[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Changed in: linux (Ubuntu) Assignee: Tim Gardner (timg-tpi) => Petro (petrolerouxubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Tags added: bot-stop-nagging -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Tags removed: verification-needed-trusty ** Tags added: verification-done-xenial ** Tags added: verification-done-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- trusty' to 'verification-done-trusty'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Tags removed: verification-done-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Changed in: linux (Ubuntu Trusty) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Changed in: linux (Ubuntu Trusty) Status: Fix Released => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 3.13.0-92.139 --- linux (3.13.0-92.139) trusty; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1597060 [ Josh Boyer ] * SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted - LP: #1566221 * SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI - LP: #1566221 * SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot - LP: #1566221, #1571691 * SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode - LP: #1566221, #1571691 [ Matthew Garrett ] * SAUCE: UEFI: Add secure_modules() call - LP: #1566221 * SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled - LP: #1566221 * SAUCE: UEFI: x86: Lock down IO port access when module security is enabled - LP: #1566221 * SAUCE: UEFI: ACPI: Limit access to custom_method - LP: #1566221 * SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted - LP: #1566221 * SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions - LP: #1566221 * SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode - LP: #1566221 [ Stefan Bader ] * [Config] Add pm80xx scsi driver to d-i - LP: #1595628 [ Tim Gardner ] * [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y * SAUCE: UEFI: Display MOKSBState when disabled - LP: #1566221, #1571691 * SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl - LP: #1593075 * SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility - LP: #1593075 * [Config] CONFIG_EFI=n for arm64 - LP: #1566221 [ Upstream Kernel Changes ] * powerpc/tm: Abort syscalls in active transactions - LP: #1572624 * HID: core: prevent out-of-bound readings - LP: #1579190 * efi: Add separate 32-bit/64-bit definitions - LP: #1566221 * x86/efi: Build our own EFI services pointer table - LP: #1566221 * mm: migrate dirty page without clear_page_dirty_for_io etc - LP: #1581865 - CVE-2016-3070 * oom_kill: change oom_kill.c to use for_each_thread() - LP: #1592429 * oom_kill: has_intersects_mems_allowed() needs rcu_read_lock() - LP: #1592429 * oom_kill: add rcu_read_lock() into find_lock_task_mm() - LP: #1592429 * virtio_balloon: return the amount of freed memory from leak_balloon() - LP: #1587089 * virtio_balloon: free some memory from balloon on OOM - LP: #1587089 * virtio_ballon: change stub of release_pages_by_pfn - LP: #1587089 * virtio_balloon: do not change memory amount visible via /proc/meminfo - LP: #1587089 -- Kamal Mostafa Tue, 28 Jun 2016 12:40:49 -0700 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 3.13.0-92.139 --- linux (3.13.0-92.139) trusty; urgency=low [ Kamal Mostafa ] * Release Tracking Bug - LP: #1597060 [ Josh Boyer ] * SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted - LP: #1566221 * SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI - LP: #1566221 * SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot - LP: #1566221, #1571691 * SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode - LP: #1566221, #1571691 [ Matthew Garrett ] * SAUCE: UEFI: Add secure_modules() call - LP: #1566221 * SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled - LP: #1566221 * SAUCE: UEFI: x86: Lock down IO port access when module security is enabled - LP: #1566221 * SAUCE: UEFI: ACPI: Limit access to custom_method - LP: #1566221 * SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted - LP: #1566221 * SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions - LP: #1566221 * SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode - LP: #1566221 [ Stefan Bader ] * [Config] Add pm80xx scsi driver to d-i - LP: #1595628 [ Tim Gardner ] * [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y * SAUCE: UEFI: Display MOKSBState when disabled - LP: #1566221, #1571691 * SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl - LP: #1593075 * SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility - LP: #1593075 * [Config] CONFIG_EFI=n for arm64 - LP: #1566221 [ Upstream Kernel Changes ] * powerpc/tm: Abort syscalls in active transactions - LP: #1572624 * HID: core: prevent out-of-bound readings - LP: #1579190 * efi: Add separate 32-bit/64-bit definitions - LP: #1566221 * x86/efi: Build our own EFI services pointer table - LP: #1566221 * mm: migrate dirty page without clear_page_dirty_for_io etc - LP: #1581865 - CVE-2016-3070 * oom_kill: change oom_kill.c to use for_each_thread() - LP: #1592429 * oom_kill: has_intersects_mems_allowed() needs rcu_read_lock() - LP: #1592429 * oom_kill: add rcu_read_lock() into find_lock_task_mm() - LP: #1592429 * virtio_balloon: return the amount of freed memory from leak_balloon() - LP: #1587089 * virtio_balloon: free some memory from balloon on OOM - LP: #1587089 * virtio_ballon: change stub of release_pages_by_pfn - LP: #1587089 * virtio_balloon: do not change memory amount visible via /proc/meminfo - LP: #1587089 -- Kamal Mostafa Tue, 28 Jun 2016 12:40:49 -0700 ** Changed in: linux (Ubuntu Trusty) Status: In Progress => Fix Released ** Changed in: linux (Ubuntu Trusty) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 3.19.0-65.73 --- linux (3.19.0-65.73) vivid; urgency=low [ Ben Romer ] * Release Tracking Bug - LP: #1596631 [ Josh Boyer ] * SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted - LP: #1566221 * SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI - LP: #1566221 * SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot - LP: #1571691 * SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode - LP: #1571691 [ Matthew Garrett ] * SAUCE: UEFI: Add secure_modules() call - LP: #1566221 * SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled - LP: #1566221 * SAUCE: UEFI: x86: Lock down IO port access when module security is enabled - LP: #1566221 * SAUCE: UEFI: ACPI: Limit access to custom_method - LP: #1566221 * SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted - LP: #1566221 * SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions - LP: #1566221 * SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode - LP: #1566221 [ Stefan Bader ] * [Config] Add pm80xx scsi driver to d-i - LP: #1595628 [ Tim Gardner ] * [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y * SAUCE: UEFI: Display MOKSBState when disabled - LP: #1571691 * SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl - LP: #1593075 [ Upstream Kernel Changes ] * HID: core: prevent out-of-bound readings - LP: #1579190 * mm: migrate dirty page without clear_page_dirty_for_io etc - LP: #1581865 - CVE-2016-3070 -- Benjamin M Romer Mon, 27 Jun 2016 12:37:48 -0400 ** Changed in: linux (Ubuntu Vivid) Status: In Progress => Fix Released ** Changed in: linux (Ubuntu Vivid) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 3.19.0-65.73 --- linux (3.19.0-65.73) vivid; urgency=low [ Ben Romer ] * Release Tracking Bug - LP: #1596631 [ Josh Boyer ] * SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted - LP: #1566221 * SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI - LP: #1566221 * SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot - LP: #1571691 * SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode - LP: #1571691 [ Matthew Garrett ] * SAUCE: UEFI: Add secure_modules() call - LP: #1566221 * SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled - LP: #1566221 * SAUCE: UEFI: x86: Lock down IO port access when module security is enabled - LP: #1566221 * SAUCE: UEFI: ACPI: Limit access to custom_method - LP: #1566221 * SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted - LP: #1566221 * SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions - LP: #1566221 * SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted - LP: #1566221 * SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode - LP: #1566221 [ Stefan Bader ] * [Config] Add pm80xx scsi driver to d-i - LP: #1595628 [ Tim Gardner ] * [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y * SAUCE: UEFI: Display MOKSBState when disabled - LP: #1571691 * SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl - LP: #1593075 [ Upstream Kernel Changes ] * HID: core: prevent out-of-bound readings - LP: #1579190 * mm: migrate dirty page without clear_page_dirty_for_io etc - LP: #1581865 - CVE-2016-3070 -- Benjamin M Romer Mon, 27 Jun 2016 12:37:48 -0400 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 4.2.0-42.49
