Why disabling "Secure Boot" is enforced policy when installing 3rd party modules

This is not a bug, it is a feature.

As Anthony Wong says, when you install a DKMS package you are compiling the package yourself, thus, Canonical cannot sign the module for you.

However, you can definitely use Secure Boot, however this is exactly the use case where Secure Boot is trying to protect you from yourself because it cannot know whether you trust a module or don't.

By default, there is a Platform Key (PK) on your UEFI machine, which is the ultimately trusted Certificate Authority for loading code in your processor.

GRUB, or shim, or other boot mechanisms can be digitally signed by a KEK which is trusted by the root CA (PK), and thus your computer can, without any configuration, boot software like Ubuntu Live USB/DVDs.

On Ubuntu 16.04 the kernel is built with CONFIG_MODULE_SIG_FORCE=1, which means that the kernel will enforce modules to be signed by a trusted key in the platform. Take into consideration that the UEFI platform by default contains a PK that you do not have any control over, and thus you cannot sign binaries with a key recognized by your own machine.

Some people bash and rant against that, but there is really no better way (from a security standpoint) than it being yourself who enrolls the new key you want.

If your boot system uses shim, you can use something called a Machine Owner's Key database, and enroll your key as a MOK (You can do that with mokutil). If you don't, you can also enroll your key in the UEFI database as a signing key.

After you enroll your key, you can sign your DKMS-built package with your MOK (there should be a perl script at /usr/src/kernels/$(uname -r)/scripts/sign-file), and after it is signed, you can load it into the kernel.

Granted, someone should make more visual instructions on this, and probably even make a wizard or a better DKMS standard to allow keys to be taken into consideration, but this is what we have as of now.

You can refer to this explanation on how to sign your own kernel modules: https://askubuntu.com/a/768310/12049


In short, this is not a bug but a new change introduced in 16.04.

Because what you are installing is a dkms package. DKMS modules are compiled on your own machine and so Canonical can't sign the module for you. If Canonical cannot sign it, there is no way to digitally verify it. If you have secure boot turned on, that will mean your module can't be used, and in order to use it, you will have to turn off secure boot, that's why you are getting asked by the question.

For why it only happens in 16.04 but not in previous releases, Rod Smith has given a good answer. In Ubuntu 16.04, Ubuntu starts to enforce secure boot to the kernel level. Before 16.04, Ubuntu does not really enforce you to use signed kernel and signed kernel modules, even you have secure boot turned on. But this is no longer the case in 16.04.

This is the related bug: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1401532

This is the related blueprint: https://blueprints.launchpad.net/ubuntu/+spec/foundations-x-installing-unsigned-secureboot


Another way to do it is to create your own key, insert the public part into the MOK database and sign the modules you compile with the private part. Look here for detailed info: Could not load 'vboxdrv' after upgrade to Ubuntu 16.04 (and I want to keep secure boot)


The accepted answer is very complete, but I'd like to add this simple piece of information, taken from here:

https://askubuntu.com/a/843678/664391

Basically secure boot may prevent you from loading some driver you installed which can be quite frustrating. I have been through this myself: the driver installed correctly, everything seemed to be good to go, but it just didn't work. Took me some time to find it was secure boot's preventing the OS from loading it.