] MokSBStateRT strictly inferior to /proc/sys/kernel/moksbstate_disabled

Wed, 20 Jul 2016 08:56:28 -0700 

Public bug reported:

update-secureboot-policy tries to check whether MOK's override has disabled 
SecureBoot state.  However, since the real variable in nvram is not accessible 
after boot, it needs to use a proxy for this information.  There are two that 
it tries to use:
 - We've specified how shim can mirror the MokSBState variable to MokSBStateRT 
at boot time, to expose this information to the OS (but this is not implemented 
in current shim).
 - The recent kernels which honor MokSBState also include support for exposing 
this value as  /proc/sys/kernel/moksbstate_disabled.

Neither of these is guaranteed to be present on any given system.
However, if present, the kernel variable should be *unconditionally*
preferred over the efi "shadow" variable - because the kernel variable
is immutable, whereas MokSBStateRT is just another nvram variable that
things can overwrite (though they shouldn't).

We have heard at least one report internally of a system where something
other than our shim is setting the value of MokSBStateRT and confusing
update-secureboot-policy, so this will be a priority to also fix in SRU.

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Wily)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Also affects: shim-signed (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: shim-signed (Ubuntu Wily)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1604873

Title:
  MokSBStateRT strictly inferior to /proc/sys/kernel/moksbstate_disabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1604873/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to