got the other single failure case and confirm it's caused by another
mistake.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939565
Title:
kernel signed by mok failed to boot if secure boot is on
T
per my current test on i+n, it works fine.
There seems to be some other single failure case; still waiting for the
machine to be available.
Given so, close it here for now.
** Changed in: oem-priority
Status: Confirmed => Fix Released
** Changed in: oem-priority
Status: Fix Released => Inv
On Sun, Aug 29, 2021 at 09:02:38PM -, Jacob wrote:
> Could we add an option to `update-secureboot-policy` so that it can
> generate a key that works for signing modules & kernels ?
This would be a low priority to change, and we would need to take a good
deal of care around the user interface
The test passes on the UMA machine. I heard there is a failed case on I+N; I will
also test on that.
--
Hi Ivan, per check, I do add "-config /usr/lib/shim/mok/openssl.cnf" as
create mok for kernel in development mode. I'll re-create a key and
update test result.
--
Follow up the tests for comment#12,
the same test kernel v5.14.0-rc7 signed with the original created key in
/var/lib/shim-signed/test_kernel will not boot up with getting the
invalid signature error.
compare the keys between /var/lib/shim-signed/test_kernel and
comment#12(/var/lib/test_ker/), th
Hi Steve Langasek,
Could we add an option to `update-secureboot-policy` so that it can generate a
key that works for signing modules & kernels ?
As an aside, if an attacker has compromised a system and they generate a
signing key ... they could modify and attempt to enrol a key that allows
kernel
A signed kernel module and a signed kernel have different security
properties: a signed kernel has access to the firmware state prior to
calling ExitBootServices, a module does not. So, no, this
implementation in the shim package which was implemented specifically to
support dkms modules should no
Hi Steve Langasek,
If an attacker is able to sign a custom kernel module & compromise a system via
that means is there a reason to restrict the rather easy to use
`update-secureboot-policy --new-key` method to only kernel modules? (Can we
modify it to allow signing kernels in addition to kernel
The original bug report does not say how the MOK has been generated.
If it is generated using the maintainer script integrations in shim-
signed (the update-secureboot-policy command), note that the openssl
config in /usr/lib/shim/mok/openssl.cnf generates a key which is
specifically annotated as
Got the Latitude 7520 machine; from the shim's log, it seems something is
wrong in the self-signed certificate and the binary is not authorized.
Also did some tests, basically based on comment#6: installed another test
kernel and signed/enrolled it with another MOK key manually.
1. install test kernel(u
AI: the message scrolls up, so let me pass the machine to Ivan.
--
Test again with my UEFI develop kit(RainbowPass) platform by following
procedures and still cannot reproduce this issue.
1. install focal
2. update shim-signed to 1.40.6+15.4.0ubuntu7 and grub2 to 2.04-1ubuntu26.12
3. install mainline kernel(unsigned),
https://kernel.ubuntu.com/~kernel-ppa/mainl
AI: $ sudo mokutil --set-verbose true, and capture the log.
--
After signing kernel modules and enrolling the key to MOK, still cannot
reproduce this with my UEFI develop kit(RainbowPass) platform.
--
Could you also enroll a MOK for the kernel module?
(One MOK for the kernel and the other for the kernel module)
It seems two MOKs will confuse shim.
--
Manually test with my UEFI develop kit(RainbowPass) platform by
following procedures and cannot reproduce this issue.
1. install focal
2. update shim-signed to 1.40.6+15.4.0ubuntu7 and grub2 to 2.04-1ubuntu26.12
3. install mainline kernel(unsigned),
https://kernel.ubuntu.com/~kernel-ppa/mainline/
** Tags added: oem-priority
--
Note: upgrading the following packages
shim-signed: 1.40.7+15.4-0ubuntu9
grub-common 2.04-1ubuntu26.13
grub2-common 2.04-1ubuntu26.13
from the proposed channel does not help.
--
as this is reproduced, grub version
# dpkg -l |grep grub
ii  grub-common  2.04-1ubuntu26.12  amd64  GRand Unified Bootloader (common files)
ii grub-efi-amd64 2.04-1ubuntu44.2
@ycheng-twn
Have you also updated the Grub2?
--
@ycheng-twn
I try to update my manifest and install iso on DLPN-MT-EVT-C1/BIOS 0.10.28.
The ISO is
http://10.101.46.50:8080/job/dell-bto-focal-fossa-davos-adl/lastSuccessfulBuild/artifact/out/dell-bto-focal-fossa-davos-adl-X142-20210812-9.iso
I can finish the installation and the secure boot is
downgrade shim-signed to 1.40.4+15+1552672080.a4a1fbe-0ubuntu2 and
shim 15+1552672080.a4a1fbe-0ubuntu2
Then I can't reproduce this issue.
** Changed in: oem-priority
Assignee: (unassigned) => Yuan-Chen Cheng (ycheng-twn)
--