[Bug 1829029] Re: Feature request: allow use of update-secureboot-policy for non-DKMS modules

Tue May 14 15:46:01 UTC 2019

By the way, I know that we could get this by just using DKMS for our
modules (and we could still do that if we absolutely had to), but we
prefer not to.  The reason for this is that not all distributions that
we target support DKMS, so we still need to provide our home-grown DKMS
replacement.  We used to support DKMS as well, but because DKMS
occasionally went wrong on users's systems, often enough to be cause us
additional support work, we decided to drop it.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1829029

Title:
  Feature request: allow use of update-secureboot-policy for non-DKMS
  modules

Status in shim-signed package in Ubuntu:
  New

Bug description:
  Already discussed by e-mail/IRC with Mathieu.  We (the VirtualBox
  team) would like to call update-secureboot-policy to enroll a signing
  key when we install our host kernel modules on Ubuntu/Debian systems.
  However, currently the tool exits if no DKMS modules are found.  This
  patch would add a "--force" parameter which would let us call the tool
  interactively as part of our installation scripts even if DKMS was not
  installed.  Not sure how or if we should handle the new DKMS list in
  non-interactive mode.

  ProblemType: Bug
  DistroRelease: Ubuntu 19.04
  Package: shim-signed 1.39+15+1533136590.3beb971-0ubuntu1
  ProcVersionSignature: Ubuntu 5.0.0-13.14-generic 5.0.6
  Uname: Linux 5.0.0-13-generic x86_64
  .proc.sys.kernel.moksbstate_disabled: Error: [Errno 2] Нет такого файла или каталога: '/proc/sys/kernel/moksbstate_disabled'
  ApportVersion: 2.20.10-0ubuntu27
  Architecture: amd64
  CasperVersion: 1.405
  CurrentDesktop: ubuntu:GNOME
  Date: Tue May 14 16:56:38 2019
  EFITables:
   Mai 13 11:05:20 michael-ThinkPad-T470 kernel: efi: EFI v2.50 by Lenovo
   Mai 13 11:05:20 michael-ThinkPad-T470 kernel: efi:  SMBIOS=0x9a6d8000  SMBIOS 3.0=0x9a6d5000  ACPI=0x9b5fe000  ACPI 2.0=0x9b5fe014  ESRT=0x9a5a2000  MEMATTR=0x9532e298  TPMEventLog=0x8e96d018
   Mai 13 11:05:20 michael-ThinkPad-T470 kernel: secureboot: Secure boot enabled
   Mai 13 11:05:20 michael-ThinkPad-T470 kernel: esrt: Reserving ESRT space from 0x000000009a5a2000 to 0x000000009a5a2088.
   Mai 13 11:05:21 michael-ThinkPad-T470 kernel: Bluetooth: hci0: Secure boot is enabled
  InstallationDate: Installed on 2018-06-12 (335 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  LiveMediaBuild: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  SecureBoot: 6   0   0   0   1
  SourcePackage: shim-signed
  UpgradeStatus: Upgraded to disco on 2019-03-26 (49 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1829029/+subscriptions