Secure boot can be used against several security threats when malware modifies the firmware of the system. It may be inadvertently disabled by the user or intentionally disabled by the software. Consequently, the system and user data were exposed to danger. If gnome-shell could appropriately show the notifications in the GDM login dialog, it gives the user a chance to stop login into the system and prevent data leakage.
This work proposed a warning image and critical notification in GDM login dialog when secure boot is disabled. After the user login to a secure boot disabled system, a notification with a button will be shown and takes the user to the firmware security setting panel for the details. Also, the notification in the user workspace can be disabled by the user through gsettings. If "org.gnome.shell.sb-check" is set to false, the notification in the user workspace will be disabled. It also can be disabled globally for system testing reasons through kernel parameters. If "sb-check=false" is put to kernel parameter, all the checks of the secure boot will be utterly disabled.
Signed-off-by: Kate Hsuan hpa@redhat.com
The UX design could be found here