---
linux (4.2.0-42.49) wily; urgency=low
[ Ben Romer ]
* Release Tracking Bug
- LP: #1597053
[ Josh Boyer ]
* SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
* SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
- LP: #1566221
* SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1571691
* SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1571691
[ Matthew Garrett ]
* SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
* SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
* SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
* SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
* SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
* SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
* SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
* SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
* SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221
[ Stefan Bader ]
* [Config] Add pm80xx scsi driver to d-i
- LP: #1595628
[ Tim Gardner ]
* [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
* SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1571691
* SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075
[ Upstream Kernel Changes ]
* Revert "scsi: fix soft lockup in scsi_remove_target() on module
removal"
- LP: #1592552
* ath10k: fix firmware assert in monitor mode
- LP: #1592552
* drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
- LP: #1592552
* ath10k: fix debugfs pktlog_filter write
- LP: #1592552
* drm/i915: Call intel_dp_mst_resume() before resuming displays
- LP: #1592552
* ARM: mvebu: fix GPIO config on the Linksys boards
- LP: #1592552
* ath5k: Change led pin configuration for compaq c700 laptop
- LP: #1592552, #972604
* xfs: disallow rw remount on fs with unknown ro-compat features
- LP: #1592552
* xfs: Don't wrap growfs AGFL indexes
- LP: #1592552
* rtlwifi: rtl8723be: Add antenna select module parameter
- LP: #1592552
* rtlwifi: btcoexist: Implement antenna selection
- LP: #1592552
* drm/gma500: Fix possible out of bounds read
- LP: #1592552
* Bluetooth: vhci: fix open_timeout vs. hdev race
- LP: #1592552
* Bluetooth: vhci: purge unhandled skbs
- LP: #1592552
* cpuidle: Indicate when a device has been unregistered
- LP: #1592552
* mfd: intel_quark_i2c_gpio: Use clkdev_create()
- LP: #1592552
* mfd: intel_quark_i2c_gpio: Remove clock tree on error path
- LP: #1592552
* [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in
put_v4l2_create32
- LP: #1592552
* scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
- LP: #1592552
* drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C
- LP: #1592552
* usb: f_mass_storage: test whether thread is running before starting
another
- LP: #1592552
* hwmon: (ads7828) Enable internal reference
- LP: #1592552
* ath10k: fix rx_channel during hw reconfigure
- LP: #1592552
* Bluetooth: vhci: Fix race at creating hci device
- LP: #1592552
* powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
- LP: #1592552
* PM / Runtime: Fix error path in pm_runtime_force_resume()
- LP: #1592552
* crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
- LP: #1592552
* ath9k: Add a module parameter to invert LED polarity.
- LP: #1592552
* ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
- LP: #1592552
* pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
- LP: #1592552
* btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in
btrfs_ioctl
- LP: #1592552
* serial: 8250_pci: fix divide error bug if baud rate is 0
- LP: #1592552
* TTY: n_gsm, fix false positive WARN_ON
- LP: #1592552
* staging: comedi: das1800: fix possible NULL dereference
- LP: #1592552
* arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
- LP: #1592552
* KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset
- LP: #1592552
* aacraid: Relinquish CPU during timeout wait
- LP: #1592552
* aacraid: Fix for aac_command_thread hang
- LP: #1592552
* aacraid: Fix for KDUMP driver hang
- LP: #1592552
* ext4: fix hang when processing corrupted orphaned inode list
- LP: #1592552
* MI
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 4.2.0-42.49
---
linux (4.2.0-42.49) wily; urgency=low
[ Ben Romer ]
* Release Tracking Bug
- LP: #1597053
[ Josh Boyer ]
* SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module
loading is restricted
- LP: #1566221
* SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
- LP: #1566221
* SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
- LP: #1571691
* SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
- LP: #1571691
[ Matthew Garrett ]
* SAUCE: UEFI: Add secure_modules() call
- LP: #1566221
* SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
- LP: #1566221
* SAUCE: UEFI: x86: Lock down IO port access when module security is
enabled
- LP: #1566221
* SAUCE: UEFI: ACPI: Limit access to custom_method
- LP: #1566221
* SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading
is restricted
- LP: #1566221
* SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is
restricted
- LP: #1566221
* SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module
loading restrictions
- LP: #1566221
* SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
- LP: #1566221
* SAUCE: UEFI: Add option to automatically enforce module signatures when
in Secure Boot mode
- LP: #1566221
[ Stefan Bader ]
* [Config] Add pm80xx scsi driver to d-i
- LP: #1595628
[ Tim Gardner ]
* [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
* SAUCE: UEFI: Display MOKSBState when disabled
- LP: #1571691
* SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
- LP: #1593075
[ Upstream Kernel Changes ]
* Revert "scsi: fix soft lockup in scsi_remove_target() on module
removal"
- LP: #1592552
* ath10k: fix firmware assert in monitor mode
- LP: #1592552
* drm/i915: Fix race condition in intel_dp_destroy_mst_connector()
- LP: #1592552
* ath10k: fix debugfs pktlog_filter write
- LP: #1592552
* drm/i915: Call intel_dp_mst_resume() before resuming displays
- LP: #1592552
* ARM: mvebu: fix GPIO config on the Linksys boards
- LP: #1592552
* ath5k: Change led pin configuration for compaq c700 laptop
- LP: #1592552, #972604
* xfs: disallow rw remount on fs with unknown ro-compat features
- LP: #1592552
* xfs: Don't wrap growfs AGFL indexes
- LP: #1592552
* rtlwifi: rtl8723be: Add antenna select module parameter
- LP: #1592552
* rtlwifi: btcoexist: Implement antenna selection
- LP: #1592552
* drm/gma500: Fix possible out of bounds read
- LP: #1592552
* Bluetooth: vhci: fix open_timeout vs. hdev race
- LP: #1592552
* Bluetooth: vhci: purge unhandled skbs
- LP: #1592552
* cpuidle: Indicate when a device has been unregistered
- LP: #1592552
* mfd: intel_quark_i2c_gpio: Use clkdev_create()
- LP: #1592552
* mfd: intel_quark_i2c_gpio: Remove clock tree on error path
- LP: #1592552
* [media] media: v4l2-compat-ioctl32: fix missing reserved field copy in
put_v4l2_create32
- LP: #1592552
* scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
- LP: #1592552
* drm/i915/dsi: fix CHV dsi encoder hardware state readout on port C
- LP: #1592552
* usb: f_mass_storage: test whether thread is running before starting
another
- LP: #1592552
* hwmon: (ads7828) Enable internal reference
- LP: #1592552
* ath10k: fix rx_channel during hw reconfigure
- LP: #1592552
* Bluetooth: vhci: Fix race at creating hci device
- LP: #1592552
* powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
- LP: #1592552
* PM / Runtime: Fix error path in pm_runtime_force_resume()
- LP: #1592552
* crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
- LP: #1592552
* ath9k: Add a module parameter to invert LED polarity.
- LP: #1592552
* ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
- LP: #1592552
* pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
- LP: #1592552
* btrfs: bugfix: handle FS_IOC32_{GETFLAGS,SETFLAGS,GETVERSION} in
btrfs_ioctl
- LP: #1592552
* serial: 8250_pci: fix divide error bug if baud rate is 0
- LP: #1592552
* TTY: n_gsm, fix false positive WARN_ON
- LP: #1592552
* staging: comedi: das1800: fix possible NULL dereference
- LP: #1592552
* arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
- LP: #1592552
* KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset
- LP: #1592552
* aacraid: Relinquish CPU during timeout wait
- LP: #1592552
* aacraid: Fix for aac_command_thread hang
- LP: #1592552
* aacraid: Fix for KDUMP driver hang
- LP: #1592552
* ext4: fix hang when processing corrupted orphaned inode list
- LP: #1592552
* MI
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Tags removed: verification-needed-wily ** Tags added: verification-done-wily -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Tags removed: verification-needed-vivid ** Tags added: verification-done-vivid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Tags removed: verification-needed-trusty ** Tags added: verification-done-trusty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- trusty' to 'verification-done-trusty'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-trusty ** Tags added: verification-needed-vivid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- vivid' to 'verification-done-vivid'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-wily -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- wily' to 'verification-done-wily'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
