
I have a strange behavior after upgrading my PC from wily to xenial (both Kubuntu flavor). Before and after the upgrade I have two "ubuntu" boot options in my BIOS. Here you can see the values behind each entry under xenial:

stephane@nausicaa:~$ sudo efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0000
Boot0000  ubuntu        HD(1,GPT,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,0x800,0x64000)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* ubuntu        HD(1,GPT,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,0x800,0x64000)/File(EFI\Ubuntu\grubx64.efi)

With wily I have been using shimx64 (first entry) and the NVIDIA proprietary driver without issues. Since the upgrade to xenial shimx64 (first entry) doesn't load the NVIDIA proprietary driver. I have to use grubx64 instead (second entry).

When I use grubx64 I find the following entries for "nvidia" or "NVRM" in the kernel log:

nvidia: module license 'NVIDIA' taints kernel.
nvidia: module verification failed: signature and/or required key missing - tainting kernel
[drm] Initialized nvidia-drm 0.0.0 20150116 for 0000:01:00.0 on minor 0
NVRM: loading NVIDIA UNIX x86_64 Kernel Module  340.96  Sun Nov  8 22:33:28 PST 2015
nvidia_uvm: Loaded the UVM driver, major device number 245
NVRM: Your system is not currently configured to drive a VGA console
NVRM: on the primary VGA device. The NVIDIA Linux graphics driver
NVRM: requires the use of a text-mode VGA console. Use of other console
NVRM: drivers including, but not limited to, vesafb, may result in
NVRM: corruption and stability problems, and is not supported.

When I use shimx64 there is no entry for "nvidia" or "NVRM" in the kernel log, not even error messages.

I used to believe that shimx64 is just a signed chainloader for grubx64, but from the differences in the kernel log it is obviously not so simple. Does anyone have an explanation for what happens there? Could it have something to do with the digital signature of the drivers?

1 Answer

NVIDIA does not sign its proprietary video driver. The Linux kernel always checks for signatures in kernel modules, even with secure boot disabled. When I use grubx64 I can see this message:

kernel: nvidia: module verification failed: signature and/or required key missing - tainting kernel

This is not an error since secure boot is disabled; the NVIDIA proprietary video driver still works. The funny part is that when I use shimx64 this message does not appear. The NVIDIA driver is skipped by the kernel without any message. I can tell that secure boot is enabled because of this message:

kernel: Secure boot enabled

  • I just found background information for my problem: http://askubuntu.com/a/765601/402224 – Stéphane Tréboux Jul 14 '16 at 08:30
  • And BTW here is how I swapped the boot order in my UEFI and "fixed" the issue: sudo efibootmgr -o 1,0 – Stéphane Tréboux Jul 14 '16 at 08:36
  • seems like a vulnerability to me – lurscher May 19 '18 at 16:35
  • Honestly I don't understand which part of secure boot is secure. To me it looks more like a self-imposed quality check for proprietary operating systems, primarily Microsoft Windows. If an attacker manages to do system changes (requiring root) like installing a compromised driver he may as well install his own keys and run anything he wants or use shim which will happily give the control to any boot manager (see https://mjg59.dreamwidth.org/20303.html). Secure boot does not prevent your computer from running compromised software, it only requires the binaries to be signed. – Stéphane Tréboux May 19 '18 at 19:01
  • Yes, but what is the benefit of that? An attacker who manages to manipulate your system locally (root privilege) can generate a valid signature too; an attacker who remotely manipulates the installation package (taking over the repo) goes undetected. The only point I could see is if NVIDIA provided the signature (they don't) and the end user only had to install their root of trust once, OR if you are using more modules which do it correctly (provide the signature and a root of trust) and you want to have them checked even though the NVIDIA driver cannot be effectively checked. – Stéphane Tréboux Feb 21 '21 at 00:47
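As an added example (my own code, not part of the question, the answer or any Ubuntu tool), the following Python script shows how a defender can turn the two observations above into a repeatable check: it parses `efibootmgr -v` output to see which loader (shimx64 or grubx64) the firmware actually booted, and it classifies kernel log lines into "unsigned module loaded and tainted" versus "Secure Boot on, module never appeared". The sample output and log lines are constructed from the ones quoted on this page (disk GUIDs masked); the verdict strings and the `Finding` structure are my own naming. The check can only reason from what the log contains, so "module never appeared" is an inference from silence, exactly the situation the answer describes, not a message the kernel printed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `sudo efibootmgr -v`, modelled on the question (GUIDs masked).
SAMPLE_EFIBOOTMGR = r"""
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0000
Boot0000  ubuntu        HD(1,GPT,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,0x800,0x64000)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* ubuntu        HD(1,GPT,xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx,0x800,0x64000)/File(EFI\Ubuntu\grubx64.efi)
""".strip()

# Constructed kernel log excerpt for the grubx64 boot (Secure Boot off).
GRUB_LOG = """\
nvidia: module license 'NVIDIA' taints kernel.
nvidia: module verification failed: signature and/or required key missing - tainting kernel
[drm] Initialized nvidia-drm 0.0.0 20150116 for 0000:01:00.0 on minor 0
NVRM: loading NVIDIA UNIX x86_64 Kernel Module  340.96  Sun Nov  8 22:33:28 PST 2015
nvidia_uvm: Loaded the UVM driver, major device number 245
"""

# Constructed kernel log excerpt for the shimx64 boot (Secure Boot on, driver silent).
SHIM_LOG = """\
Secure boot enabled
usbcore: registered new interface driver usbfs
"""

# BootXXXX entry: hex number, optional '*' for active, label, then the device path.
BOOT_ENTRY = re.compile(
    r"^Boot(?P<num>[0-9A-Fa-f]{4})(?P<active>\*?)\s+(?P<label>.+?)\s+(?P<path>HD\(.*)$"
)


def parse_boot_entries(text):
    """Return (BootCurrent, {num: {label, active, loader}}) from efibootmgr -v output."""
    current = None
    entries = {}
    for line in text.splitlines():
        if line.startswith("BootCurrent:"):
            current = line.split(":", 1)[1].strip()
            continue
        m = BOOT_ENTRY.match(line)
        if not m:
            continue
        # Keep only the file name of the loader; firmware paths use backslashes.
        file_part = m.group("path").rsplit("File(", 1)[1].rstrip(")")
        loader = file_part.replace("\\", "/").rsplit("/", 1)[-1].lower()
        entries[m.group("num")] = {
            "label": m.group("label").strip(),
            "active": m.group("active") == "*",
            "loader": loader,
        }
    return current, entries


def current_loader(text):
    """Name of the EFI binary the firmware booted this time (e.g. grubx64.efi)."""
    current, entries = parse_boot_entries(text)
    return entries[current]["loader"] if current in entries else None


@dataclass
class Finding:
    secure_boot: bool
    module_seen: bool
    unsigned: bool
    verdict: str


def diagnose(kernel_log, module="nvidia"):
    """Classify a kernel log excerpt with respect to one out-of-tree module."""
    lines = kernel_log.splitlines()
    secure_boot = any("Secure boot enabled" in ln for ln in lines)
    # NVRM is the NVIDIA runtime prefix; match it alongside the module name.
    pattern = re.compile(rf"{re.escape(module)}|NVRM", re.IGNORECASE)
    module_seen = any(pattern.search(ln) for ln in lines)
    unsigned = any("module verification failed" in ln for ln in lines)

    if module_seen and unsigned:
        verdict = "unsigned-loaded-tainted"      # SB off: kernel loads it and taints
    elif module_seen:
        verdict = "signed-loaded"                # signature accepted, no taint line
    elif secure_boot:
        verdict = "not-loaded-secure-boot"       # the silent case from the answer
    else:
        verdict = "not-loaded-unknown"           # absent, and SB off: look elsewhere
    return Finding(secure_boot, module_seen, unsigned, verdict)


if __name__ == "__main__":
    print("booted via:", current_loader(SAMPLE_EFIBOOTMGR))
    print("grubx64 boot:", diagnose(GRUB_LOG))
    print("shimx64 boot:", diagnose(SHIM_LOG))
```

On a live machine the two inputs would come from `sudo efibootmgr -v` and `journalctl -k` (or `dmesg`); the script deliberately takes them as strings so it can be run against saved logs from an incident or a CI boot test. The "not-loaded-secure-boot" verdict is the one to alert on when a driver is expected: it is the quiet failure the answer describes, and it is invisible to anyone only grepping for errors.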