Implementing unsigned kernel handling/DKMS for SecureBoot in the installer

Registered by Mathieu Trudel-Lapierre

Implementing the use of DKMS and unsigned kernels in light of upcoming requirement to enforce kernel signatures by default with Secure Boot.

Blueprint information

Steve Langasek
Mathieu Trudel-Lapierre
Needs approval
Mathieu Trudel-Lapierre
Series goal:
Good progress
Milestone target:
Started by
Mathieu Trudel-Lapierre


In the light of the need to allow only signed kernels by default, we need to make it possible for users to return to previous behavior (using a signed kernel if available, but not enforcing its signature or module signatures).

This is especially necessary for users who require specific kernel modules built via dkms (since those would not be signed by the Ubuntu key), or users building their own kernel.

shim/MokManager already provides us with a method to do this: the MokSB variable, which can be hinted for MokManager by using the mokutil package (mokutil --disable-verification). Toggling this requires a one-time password which will be asked for after a reboot (and that reboot will automatically go into MokManager).

This further requires implementing a panel in the installer and/or in UbuntuDrivers to let users type in a password for mokutil, if signature enforcement will be turned off. We will allow this in the installer for ease-of-use, but more importantly in UbuntuDrivers which will be the main user of mokutil to toggle signature verification in shim.


Work Items

Work items:
Get feedback from the Design team for new installer/drivers UI: DONE
Implement new installer panel: DONE
Implement new dkms upgrade path: DONE
Implement grub upgrade path for DKMS modules: DONE
Ensure all new kernels enforce module signing by default: DONE
SRU mokutil to Precise: DONE
SRU mokutil to Trusty: DONE
SRU efivar to Precise: DONE
SRU efivar to Trusty: DONE
SRU shim-signed to Precise: DONE
SRU shim-signed to Trusty: DONE
SRU shim-signed to Xenial: DONE
SRU dkms to Trusty: DONE
SRU dkms to Xenial: DONE
SRU grub2 to Trusty: DONE
SRU grub2 to Xenial: DONE

Work items for later:
Rotate archive signing keys: TODO
Revoke the old signing key: TODO
Publish new shim with new keys: TODO
figure out how to unmap keyboard for mokutil prompt, since the keymap in UEFI will always be in qwerty: TODO
replace secureboot disabling with support for adding a local user-controlled key to Mok and storing it securely on the system: TODO
Discuss MokManager password entry experience with pjones: INPROGRESS
Complete Yakkety shim/shim-signed/grub2/grub2-signed SRU: INPROGRESS
Complete Xenial shim/shim-signed/grub2/grub2-signed SRU: INPROGRESS
Complete Trusty shim/shim-signed/grub2/grub2-signed SRU: INPROGRESS

This blueprint contains Public information 
Everyone can see this information.