** Changed in: linux (Ubuntu)
Assignee: Tim Gardner (timg-tpi) => (unassigned)
** Changed in: linux (Ubuntu Yakkety)
Assignee: Tim Gardner (timg-tpi) => (unassigned)
** Changed in: linux (Ubuntu Zesty)
Assignee: Tim Gardner (timg-tpi) => (unassigned)
--
You received this bug noti
Kees - there are archive shenanigans involved in getting a signed kernel
binary, hence the separate package.
Steve - I'm not sure about the rationale for grub booting unsigned
kernels. The foundations team might be able to explain it.
--
You received this bug notification because you are a membe
... why aren't all the kernels just signed? Why does this need to be a
separate package at all?
I can confirm installing the -signed package fixes it for me. Where in
the kernel source does this signature effect the output of
/proc/sys/kernel/secure_boot, though? I can't find that...
--
You rece
Also, is there a reason there isn't at least recommends on the
corresponding -signed packages for the kernel, to try to avoid this
situation? (I realize adding a hard depends would make
building/installing test kernels more difficult.)
--
You received this bug notification because you are a membe
Bah, was missing the linux-signed-generic-hwe-16.04-edge package. Once
that was in place, secure boot enforcement works correctly. Not sure if
that's the cause of Kees' issue as well.
That said, making it more discoverable that (a) secure boot is not being
enforced by the kernel, (b) why it's not
I have reproduced this and can confirm it only affects 4.8 kernels. I
have a Ubuntu 16.04 system with secure boot enabled, and the 4.4 kernels
were enforcing it. Installing and rebooting into the linux-image-
generic-hwe-edge kernel (4.8.0-34.36~16.04.1-generic) and everything
before the kernel thi
the proc handler does:
secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
this feature flag is set at boot:
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot == EFI_SECURE_BOOT) {
set_bit(EFI_SECURE_BOOT, &efi.flags);
enforce_sign
And that must be doing something wrong, since:
sudo efivar -p -n $(efivar --list | grep SecureBoot)
shows "1"
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658255
Title:
Kernel not enforcing modu
And it looks like this is specific to the 4.8 kernel. 4.4 thinks secure
boot is enabled.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658255
Title:
Kernel not enforcing module signatures under Sec
Oh, and that's not set up by the bootloader, it's in
arch/x86/boot/compressed/eboot.c:
boot_params->secure_boot = get_secure_boot();
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658255
Titl
(Hm, dmesg WARN on IOMMU seems to think I need
910170442944e1f8674fd5ddbeeb8ccd1877ea98, but that's unrelated...)
** Attachment added: "dmesg.txt"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658255/+attachment/4809482/+files/dmesg.txt
--
You received this bug notification because
$ cat /proc/sys/kernel/secure_boot
0
That seems weird. Everything else thinks it's enabled. What sets this
one (and what does it represent)?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1658255
Titl
Kees - what is the result of 'cat /proc/sys/kernel/secure_boot' ?
** Also affects: linux (Ubuntu Zesty)
Importance: Undecided
Status: Incomplete
** Also affects: linux (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Zesty)
Status: Incomp
13 matches
Mail list logo