For completeness the userspace changes needed for this are being tracked under Bug #1574727. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
lts-utopic and trusty tested in QEMU/OVMF with signed kernel, with and without MokSBState enabled. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
Vivid tested in QEMU/OVMF with signed kernel, with and without MokSBState enabled. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
Wily tested in QEMU/OVMF with signed kernel, with and without MokSBState enabled. ** Description changed: Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. + + When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for + platforms booting in secure boot mode with a DKMS dependency is to + disable secure boot using mokutils: + + sudo mokutil --disable-validation + sudo reboot ** Description changed: Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for platforms booting in secure boot mode with a DKMS dependency is to - disable secure boot using mokutils: + disable secure boot using mokutil: sudo mokutil --disable-validation sudo reboot ** Description changed: + This work is authorized by an approved UOS spec at + https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot + Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for platforms booting in secure boot mode with a DKMS dependency is to disable secure boot using mokutil: sudo mokutil --disable-validation sudo reboot ** Description changed: - This work is authorized by an approved UOS spec at + This work is authorized by an approved UOS spec and blueprint at https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot Add code to implement secure boot checks. Unsigned or incorrectly signed modules will continue to install while tainting the kernel _until_ EFI_SECURE_BOOT_SIG_ENFORCE is enabled. When EFI_SECURE_BOOT_SIG_ENFORCE is enabled, then the only recourse for platforms booting in secure boot mode with a DKMS dependency is to disable secure boot using mokutil: sudo mokutil --disable-validation sudo reboot -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Also affects: linux (Ubuntu Yakkety) Importance: Undecided Assignee: Tim Gardner (timg-tpi) Status: Fix Released ** Also affects: linux (Ubuntu Trusty) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Wily) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Vivid) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Trusty) Status: New => In Progress ** Changed in: linux (Ubuntu Trusty) Assignee: (unassigned) => Tim Gardner (timg-tpi) ** Changed in: linux (Ubuntu Vivid) Status: New => In Progress ** Changed in: linux (Ubuntu Vivid) Assignee: (unassigned) => Tim Gardner (timg-tpi) ** Changed in: linux (Ubuntu Wily) Status: New => In Progress ** Changed in: linux (Ubuntu Wily) Assignee: (unassigned) => Tim Gardner (timg-tpi) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 4.4.0-21.37 --- linux (4.4.0-21.37) xenial; urgency=low [ Tim Gardner ] * Release Tracking Bug - LP: #1571791 * linux: MokSBState is ignored (LP: #1571691) - SAUCE: (noup) MODSIGN: Import certificates from UEFI Secure Boot - SAUCE: (noup) efi: Disable secure boot if shim is in insecure mode - SAUCE: (noup) Display MOKSBState when disabled linux (4.4.0-20.36) xenial; urgency=low [ Tim Gardner ] * Release Tracking Bug - LP: #1571069 * sysfs mount failure during stateful lxd snapshots (LP: #1570906) - SAUCE: kernfs: Do not match superblock in another user namespace when mounting * Kernel Panic in Ubuntu 16.04 netboot installer (LP: #1570441) - x86/topology: Fix logical package mapping - x86/topology: Fix Intel HT disable - x86/topology: Use total_cpus not nr_cpu_ids for logical packages - xen/apic: Provide Xen-specific version of cpu_present_to_apicid APIC op - x86/topology: Fix AMD core count * [regression]: Failed to call clock_adjtime(): Invalid argument (LP: #1566465) - ntp: Fix ADJ_SETOFFSET being used w/ ADJ_NANO linux (4.4.0-19.35) xenial; urgency=low [ Tim Gardner ] * Release Tracking Bug - LP: #1570348 * CVE-2016-2847 (LP: #1554260) - pipe: limit the per-user amount of pages