kernel - Why disabling "Secure Boot" is enforced policy when installing 3rd party modules - Ask Ubuntu
when installing 16.04, asked turn off "secure boot" if wanted install 3rd party modules/drivers.
i did not comply.
and when installed manually 3rd party drivers use (bcmwl-kernel-source), asked again (during installation of package) turn off "secure boot".
using bcmwl-kernel-source fine secure boot in 15.10. not seem related bug me.
so ubuntu refuse sign anymore 3rd party drivers/modules make work (??) "secure boot". or seem consider 3rd party modules insecure , breaking "secure boot" hence inforcing disable make clear ?? right ?
this not bug, feature.
as anthony wong says, when install dkms package compiling package yourself, thus, canonical cannot sign module you.
however, can use secure boot, use case secure boot trying protect because cannot know whether trust module or don't.
by default, there platform key (pk) on uefi machine, trusted certificate authority loading code in processor.
grub, or shim, or other boot mechanisms can digitally signed kek trusted root ca (pk), , computer can, without configuration, boot software ubuntu live usb/dvds.
on ubuntu 16.04 kernel built config_module_sig_force=1, means the kernel enforce modules signed trusted key in platform. take consideration uefi platform default contains pk not have control over, , cannot sign binaries key recognized own machine.
some people bash , rant against that, there no better way (from security standpoint) being enrolls new key want.
if boot system uses shim, can use called machine owner's key database, , enroll key mok (you can mokutil). if don't, can enroll key in uefi database signing key.
after enroll key, can sign dkms-built package mok (there should perl script @ /usr/src/kernels/$(uname -r)/scripts/sign-file
), , after signed, can load kernel.
granted, should make more visual instructions on this, , make wizard or better dkms standard allow keys taken consideration, have of now.
Comments
Post a Comment