Ubuntu – Has 3.19.0-65 introduced new Secure Boot requirements to 14.04 LTS?

dkms, kernel, uefi

My laptop came with 14.04 (Trusty Tahr) LTS. Since then, I have made no significant changes, and I have been applying updates whenever I was notified of them.

On 2016-07-15, I was applying updates as normal, or so I thought. The "Software Updater" pop-up window had got as far as "Configuring shim-signed", when I got this "Debconf" pop-up:
Screenshot, whose contents are described at length in the accompanying text.

As you can see, it:

  • says "Configuring Secure Boot" in large lettering
  • has a "Disable UEFI Secure Boot?" tick-box (check-box)
  • has a "Help" button
  • has a "Forward" button

I have never seen this before. I clicked on the "Help" button prior to taking the screenshot, which brought up the 3rd pop-up that you can see.

Help pop-up text

Just in case anyone searches by any of these phrases …

Your system has UEFI Secure Boot enabled. UEFI Secure Boot is not compatible with the use of third-party drivers.

The system will assist you in disabling UEFI Secure Boot. To ensure that this change is being made by you as an authorized user, and not by an attacker, you must choose a password now and then use the same password after reboot to confirm the change.

If you choose to proceed but do not confirm the password upon reboot, Ubuntu will still be able to boot on your system but these third-party drivers will not be available for your hardware.

Subsequent Steps

If I remember correctly, …

  • After a while I agreed to "Disable UEFI Secure Boot", and clicked the "Forward" button.
  • This took me directly to a window where I set up a password (entering it twice).
  • The update process finished in the normal manner, with a pop-up asking me when to restart.
  • I restarted soon after.
  • During the boot process, there was a blue screen saying something like "press any key to configure mok".
  • I pressed a key.
  • Instead of being asked to provide the password I had set up 5 minutes earlier, as I had been expecting, the laptop just quickly booted up in the normal way.
  • I logged in to Ubuntu as normal.
  • The Wi-Fi adapter wasn’t working.
  • I couldn't start VirtualBox VMs. The error was "Kernel driver not installed".
  • Various other problems.
  • I tried restarting again, more than once, but I never saw that blue "configure mok" screen again.
  • I noted that my current kernel was 3.19.0-65
  • So I restarted and used grub to select 3.19.0-64
  • Everything was working fine again.

My Research Notes

Note01 – I looked in my BIOS settings (for the first time on this laptop). Secure Boot appears to be enabled. If "Debconf" had been successful in disabling UEFI Secure Boot, would that have been reflected in the BIOS settings?

Note02 – My laptop is a Dell XPS 13, and other people are reporting problems with 3.19.0-65 on Dell hardware.

Note03 – The update instructions for USN-3037-1 say to upgrade to 3.19.0-65. The final paragraph is:

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

(I am just a user and I don't really understand this. Don't we always get a new version number? And don't we always have to recompile & reinstall – a process managed by DKMS or something?)

Note04 – The changelog for 3.19.0-65.73 has lots of UEFI issues, including changes affecting EFI_SECURE_BOOT_SIG_ENFORCE and CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE

Note05 – Because my kernel version is 3.19, I assume I must be on the trusty linux-lts-vivid LTS enablement stack (??), as per the table here, where 3.19.0-65.73 is currently the latest entry.

Note06 – It seems that someone who is on the trusty linux-lts-wily LTS enablement stack (kernel version 4.2) may have got the same pop-ups, the day before me, but without encountering any subsequent problems.

Note07 – There is an answer from April 2016 which says:

In Ubuntu 16.04, Ubuntu starts to enforce secure boot to the kernel level. Before 16.04, Ubuntu does not really enforce you to use signed kernel and signed kernel modules, even if you have secure boot turned on.

Could it be that now, in July 2016, Ubuntu has introduced new Secure Boot requirements to 14.04 LTS? If not, what is the problem I'm having with 3.19.0-65? And either way, what should I (and the other people having problems) do about it?

Thanks!

Best Answer

You are correct. The Canonical Kernel Team has enabled EFI_SECURE_BOOT_SIG_ENFORCE in the new 3.19 Ubuntu kernel.

That prevents unsigned third-party kernel modules from being loaded.

It looks like there is a script with a GUI that is supposed to help disable Secure Boot.

It did not work in your case. It depends on the specific UEFI implementation in your computer.

But you can simply disable Secure Boot in your UEFI settings.

See this answer and comments below.
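
A read-only check for the situation the answer describes, added here as an example (it is not from the original post or from Ubuntu): it reads the firmware `SecureBoot` variable and shim's `MokSBState` variable from efivarfs and tests each DKMS-built module for the appended-signature marker. It assumes that enforcement applies when `SecureBoot` is 1 and `MokSBState` is not 1, and that DKMS modules are installed under `/lib/modules/<kernel>/updates/dkms`; the function names are illustrative.

```shell
#!/bin/sh
# Added example: diagnostic only, reads state and changes nothing.
# Assumption: the kernel enforces module signatures when the firmware
# SecureBoot variable is 1 and shim's MokSBState variable is not 1.

EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c   # EFI global variable GUID
SHIM_LOCK=605dab50-e046-4300-abb6-3dd810dd8b23    # shim's vendor GUID

# Print the one-byte value of an efivarfs variable (the first 4 bytes of
# the file are attributes), or 0 if the variable does not exist.
efi_var_byte() {   # $1 = efivars directory, $2 = Name-GUID
    if [ -r "$1/$2" ]; then
        od -An -tu1 -j4 -N1 "$1/$2" | tr -d ' \n'
    else
        printf 0
    fi
}

# A signed .ko ends with this 28-byte marker (27 characters plus newline).
module_is_signed() {   # $1 = path to an uncompressed .ko file
    [ "$(tail -c 28 "$1" | tr -d '\000')" = "~Module signature appended~" ]
}

# Classify one module: ok-signed, ok-not-enforced, or blocked.
module_verdict() {   # $1 = efivars directory, $2 = module path
    sb=$(efi_var_byte "$1" "SecureBoot-$EFI_GLOBAL")
    mok=$(efi_var_byte "$1" "MokSBState-$SHIM_LOCK")
    if module_is_signed "$2"; then
        echo ok-signed
    elif [ "$sb" = 1 ] && [ "$mok" != 1 ]; then
        echo blocked
    else
        echo ok-not-enforced
    fi
}

# Report on every DKMS-built module for the running kernel.
report() {
    for ko in /lib/modules/"$(uname -r)"/updates/dkms/*.ko; do
        [ -e "$ko" ] || continue
        printf '%s\t%s\n' "$(module_verdict /sys/firmware/efi/efivars "$ko")" "$ko"
    done
}

report
```

A `blocked` line for a Wi-Fi or VirtualBox module matches the symptoms in the question; `ok-not-enforced` alongside a firmware setting that still shows Secure Boot enabled means validation was switched off in shim rather than in the firmware.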