allocated in pipes * xenial kernel crash on HP BL460c G7 (qla24xx problem?) (LP: #1554003) - SAUCE: (noup) qla2xxx: Add irq affinity notification V2 * arm64: guest hangs when ntpd is running (LP: #1549494) - SAUCE: (noup) KVM: arm/arm64: Handle forward time correction gracefully * linux: Enforce signed module loading when UEFI secure boot (LP: #1566221) - [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y * s390/cpumf: Fix lpp detection (LP: #1555344) - s390/facilities: use stfl mnemonic instead of insn magic - s390/facilities: always use lowcore's stfle field for storing facility bits - s390/cpumf: Fix lpp detection * s390x kernel image needs weightwatchers (LP: #1536245) - [Config] s390x: Use compressed kernel bzImage * Surelock GA2 SP1: surelock02p05: Not seeing sgX devices for LUNs after upgrading to Ubuntu 16.04 (LP: #1567581) - Revert "UBUNTU: SAUCE: (noup) powerpc/pci: Assign fixed PHB number based on device-tree properties" * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765) - cpufreq: powernv: Define per_cpu chip pointer to optimize hot-path - Revert "cpufreq: postfix policy directory with the first CPU in related_cpus" - cpufreq: powernv: Add sysfs attributes to show throttle stats * systemd-modules-load.service: Failing due to missing module 'ib_iser' (LP: #1566468) - [Config] Add ib_iser to generic inclusion list * thunderx nic performance improvements (LP: #1567093) - net: thunderx: Set recevie buffer page usage count in bulk - net: thunderx: Adjust nicvf structure to reduce cache misses * fixes for thunderx nic in multiqueue mode (LP: #1567091) - net: thunderx: Fix for multiqset not configured upon interface toggle - net: thunderx: Fix for HW TSO not enabled for secondary qsets - net: thunderx: Fix receive packet stats * Miscellaneous Ubuntu changes - [Config] updateconfigs after CONFIG_DRM_I915_BPO_PRELIMINARY_HW_SUPPORT=n * Miscellaneous upstream changes (LP: #1564901) - Input: xpad - correctly handle concurrent LED and FF requests -- Tim Gardner Mon, 18 Apr 2016 07:00:22 -0600 ** Changed in: linux (Ubuntu Xenial) Status: In Progress => Fix Released ** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-2847 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
Ok, scratch that. I had an external monitor connected and didn't realize a configure dialog appeared on reboot. After disabling validation the vboxdrv module now loads as expected. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
Thanks, I just gave this a shot after installing 4.4.0-21-generic #37 from -proposed but after running 'sudo mokutil --disable-validation' and rebooting I still have the same 'Required key not available' error when I 'sudo modprobe vboxdrv'. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
linux 4.4.0-21.37 supports MOKSBState wherein you can disable secure boot in order to allow DKMS drivers. It should be released from -proposed within a day or so. If you aren't prompted to change your secure boot setting, then you can run 'sudo mokutil --disable- validation' before rebooting. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
I'm not sure if this is the right venue for discussion, but ever since this change was implemented in 4.4.0-18 I have been unable to load the VirtualBox vboxdrv kernel module built through dkms (fails with 'required key not available'). I understand this is probably the intended behavior but because of a glitch in the bios or ssd firmware of my laptop the secureboot mechanism is the only way I can start Ubuntu and this has left me without an option to load custom-built modules. Is there any mechanism to sign a kernel module through dkms? How is signing of e.g. the nvidia module handled? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y ** Changed in: linux (Ubuntu Xenial) Status: Fix Released => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
