Ubuntu

Implementing unsigned kernel handling/DKMS for SecureBoot in the installer

Registered by Mathieu Trudel-Lapierre on 2015-11-10

Implementing the use of DKMS and unsigned kernels in light of upcoming requirement to enforce kernel signatures by default with Secure Boot.

Read the full specification

Blueprint information

Status:: Started

Approver:: Steve Langasek

Priority:: Undefined

Drafter:: Mathieu Trudel-Lapierre

Direction:: Needs approval

Assignee:: Mathieu Trudel-Lapierre

Definition:: New

Series goal:: None

Implementation:: Good progress

Milestone target:: None

Started by: Mathieu Trudel-Lapierre on 2017-01-10

Related branches

Related bugs

Bug #1571388: grub-efi-amd64: prompted to disable SecureBoot on upgrade from 2.02~beta2-36ubuntu2 to 2.02~beta2-36ubuntu3	Won't Fix
Bug #1574727: [SRU] Enforce using signed kernels and modules on UEFI	Fix Released
Bug #1604936: Please document command-line options with --help and when called incorrectly	Fix Released

Sprints

Whiteboard

In the light of the need to allow only signed kernels by default, we need to make it possible for users to return to previous behavior (using a signed kernel if available, but not enforcing its signature or module signatures).

This is especially necessary for users who require specific kernel modules built via dkms (since those would not be signed by the Ubuntu key), or users building their own kernel.

shim/MokManager already provides us with a method to do this: the MokSB variable, which can be hinted for MokManager by using the mokutil package (mokutil --disable-verification). Toggling this requires a one-time password which will be asked for after a reboot (and that reboot will automatically go into MokManager).

This further requires implementing a panel in the installer and/or in UbuntuDrivers to let users type in a password for mokutil, if signature enforcement will be turned off. We will allow this in the installer for ease-of-use, but more importantly in UbuntuDrivers which will be the main user of mokutil to toggle signature verification in shim.

(?)

Work Items

Work items:
Get feedback from the Design team for new installer/drivers UI: DONE
Implement new installer panel: DONE
Implement new dkms upgrade path: DONE
Implement grub upgrade path for DKMS modules: DONE
Ensure all new kernels enforce module signing by default: DONE
SRU mokutil to Precise: DONE
SRU mokutil to Trusty: DONE
SRU efivar to Precise: DONE
SRU efivar to Trusty: DONE
SRU shim-signed to Precise: DONE
SRU shim-signed to Trusty: DONE
SRU shim-signed to Xenial: DONE
SRU dkms to Trusty: DONE
SRU dkms to Xenial: DONE
SRU grub2 to Trusty: DONE
SRU grub2 to Xenial: DONE

Work items for later:
Rotate archive signing keys: TODO
Revoke the old signing key: TODO
Publish new shim with new keys: TODO
figure out how to unmap keyboard for mokutil prompt, since the keymap in UEFI will always be in qwerty: TODO
replace secureboot disabling with support for adding a local user-controlled key to Mok and storing it securely on the system: TODO
Discuss MokManager password entry experience with pjones: INPROGRESS
Complete Yakkety shim/shim-signed/grub2/grub2-signed SRU: INPROGRESS
Complete Xenial shim/shim-signed/grub2/grub2-signed SRU: INPROGRESS
Complete Trusty shim/shim-signed/grub2/grub2-signed SRU: INPROGRESS

This blueprint contains Public information

Everyone can see this information.

Subscribers

Anthony Wong

Ivan Hu

Leann Ogasawara

Mathieu Trudel-Lapierre

Tim Gardner

Victor Perevertkin