** Description changed:

+ [SRU Justification]
+ Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether.
+ 
+ [Test case]
+ 1) Install Ubuntu in UEFI mode.
+ 2) Install bbswitch-dkms (or another -dkms package if useful on your system).
+ 3) Follow the steps in the debconf prompts (enter a password, and remember the password for the next boot).
+ 4) Reboot; follow the steps in MokManager:
+ 4a) Pick Enroll MOK: add the new key, and enter the password when prompted to do so.
+ 4b) If Secure Boot was previously disabled in shim (i.e. a dkms package was previously installed), pick "Change Secure Boot state". Follow the prompts to enter password characters.
+ 5) Pick "Reboot".
+ 6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>".
+ 7) Run 'modprobe <module>' to validate that the module can be loaded explicitly.
+ 8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys.
+ 
+ [Regression potential]
+ If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load.
+ 
+ ---
+ 
  shim-signed's update-secureboot-policy should allow creating a machine-
  owner key, and using this for signing kernel modules built via DKMS. Key
  generation and enrolling should be made as easy as possible for users.
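The verification in steps 6 to 8 of the test case, as an added shell example that is not part of the bug report or of the shim-signed/dkms packages. It assumes mokutil, lsmod, modprobe and dmesg are on PATH, uses bbswitch as the default module name, and matches a selection of the kernel and modprobe messages emitted for missing or untrusted module signatures.

```shell
#!/bin/sh
# Added example, not code from the bug report: automates steps 6-8 of the
# test case once the MOK is enrolled and the machine has rebooted.
# Assumes mokutil, lsmod, modprobe and dmesg are on PATH and that it runs as
# root (modprobe needs it; dmesg may too). MODULE defaults to bbswitch.

# Messages the kernel and modprobe emit when a module signature is missing or
# its key is not trusted. A selection, not an exhaustive list.
KEY_ERROR_RE='module verification failed|required key missing|unsigned module|Key was rejected by service'

# Count signing-related errors in dmesg-style text read from stdin.
# grep -c exits 1 when nothing matches, which is the healthy case, so mask it.
count_key_errors() {
    grep -c -E "$KEY_ERROR_RE" || true
}

# Succeed if module $1 appears in lsmod output read from stdin.
# lsmod prints names with underscores, so normalise a dashed name first.
module_loaded() {
    awk -v m="$(printf '%s' "$1" | tr '-' '_')" \
        'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Run the live checks on this machine; returns non-zero at the first failure.
verify_dkms_module() {
    mod=$1
    mokutil --sb-state | grep -q 'SecureBoot enabled' \
        || { echo 'Secure Boot is not enabled; the check proves nothing' >&2; return 1; }
    # Step 7: an explicit load must succeed and print no key errors.
    err=$(modprobe "$mod" 2>&1 >/dev/null) \
        || { echo "modprobe $mod failed: $err" >&2; return 1; }
    [ "$(printf '%s\n' "$err" | count_key_errors)" -eq 0 ] \
        || { echo "modprobe reported key errors: $err" >&2; return 1; }
    # Step 6: the module must now be resident.
    lsmod | module_loaded "$mod" \
        || { echo "$mod is not loaded" >&2; return 1; }
    # Step 8: the kernel log must not complain about signing keys.
    n=$(dmesg | count_key_errors)
    [ "$n" -eq 0 ] \
        || { echo "$n signing-related messages in dmesg:" >&2; dmesg | grep -E "$KEY_ERROR_RE" >&2; return 1; }
    echo "$mod loaded under Secure Boot with no signing errors"
}

# Gate the live run so the helpers can be sourced and unit-tested offline.
if [ "${VERIFY_RUN:-0}" = 1 ]; then
    verify_dkms_module "${MODULE:-bbswitch}"
fi
```

Run it as root with `VERIFY_RUN=1 MODULE=<module> sh verify.sh`; a non-zero exit with the offending dmesg lines on stderr means the module was not accepted under the enrolled key.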

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1748983

Title:
  Generate per-machine MOK for dkms signing

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