This bug was fixed in the package linux - 4.4.0-18.34 --- linux (4.4.0-18.34) xenial; urgency=low [ Tim Gardner ] * Release Tracking Bug - LP: #1566868 * [i915_bpo] Fix RC6 on SKL GT3 & GT4 (LP: #1564759) - SAUCE: i915_bpo: drm/i915/skl: Fix rc6 based gpu/system hang - SAUCE: i915_bpo: drm/i915/skl: Fix spurious gpu hang with gt3/gt4 revs * CONFIG_ARCH_ROCKCHIP not enabled in armhf generic kernel (LP: #1566283) - [Config] CONFIG_ARCH_ROCKCHIP=y * [Feature] Memory Bandwidth Monitoring (LP: #1397880) - perf/x86/cqm: Fix CQM handling of grouping events into a cache_group - perf/x86/cqm: Fix CQM memory leak and notifier leak - x86/cpufeature: Carve out X86_FEATURE_* - Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip - x86/topology: Create logical package id - perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init - perf/x86/mbm: Add memory bandwidth monitoring event management - perf/x86/mbm: Implement RMID recycling - perf/x86/mbm: Add support for MBM counter overflow handling * User namespace mount updates (LP: #1566505) - SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns - SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids - SAUCE: fuse: Don't initialize user_id or group_id in mount options - SAUCE: cgroup: Use a new super block when mounting in a cgroup namespace - SAUCE: fs: fix a posible leak of allocated superblock * [arm64] kernel BUG at /build/linux-StrpB2/linux-4.4.0/fs/ext4/inode.c:2394! (LP: #1566518) - arm64: Honour !PTE_WRITE in set_pte_at() for kernel mappings - arm64: Update PTE_RDONLY in set_pte_at() for PROT_NONE permission * [Feature]USB core and xHCI tasks for USB 3.1 SuperSpeedPlus (SSP) support for Alpine Ridge on SKL (LP: #1519623) - usb: define USB_SPEED_SUPER_PLUS speed for SuperSpeedPlus USB3.1 devices - usb: set USB 3.1 roothub device speed to USB_SPEED_SUPER_PLUS - usb: show speed "1" in sysfs for USB 3.1 SuperSpeedPlus devices - usb: add device descriptor for usb 3.1 root hub - usb: Support USB 3.1 extended port status request - xhci: Make sure xhci handles USB_SPEED_SUPER_PLUS devices. - xhci: set roothub speed to USB_SPEED_SUPER_PLUS for USB3.1 capable controllers - xhci: USB 3.1 add default Speed Attributes to SuperSpeedPlus device capability - xhci: set slot context speed field to SuperSpeedPlus for USB 3.1 SSP devices - usb: Add USB3.1 SuperSpeedPlus Isoc Endpoint Companion descriptor - usb: Parse the new USB 3.1 SuperSpeedPlus Isoc endpoint companion descriptor - usb: Add USB 3.1 Precision time measurement capability descriptor support - xhci: refactor and cleanup endpoint initialization. - xhci: Add SuperSpeedPlus high bandwidth isoc support to xhci endpoints - xhci: cleanup isoc tranfers queuing code - xhci: Support extended burst isoc TRB structure used by xhci 1.1 for USB 3.1 - SAUCE: (noup) usb: fix regression in SuperSpeed endpoint descriptor parsing * wrong/missing permissions for device file /dev/prandom (prng.ko) (LP: #1558275) - s390/crypto: provide correct file mode at device register. * The Front MIC jack can't work on a HP desktop machine (LP: #1564712) - ALSA: hda - fix front mic problem for a HP desktop * HP Notebook Probook 440 G3 HDA Intel PCH horrible sounds while booting (LP: #1556228) - ALSA: hda - Apply reboot D3 fix for CX20724 codec, too * please provide mmc-modules udeb (LP: #1565765) - [Config] Add mmc block drivers to d-i * linux: Enforce signed module loading when UEFI secure boot (LP: #1566221) - Add secure_modules() call - PCI: Lock down BAR access when module security is enabled - x86: Lock down IO port access when module security is enabled - ACPI: Limit access to custom_method - asus-wmi: Restrict debugfs interface when module loading is restricted - Restrict /dev/mem and /dev/kmem when module loading is restricted - acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted - kexec: Disable at runtime if the kernel enforces module loading restrictions - x86: Restrict MSR access when module loading is restricted - [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=n - Add option to automatically enforce module signatures when in Secure Boot mode - efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI - efi: Add EFI_SECURE_BOOT bit - hibernate: Disable in a signed modules environment * [Hyper-V] Additional PCI passthrough commits (LP: #1565967) - PCI: Add fwnode_handle to x86 pci_sysdata - PCI: Look up IRQ domain by fwnode_handle - [Config] CONFIG_PCI_HYPERV=m - PCI: hv: Add paravirtual PCI front-end for Microsoft Hyper-V VMs * [Bug]Lenovo Yoga 260 and Carbon X1 4th gen freeze on HWP enable (LP:
[Bug 1566221] Re: linux: Enforce signed module loading when UEFI secure boot
** Description changed: - Add code to implement secure boot checks. + Add code to implement secure boot checks. Unsigned or incorrectly signed + modules will continue to install while tainting the kernel _until_ + EFI_SECURE_BOOT_SIG_ENFORCE is enabled. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1566221 Title: linux: Enforce signed module loading when UEFI secure boot To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
