
Debian Live, Secure Boot, Kernel Lockdown and DKMS
Hi all

I am working at the University of Bern, Switzerland, where we maintain a distribution based on Debian Live (called "Lernstick", see here: http://www.lernstick.ch). It is mainly used in BYOD scenarios for learning and exam environments. That means our users are mostly IT beginners and we don't dare to change the firmware settings of the laptops. So disabling Secure Boot or enrolling MOK keys is not an option here.

Therefore in 2014 we got our own shim signed by Microsoft. In these good old times it was OK to use it in combination with a grub that loads unsigned kernels. We included some DKMS drivers for better hardware compatibility (e.g. broadcom-sta and several generations of the proprietary nvidia drivers) or for virtualization (virtualbox). Until recently this combination was running really well. But in the last couple of months we have run into more and more laptops that fail to boot with our old shim (v0.7) but boot fine with current shim versions.

Therefore we tried the new signed shim/grub/kernel combo in Debian buster. Thank you for all the work you put into this, it looks really promising. Unfortunately, the fact that Secure Boot enforces Kernel Lockdown where we can't load the necessary DKMS modules makes it impossible to use for us. When I searched for solutions I came across:

  • disabling Secure Boot in the firmware (not possible for us)
  • enrolling MOK keys (not possible for us)
  • disabling lockdown by pressing Alt-SysRq-x (too late in the boot process for us)

Is there any other way to disable Kernel Lockdown so early in the boot process that the drivers we need get loaded?

If not, is there any way that some Debian maintainer can help us poor souls and provide signed versions of broadcom-sta, virtualbox and nvidia drivers?

If not, is there any way that we can get a signed kernel where lockdown is disabled per default?

BTW, I just came across this article from a year ago where several kernel developers expressed concerns about the current approach to Kernel Lockdown. They already foresaw our current problem:
https://www.linuxjournal.com/content/good-lockdown-vs-bad

Could you keep me in CC as I'm not subscribed to the debian-efi mailing list?

Best regards

Ronny

--

Universität Bern
Institut für Informatik
Forschungsstelle Digitale Nachhaltigkeit

Dr. Ronny Standtke
Head of Lernstick

Schützenmattstrasse 14
CH-3012 Bern

Phone +41 79 786 81 82 (direct)
Phone +41 31 631 47 71 (secretariat)
ronny.standtke@inf.unibe.ch
http://www.digitale-nachhaltigkeit.unibe.ch
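As an added example (not part of Ronny's mail and not Debian or Lernstick tooling), here is a small POSIX shell diagnostic an administrator can run on a booted image to see which lockdown mode is active, whether the firmware is enforcing Secure Boot, and why a given DKMS module would be accepted or refused; the sysfs and efivars paths are the standard kernel ones, while the helper function names are my own.

```shell
# Added diagnostic helper (not from the original mail or from Debian):
# explain why an out-of-tree (DKMS) module may be refused on a system
# booted with Secure Boot and kernel lockdown.

# Extract the active mode from /sys/kernel/security/lockdown, whose
# content looks like "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Decide from a hex dump of the SecureBoot EFI variable whether the
# firmware is enforcing: 4 attribute bytes, then one data byte (0x01 = on).
secureboot_enforcing_hex() {
    case "$1" in
        ????????01) return 0 ;;
        *)          return 1 ;;
    esac
}

# Classify a module given the lockdown mode and its "signer" field
# (empty when unsigned). Under lockdown the kernel only accepts modules
# whose signature chains to a key it trusts (e.g. the distro CA or a MOK).
module_verdict() {
    m_mode=$1; m_signer=$2
    if [ -z "$m_mode" ] || [ "$m_mode" = none ]; then
        echo "loadable (lockdown off)"
    elif [ -z "$m_signer" ]; then
        echo "refused (unsigned, lockdown=$m_mode)"
    else
        echo "loads only if '$m_signer' is trusted by the kernel"
    fi
}

# Live report for the modules named on the command line; degrades
# gracefully when sysfs/efivars entries are absent (non-EFI boot, container).
report() {
    mode=""
    [ -r /sys/kernel/security/lockdown ] &&
        mode=$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")
    echo "lockdown mode: ${mode:-unknown}"
    sb=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if [ -r "$sb" ] && secureboot_enforcing_hex "$(od -An -tx1 -v "$sb" | tr -d ' \n')"; then
        echo "secure boot: enforcing"
    else
        echo "secure boot: off or undetermined"
    fi
    for m in "$@"; do
        echo "$m: $(module_verdict "$mode" "$(modinfo -F signer "$m" 2>/dev/null)")"
    done
}
```

Source the file and call `report nvidia wl vboxdrv` on the live system; the parsing helpers take plain strings so they can also be checked offline.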