** Description changed:

  Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled,
- but contained no way of disabling secure boot for DKMS.
+ but contained no way of disabling secure boot for DKMS. Without this
+ kernel patch it is possible to get your machine in an unbootable state,
+ especially if you don't have a fallback kernel.
  
  This patch set implements the ability to disable secure boot on demand
  from user space (with some password shennaigans). If one boots in secure
  boot mode and then installs a third party module (such as DKMS), then a
  dialog is displayed giving the user an option to disable secure boot,
  thereby also disabling module signature verification. Patch 1/2 is a
  scaffold patch of which only the GUID macros are actually used. The rest
  of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be
  enabled until a later series. Patch 2/2 is where MOKSBState is read and
  implemented. Patch 3/3 simply prints a bit more informative state
  information.
  
  Information regarding secure boot and signed module enforcement will
  appear in the kernel log thusly:
  
  'Secure boot enabled' - normal secure boot operation with signed module 
enforcement.
  'Secure boot MOKSBState disabled' - UEFI Secure boot state has been 
over-ridden by MOKSBState. No signed module enforcement.
  
  In the absense of a 'Secure boot' string assume that secure boot is
  disabled or does not exist.

** Description changed:

  Ubuntu-4.4.0-20.36 was released with signed module enforcement enabled,
- but contained no way of disabling secure boot for DKMS. Without this
- kernel patch it is possible to get your machine in an unbootable state,
- especially if you don't have a fallback kernel.
+ but contained no way of disabling secure boot for DKMS. Without these
+ kernel patches it is possible to get your machine in an unbootable
+ state, especially if you don't have a fallback kernel.
  
  This patch set implements the ability to disable secure boot on demand
  from user space (with some password shennaigans). If one boots in secure
  boot mode and then installs a third party module (such as DKMS), then a
  dialog is displayed giving the user an option to disable secure boot,
  thereby also disabling module signature verification. Patch 1/2 is a
  scaffold patch of which only the GUID macros are actually used. The rest
  of the code is fenced by CONFIG_MODULE_SIG_UEFI which will not be
  enabled until a later series. Patch 2/2 is where MOKSBState is read and
  implemented. Patch 3/3 simply prints a bit more informative state
  information.
  
  Information regarding secure boot and signed module enforcement will
  appear in the kernel log thusly:
  
  'Secure boot enabled' - normal secure boot operation with signed module 
enforcement.
  'Secure boot MOKSBState disabled' - UEFI Secure boot state has been 
over-ridden by MOKSBState. No signed module enforcement.
  
  In the absense of a 'Secure boot' string assume that secure boot is
  disabled or does not exist.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1571691

Title:
  linux: MokSBState is ignored

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1571691/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to