Package: shim-signed-common
Version: 1.44+15.8-1
Severity: minor

shim-signed-common seems to be the origin (slightly hard to tell) of a
dialog during apt dist-upgrade that suggests UEFI Secure Boot must be
disabled to use 3rd party drivers.  It doesn't seem to check whether a
Machine Owner Key is installed in the UEFI trust database and/or
configured for DKMS.  It should check before misleading the user into
disabling a security feature.  (Especially considering the number of
hoops someone had to jump through to set it up, and then take into
consideration someone tech-savvy might have set this up for their
tech-limited political refugee grandparent.)

Relevant config:

/etc/dkms/framework.conf:mok_signing_key=/root/.mok/mok.key
/etc/dkms/framework.conf:mok_certificate=/root/.mok/mok.der

Output of "mokutil --list-enrolled" (abbreviated):

[key 1]
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA
        Subject: CN=Debian Secure Boot CA
    [...snip...]

[key 2]
SHA1 Fingerprint: ...
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=equinox/emailAddress=equi...@diac24.net
        Subject: CN=equinox/emailAddress=equi...@diac24.net



-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (600, 'testing'), (500, 'unstable-debug'), (500, 
'testing-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'stable'), (400, 'unstable'), (300, 'jammy-updates'), 
(300, 'jammy-security'), (300, 'jammy'), (300, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.7+ (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed-common depends on:
ii  debconf [debconf-2.0]  1.5.87
ii  mokutil                0.6.0-2+b1

shim-signed-common recommends no packages.

shim-signed-common suggests no packages.

-- debconf information excluded
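
A sketch of the check the report asks for, added here as an example; it is not part of the original report and not shim-signed code. It reads `mok_signing_key` and `mok_certificate` from the DKMS config and asks `mokutil --test-key` whether that certificate is enrolled. The function names, the `MOKUTIL` override and the matched "is already enrolled" output text are assumptions.

```shell
#!/bin/sh
# Added example (not shim-signed code): decide whether DKMS modules can be
# signed with an enrolled MOK before suggesting Secure Boot be disabled.
# MOKUTIL and the function names are hypothetical; override MOKUTIL to test.
MOKUTIL=${MOKUTIL:-mokutil}

# Print the last uncommented "key=value" setting for key $2 in file $1,
# with one pair of surrounding quotes stripped. Variables are not expanded.
dkms_conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 only if DKMS has a signing key and certificate configured, both
# files are readable, and the certificate is in the enrolled MOK list.
# On failure, print the reason on stdout and return 1.
mok_ready_for_dkms() {
    conf=${1:-/etc/dkms/framework.conf}
    key=$(dkms_conf_value "$conf" mok_signing_key)
    cert=$(dkms_conf_value "$conf" mok_certificate)
    if [ -z "$key" ] || [ -z "$cert" ]; then
        echo "no mok_signing_key/mok_certificate in $conf"; return 1
    fi
    if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
        echo "configured key or certificate is not readable"; return 1
    fi
    # Assumption: mokutil reports "<file> is already enrolled" for a match.
    # Match the text rather than relying on the exit status.
    if "$MOKUTIL" --test-key "$cert" 2>/dev/null | grep -q 'is already enrolled'; then
        return 0
    fi
    echo "$cert is not enrolled as a Machine Owner Key"; return 1
}
```

A maintainer script could call `mok_ready_for_dkms` and show the "disable Secure Boot" dialog only when it returns non-zero, including the printed reason in the message.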
