Ubuntu 16.04 Secure Boot Policy

Kaosu NA kaosulab at gmail.com
Sun Jul 3 20:25:23 UTC 2016


I found a few typos that need to be corrected to avoid confusion:

1) /etc/kernel/postint.d should be /etc/kernel/postinst.d

2) The suggested command for the script in the above directory should be:

/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /path/to/keys/VBOX.priv /path/to/keys/VBOX.der $(modinfo -n vboxdrv)





On Sun, Jul 3, 2016 at 3:18 PM, Kaosu NA <kaosulab at gmail.com> wrote:

> I do not see why the developers have chosen to prompt users to disable
> secure boot in order to install third-party drivers. While I understand
> that Canonical is unable to use their key to sign kernel modules generated
> by DKMS, it would be trivial to generate, sign and import a key for select
> third-party drivers. For example, it would be easy to package a third-party
> driver with a post-installation script to issue the following commands:
>
> Using VirtualBox as an example:
>
> # openssl req -new -x509 -newkey rsa:2048 -keyout /path/to/keys/VBOX.priv -outform DER -out /path/to/keys/VBOX.der -nodes -days 36500 -subj "/CN=Canonical/"
>
> # /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /path/to/keys/VBOX.priv /path/to/keys/VBOX.der $(modinfo -n vboxdrv)
>
> # mokutil --import /path/to/keys/VBOX.der
>
> Then all you would need to do is create a script to update the keys every
> time there is a kernel upgrade. A script could be created and stored
> in /etc/kernel/postint.d with the following commands:
>
> # /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 VBOX.priv VBOX.der $(modinfo -n vboxdrv)
>
> # mokutil --import /path/to/keys/VBOX.der
>
> Now the user will be able to reboot their machine, enter the password
> given when prompted by mokutil to supply one, and follow the on-screen
> instructions to import the key. Now users will be able to install
> third-party drivers without being forced to disable secure boot.
>
> I believe this solution is far better than the current approach to
> completely disable secure boot when a user tries to install third-party
> drivers. Not only will something like this be more user-friendly, but it
> also allows a large number of Ubuntu users to take advantage of a modern
> security technology without giving up usability.
>
> Thank you in advance for taking my feedback into consideration.
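The kernel-upgrade hook described in the message above, as an added example that is not part of the original post or of any Ubuntu package: it signs the module for the newly installed kernel (kernel hooks receive that version as $1), refuses to use a private key that group or other can access, and skips a module that already carries a signature. The hook file name, the KEY_DIR and MODULE variables and the function names are assumptions; it also assumes the key was already enrolled once with mokutil --import and that the module is an uncompressed .ko file.

```shell
#!/bin/sh
# Added example (hypothetical hook, e.g. /etc/kernel/postinst.d/zz-sign-vboxdrv,
# named so that it sorts after the hook that builds DKMS modules).
KEY_DIR="${KEY_DIR:-/path/to/keys}"   # placeholder path, as in the post
MODULE="${MODULE:-vboxdrv}"

# True if the file ends with the kernel's module-signature trailer
# ("~Module signature appended~" plus newline, 28 bytes).
is_signed() {
    tail -c 28 -- "$1" 2>/dev/null | grep -qxF '~Module signature appended~'
}

# True if the key file grants no permissions to group or other.
key_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

sign_for_kernel() {
    kver="$1"
    signer="/usr/src/linux-headers-$kver/scripts/sign-file"
    # Look the module up under the new kernel, not the running one.
    # If it has not been built for that kernel, there is nothing to sign.
    mod="$(modinfo -k "$kver" -n "$MODULE" 2>/dev/null)" || return 0
    [ -f "$mod" ] || return 0
    if ! key_is_private "$KEY_DIR/VBOX.priv"; then
        echo "refusing to sign: $KEY_DIR/VBOX.priv is group/world accessible" >&2
        return 1
    fi
    # Signing twice would append a second signature; skip signed modules.
    is_signed "$mod" && return 0
    "$signer" sha256 "$KEY_DIR/VBOX.priv" "$KEY_DIR/VBOX.der" "$mod"
}

# Run only when invoked as a hook with a kernel version argument.
if [ "$#" -ge 1 ]; then
    sign_for_kernel "$1"
fi
```

Because the private key is generated with -nodes and stored unencrypted, anyone who can read it can sign modules the firmware-enrolled key will vouch for, which is why the hook checks its permissions before use.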