I have an EFI system with my own keys and Canonical's keys in db. Today I realized that the EFI system or grub allows running an unsigned kernel. Is that good? I have a vmlinuz-4.8.0-27-lowlatency.efi.signed, which is signed by Canonical, and vmlinuz-4.8.0-28-lowlatency, which is unsigned. Both are working. But how? Shouldn't Secure Boot prevent loading an unsigned kernel?
Asked by QkiZ
- https://wiki.ubuntu.com/SecurityTeam/SecureBoot#Verifying_the_signature_on_a_signed_PE.2FCOFF_or_signed_kernel_image. It will boot an unsigned kernel and unsigned kernel modules if secure boot is disabled in your bios. – Panther Nov 16 '16 at 19:35
- "confirm that Secure Boot was enabled by reading /sys/kernel/security/securelevel, which will contain 1 if it was" - https://womble.decadent.org.uk/blog/experiments-with-signed-kernels-and-modules-in-debian.html – Panther Nov 16 '16 at 19:38
- What version of Ubuntu are you running? I thought 16.04 started complaining about unsigned kernel modules (like Nvidia) with secure boot enabled. – ubfan1 Nov 16 '16 at 20:11
- Secure boot is enabled. Keys are in PK. I'm running Ubuntu 16.10. Yes, since 16.04 I sign modules myself; my keys are in db, so Nvidia or VirtualBox work without any problems. But now I see that I'm able to load an unsigned Linux image and then load unsigned modules. – QkiZ Nov 16 '16 at 20:26
- So secure boot is not working. File a bug report - https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532 – Panther Nov 16 '16 at 21:22
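An added example (not from the question or any of the commenters) for the two checks the comments point at: reading the firmware's SecureBoot variable through efivarfs to confirm enforcement is actually on, and testing whether a kernel image is a PE/COFF file that carries an embedded Authenticode certificate table. The efivarfs path and the constructed sample header are assumptions.

```python
import struct
from pathlib import Path
from typing import Optional

# Assumed efivarfs mount; the GUID is the standard EFI global variable namespace.
SECUREBOOT_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")


def secure_boot_enabled(raw: bytes) -> Optional[bool]:
    """efivarfs files begin with a 4-byte attribute word, then the variable data.
    SecureBoot's data is one byte: 1 = enforcing, 0 = disabled/setup mode."""
    if len(raw) < 5:
        return None  # variable absent or truncated: cannot claim enforcement
    return raw[4] == 1


def pe_has_authenticode(data: bytes) -> bool:
    """True if the PE image has a non-empty Certificate Table (data directory
    entry 4), i.e. it carries an embedded Authenticode signature that shim or
    the firmware can verify against db."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False  # not a PE/COFF image (e.g. a bare bzImage or ELF)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header.
    cert_off = opt + (96 if magic == 0x10B else 112) + 4 * 8
    if cert_off + 8 > len(data):
        return False
    file_off, size = struct.unpack_from("<II", data, cert_off)
    return file_off != 0 and size != 0


def build_fake_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ header (sample input, not a real kernel)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"\0" * 20
    opt = struct.pack("<H", 0x20B) + b"\0" * (112 - 2)
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 4 * 8, 0x1000 if cert_size else 0, cert_size)
    return dos + b"PE\0\0" + coff + opt + bytes(dirs)


if __name__ == "__main__":
    import sys
    state = secure_boot_enabled(SECUREBOOT_VAR.read_bytes()) if SECUREBOOT_VAR.exists() else None
    print("SecureBoot enforcing:", state)
    for image in sys.argv[1:]:
        print(image, "signed PE" if pe_has_authenticode(Path(image).read_bytes()) else "NOT a signed PE")
```

Run it as root with the kernel images from /boot as arguments; an image reported as "NOT a signed PE" has nothing for db to verify, so it should only boot when enforcement is off.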