Public bug reported:

update-secureboot-policy tries to check whether MOK's override has disabled
SecureBoot state. However, since the real variable in nvram is not accessible
after boot, it needs to use a proxy for this information. There are two that
it tries to use:
 - We've specified how shim can mirror the MokSBState variable to
   MokSBStateRT at boot time, to expose this information to the OS (but this
   is not implemented in current shim).
 - The recent kernels which honor MokSBState also include support for
   exposing this value as /proc/sys/kernel/moksbstate_disabled.

Neither of these is guaranteed to be present on any given system.
However, if present, the kernel variable should be *unconditionally*
preferred over the efi "shadow" variable - because the kernel variable
is immutable, whereas MokSBStateRT is just another nvram variable that
things can overwrite (though they shouldn't).

We have heard at least one report internally of a system where something
other than our shim is setting the value of MokSBStateRT and confusing
update-secureboot-policy, so this will be a priority to also fix in SRU.

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Wily)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu Xenial)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1604873

Title:
  MokSBStateRT strictly inferior to /proc/sys/kernel/moksbstate_disabled
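
The preference order described in this report, as an added example (not the code of update-secureboot-policy or shim): the kernel file is authoritative whenever it exists, and MokSBStateRT is read only as a fallback. The function name, the output format, the efivarfs path and the assumption that a value of 1 means "disabled" in both sources are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report whether MokSBState has disabled Secure Boot validation,
# preferring the kernel's immutable value over the writable EFI shadow variable.

# Assumed default locations; the GUID is shim's vendor GUID.
PROC_FILE="${PROC_FILE:-/proc/sys/kernel/moksbstate_disabled}"
EFI_FILE="${EFI_FILE:-/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23}"

# Usage: mok_sb_state <proc_file> <efi_file>
# Prints "<state> <source>", where state is disabled, enabled or unknown.
mok_sb_state() {
    proc_file=$1
    efi_file=$2

    # 1. Kernel value: if the file exists it wins, and the EFI shadow
    #    variable is never consulted, even when the two would disagree.
    if [ -r "$proc_file" ]; then
        case "$(cat "$proc_file")" in
            1) echo "disabled kernel" ;;
            0) echo "enabled kernel" ;;
            *) echo "unknown kernel" ;;
        esac
        return 0
    fi

    # 2. Fallback: an efivarfs file is 4 attribute bytes followed by the
    #    data; MokSBState is a single byte (assumed: 1 means disabled).
    if [ -r "$efi_file" ]; then
        byte=$(od -An -t u1 -j 4 -N 1 "$efi_file" 2>/dev/null | tr -d ' \n')
        case "$byte" in
            1) echo "disabled efi-shadow" ;;
            0) echo "enabled efi-shadow" ;;
            *) echo "unknown efi-shadow" ;;
        esac
        return 0
    fi

    # 3. Neither proxy is present on this system.
    echo "unknown none"
}

mok_sb_state "$PROC_FILE" "$EFI_FILE"
```

The source field in the output makes it visible when a decision rested on the overwritable shadow variable rather than on the kernel's value.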
