update-secureboot-policy --enable does not work after dkms modules removed
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
shim-signed (Ubuntu) | Fix Released | Medium | Mathieu Trudel-Lapierre | |
Trusty | Fix Released | Undecided | Unassigned | |
Xenial | Fix Released | Undecided | Unassigned | |
Yakkety | Fix Committed | Undecided | Unassigned | |
Zesty | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
Re-enabling Secure Boot after DKMS packages are no longer needed is useful to benefit from the extra security afforded by having all bits of the bootloader and kernel signed by a proper key.
[Test Case]
(on a system with SHIM validation disabled)
1- Remove all dkms modules
2- Attempt to run 'sudo update-
3- Observe the behavior.
With the fixed update-
[Regression Potential]
Possible regression from this update would be changes to expected behavior of the update-
---
If I have disabled secureboot on my system via update-
I think either the check for /var/lib/dkms should only apply when update-
Changed in shim-signed (Ubuntu):
importance: Undecided → Medium
Changed in shim-signed (Ubuntu):
status: New → Triaged
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
description: updated
This bug was fixed in the package shim-signed - 1.30
---------------
shim-signed (1.30) artful; urgency=medium
* update-secureboot-policy: track the installed DKMS modules so we can skip
failing unattended upgrades if they hasn't changed (ie. if no new DKMS
modules have been installed, just honour the user's previous decision to
not disable shim validation). (LP: #1695578)
* update-secureboot-policy: allow re-enabling shim validation when no DKMS
packages are installed. (LP: #1673904)
* debian/source_shim-signed.py: add the textual representation of SecureBoot
and MokSBStateRT EFI variables rather than just adding the files directly;
also, make sure we include the relevant EFI bits from kernel log.
(LP: #1680279)
-- Mathieu Trudel-Lapierre <email address hidden> Fri, 23 Jun 2017 14:37:21 -0400
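
The 1.30 changelog above has the apport hook report SecureBoot and MokSBStateRT as text, and the report itself turns on the /var/lib/dkms check. The following is an added example, not the package's own code: it decodes both variables from efivarfs and lists DKMS module directories. The `reenable_candidate` rule, the helper names and the sample tree are assumptions made for illustration.

```python
import os
import struct
import tempfile

EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global variable GUID
SHIM_LOCK = "605dab50-e046-4300-abb6-3dd810dd8b23"   # shim's MOK variable GUID

def read_efi_flag(efivars_dir, name, guid):
    """First data byte of an efivarfs variable, or None if absent or empty."""
    try:
        with open(os.path.join(efivars_dir, f"{name}-{guid}"), "rb") as fh:
            raw = fh.read()
    except FileNotFoundError:
        return None
    # efivarfs prepends a 4-byte little-endian attribute word to the data.
    return raw[4] if len(raw) > 4 else None

def dkms_modules(dkms_dir):
    """Module directories under the DKMS tree; plain files are ignored."""
    try:
        names = os.listdir(dkms_dir)
    except FileNotFoundError:
        return []
    return sorted(n for n in names if os.path.isdir(os.path.join(dkms_dir, n)))

def describe(efivars_dir="/sys/firmware/efi/efivars", dkms_dir="/var/lib/dkms"):
    sb = read_efi_flag(efivars_dir, "SecureBoot", EFI_GLOBAL)
    mok = read_efi_flag(efivars_dir, "MokSBStateRT", SHIM_LOCK)
    mods = dkms_modules(dkms_dir)
    # MokSBStateRT == 1 means shim validation has been switched off.
    shim = "disabled" if mok == 1 else ("enabled" if sb is not None else "unknown")
    return {
        "secure_boot": {0: "disabled", 1: "enabled"}.get(sb, "unknown"),
        "shim_validation": shim,
        "dkms_modules": mods,
        # Assumed condition, not the package's logic: validation is off and
        # no DKMS module directory remains to justify keeping it off.
        "reenable_candidate": mok == 1 and not mods,
    }

def constructed_sample(with_dkms_module):
    """Build a throwaway tree with constructed variable contents and describe it."""
    root = tempfile.mkdtemp()
    efi, dkms = os.path.join(root, "efivars"), os.path.join(root, "dkms")
    os.makedirs(efi)
    os.makedirs(os.path.join(dkms, "example-module") if with_dkms_module else dkms)
    for name, guid in (("SecureBoot", EFI_GLOBAL), ("MokSBStateRT", SHIM_LOCK)):
        with open(os.path.join(efi, f"{name}-{guid}"), "wb") as fh:
            fh.write(struct.pack("<IB", 0x6, 1))  # attributes, then value 1
    return describe(efi, dkms)
```

Calling `describe()` with no arguments reads the live paths on an EFI system; `constructed_sample()` exercises the same logic on a temporary tree.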