[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#989460: shim-signed encourages disabling Secure Boot if dkms installed



Package: shim-signed
Version: 1+2.04+17

When upgrading a bullseye installation on a machine with dkms
installed, an update to shim-signed posted the following pop-up for me
twice:
---
UEFI Secure Boot is not compatible with the use of third-party drivers.

The system will assist you in toggling UEFI Secure Boot. To ensure
that this change is being made by you as an authorized user, and not
by an attacker, you must choose a password now and then use the same
password after reboot to confirm the change.

If you choose to proceed but do not confirm the password upon reboot,
the Secure Boot configuration will not be changed, and the machine
will continue booting as before.

If Secure Boot remains enabled on your system, your system may still
boot but any hardware that requires third-party drivers to work
correctly may not be usable.
---

Apart from the bit where this was completely not needed (kernel image
didn't change),
this message is misleading. Debian *cannot* disable UEFI Secure Boot.
What happens is that
shim disables verification, and the kernel ends up not enabling lockdown mode.

My concern is that the vagueness of the description, coupled with the
vast of amount of documentation online (including the Debian wiki)
casually suggesting disabling Secure Boot if there are any isuse, will
lead to users with perfectly functioning secure installations manually
disabling UEFI Secure Boot on reboot.

What this text *should* be saying is something like:
---
Third-party drivers must be manually signed/installed for newly
installed kernels

The system will assist you in disabling kernel image/module
verification. To ensure that this change is being made by you as an
authorized user, and not by an attacker, you must choose a password
now and then use the same password after reboot to confirm the change.

If you choose to proceed but do not confirm the password upon reboot,
the kernel image/module
verification configuration will not be changed, and the machine will
continue booting as before.

If kernel image/module verification remains enabled on your system,
your system may still boot but any hardware that requires third-party
drivers to work correctly may not be usable.
---


Reply to: