Signed module enforcement patches for

Mathieu Trudel-Lapierre mathieu.trudel-lapierre at canonical.com
Thu Jun 16 14:34:22 UTC 2016


On Thu, Jun 16, 2016 at 4:49 PM, Tim Gardner <tim.gardner at canonical.com>
wrote:

> These patches in support of
> (
> https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot
> )
> have languished on this list since late April. All of the kernels have
> been built and tested by myself and Mathieu Trudel-Lapierre. Andy
> Whitcroft has asserted to me in private that they are difficult to
> review and can only really be tested for functionality. Furthermore,
> this patch set has been released in Xenial in a substantially similar form.
>
> Therefore I propose to apply them for this SRU cycle with the
> enforcement config option disabled. This at least exercises some of the
> more complex code that accesses the UEFI firmware.
>
> git://kernel.ubuntu.com/rtg/ubuntu-trusty.git
> lts-backport-utopic-enforce-signed-modules
> git://kernel.ubuntu.com/rtg/ubuntu-wily.git enforce-signed-modules
> git://kernel.ubuntu.com/rtg/ubuntu-vivid.git enforce-signed-modules
>
> All opposed say Aye.
>
>
Aye, provisionally.

I've tested xenial and trusty to some level of confidence; both seem to
work correctly at least with the latest lts-* kernels where appropriate. I
have yet to test wily and precise -- trusty and xenial did take time to
carefully make sure you could upgrade packages within the release (either
installing dkms packages after the SRU applied, or installing DKMS and then
the SRU) and then upgrading to a newer release (trusty->xenial and
xenial->yakkety). All of these are upgrade paths that need to continue to
work.

I'm not opposed to doing the SRU for these two releases, but it does need
to land *along* with the userland packages that allow using the
functionality.


-- 

Mathieu Trudel-Lapierre <mathieu.trudel-lapierre at canonical.com>
Freenode: cyphermox, Jabber: mathieu.tl at gmail.com
4096R/65B58DA1 818A D123 0992 275B 23C2  CF89 C67B B4D6 65B5 8DA1