[Bug 1609209] Re: Disable signature validation on shim without user interactions under secureboot enabled

Ivan Hu ivan.hu at canonical.com
Wed Aug 3 02:52:20 UTC 2016


** Changed in: shim-signed (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1609209

Title:
  Disable signature validation on shim without user interactions under
  secureboot enabled

Status in shim-signed package in Ubuntu:
  Confirmed

Bug description:
  On some secureboot-enabled machines, after updating to kernel 3.19
  without disabling secureboot, some DKMS modules (for example, kernel
  wireless and audio) won't work, because it forces the kernel and
  modules to be signed.

  Considering that end users don't have enough knowledge to use
  "mokutil" to disable the shim signature validation, provide a way to
  disable signature validation on shim without user interaction.

  MokSBStateSet.efi - a UEFI shell application that sets two variables
  (MokSBState and MokSBStateRT) which disable signature validation on
  shim. It should be signed with the Ubuntu key.

  shim_dis_validation.sh - creates a boot entry and sets BootNext to it.
  This boot entry will boot to shim and then, based on the load option
  (second stage boot on shim), execute MokSBStateSet.efi. That's why
  MokSBStateSet.efi needs to be signed and the key must be in the MOK
  database under secureboot enabled. The MOK database already has the
  Canonical key, so MokSBStateSet.efi should be signed with the Ubuntu
  key, so that users don't have to do anything to import a key into the
  MOK database.

  [Execute]
  Put MokSBStateSet-signed.efi and shim_dis_validation.sh in the same folder
  #sudo sh shim_dis_validation.sh

  
  [Test case]
  1. Get the signed MokSBStateSet.efi, MokSBStateSet-signed.efi
  2. Import the key into the MOK database; this is not necessary if MokSBStateSet.efi is signed with the Canonical key
     # mokutil --import MOK.cer
  3. sudo sh shim_dis_validation.sh
  4. Check the DKMS functions

  [Potential issue]
  Shim has a bug that causes the shim second stage to fail, and a fix for it:
  https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1581299
  The load option data in shim_dis_validation.sh will need to be changed according to the shim version in future releases.

  [Todo]
  MokSBStateSet.efi needs to be signed with the Canonical key.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1609209/+subscriptions
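The MokSBState/MokSBStateRT mechanism the report relies on leaves a runtime-visible footprint: shim mirrors the boot-time MokSBState into the runtime-readable MokSBStateRT, which is what `mokutil --sb-state` reports. The following is an added example, not code from the bug report, shim or mokutil, that an administrator can use to audit whether shim validation has been switched off on a host by reading efivarfs. It assumes the standard UEFI global GUID for SecureBoot, shim's MOK GUID, and the 4-byte attribute header that efivarfs prepends to each variable; the sample byte strings are constructed.

```python
import struct
from pathlib import Path

# efivarfs exposes each variable as a 4-byte little-endian attribute word
# followed by the raw payload. GUIDs are assumed from the UEFI spec and shim.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # SecureBoot
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"   # MokSBStateRT


def parse_efivar(raw):
    """Split an efivarfs file into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def shim_validation_state(secureboot_raw, moksbstate_rt_raw):
    """Classify the host from raw efivarfs bytes (None = variable absent).

    Returns 'unknown', 'secureboot-off', 'validation-enabled' or
    'validation-disabled'. Only the last one means shim is running with
    signature checks switched off while firmware Secure Boot is still on.
    """
    if secureboot_raw is None:
        return "unknown"          # no UEFI variables: legacy BIOS or no efivarfs
    _, sb = parse_efivar(secureboot_raw)
    if not sb or sb[0] != 1:
        return "secureboot-off"   # firmware itself is not enforcing
    if moksbstate_rt_raw is None:
        return "validation-enabled"  # shim never mirrored a disable flag
    _, state = parse_efivar(moksbstate_rt_raw)
    return "validation-disabled" if state and state[0] == 1 else "validation-enabled"


def read_var(name, guid):
    path = EFIVARS / f"{name}-{guid}"
    return path.read_bytes() if path.exists() else None


def check_live_system():
    return shim_validation_state(read_var("SecureBoot", EFI_GLOBAL_GUID),
                                 read_var("MokSBStateRT", SHIM_LOCK_GUID))


# Constructed samples: attributes BS|RT (0x6) followed by a one-byte value.
SAMPLE_SB_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_MOK_DISABLED = b"\x06\x00\x00\x00\x01"

if __name__ == "__main__":
    print(check_live_system())
```

A result of `validation-disabled` on a fleet host is worth alerting on, since that is exactly the state the tool in this report produces without any user interaction.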



More information about the foundations-bugs mailing list