MSR and SecureBoot

Oh yeah, one thing I forgot since Ubuntu is not my primary distro (and one of the reasons why it’s not): please find a way to allow users to write to MSRs in order to undervolt their CPUs to achieve better battery life without making them disable Secure Boot.
But I already know the answer. It’s not going to happen.

Also, as far as I remember, some time ago there was a goal of making GDM controls “displayable” on all connected monitors instead of only one (say, the laptop’s screen). Finally adding this will drastically improve the usability of GDM.

I don’t understand what you mean by “to write to MSRs”. Do you mean model-specific registers?

But if Secure Boot is blocking some software, the software is either not signed, the public key is not deployed or the public key is revoked.

Yep, I am talking about software like intel-undervolt which cannot work to its full extent without disabling Secure Boot on Ubuntu due to it being a userland tool not allowed to write to those registers. English is not my native language so excuse me if I cannot phrase it correctly, and I am not an engineer to understand the details, but it is just my experience with this tool and info I gathered by reading several discussions on Phoronix and in kernel dev mailing lists.
It has something to do with kernel build options too, like hardening and/or integrity, which are enabled for Ubuntu kernels by default. With those options being unset in Manjaro or Arch, for example, it is possible to write to MSRs even with Secure Boot enabled (custom keys).
Working on this task implies close cooperation with the upstream kernel development team because I guess the Ubuntu team is unlikely to want to reinvent the wheel. Iirc that was discussed some time ago but no solution was proposed or pushed upstream, so Ubuntu could apply some pressure or I don’t know what else and who else could promote a thing like this.

This could be a real desktop- (well, laptop-) oriented thing to do since servers are fine with the situation as it is now, but regular laptop users just watch their notebooks run with suboptimal performance and/or consume too much battery power when we of course would have preferred higher clocks and less power consumption – which is often possible and easily doable (e.g. in Windows).
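
Added example, not part of the thread: a small shell diagnostic for the situation the post above describes. It assumes the restriction comes from the kernel's lockdown feature (which, in "integrity" mode, refuses raw MSR writes from userland) and that the MSR driver option is CONFIG_X86_MSR; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether userland MSR writes are likely to be refused.

# Extract the active mode from the content of /sys/kernel/security/lockdown.
# The file lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Read kernel config text on stdin and print the value of CONFIG_<name>
# (y or m), or "unset" when the option is disabled or missing.
config_value() {
    awk -v o="CONFIG_$1" -F= '
        $1 == o                          { print $2; found = 1; exit }
        $0 == ("# " o " is not set")     { print "unset"; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Combine both facts into one verdict for tools that write /dev/cpu/*/msr.
msr_write_verdict() {
    mode=$1; msr=$2
    if [ "$msr" = unset ]; then
        echo "no-msr-driver"
    elif [ -z "$mode" ] || [ "$mode" = none ]; then
        echo "not-locked-down"
    else
        echo "blocked-by-lockdown"
    fi
}

# Gather the live values; falls back to /boot when /proc/config.gz is absent.
report() {
    mode=$(lockdown_mode "$(cat /sys/kernel/security/lockdown 2>/dev/null)")
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    else
        cfg=$(cat "/boot/config-$(uname -r)" 2>/dev/null)
    fi
    msr=$(printf '%s\n' "$cfg" | config_value X86_MSR)
    echo "lockdown=${mode:-absent} X86_MSR=$msr verdict=$(msr_write_verdict "$mode" "$msr")"
}

# Run against the local machine only when asked to.
if [ "${1:-}" = "--report" ]; then report; fi
```
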

Arch and Manjaro do not use Secure Boot by default. They don’t have an Arch- and/or Manjaro-specific signed shim package.

For the kernel options: I think you mean (the output is obtained from Arch)

zgrep MSR /proc/config.gz

If they are not enabled for the Ubuntu kernel, I think you need to open a Launchpad bug report and explain why they are needed (I guess only the first two are relevant).

If you use custom keys and are blindly signing binaries with them, then you just have a “Signed Boot” and not really a “Secure Boot”. In this case, you can also disable Secure Boot as it doesn’t really add any security.

Ubuntu has its own signed shim and uses the MokManager (MOK = Machine-owner key). Disabling Secure Boot will be less secure, because shim, the bootloader and kernel should be correctly signed.
With the MokManager, you can add your own keys and use them to sign additional kernel modules and binaries manually.

I don’t find intel-undervolt in the Ubuntu repositories. I guess you are taking it from GitHub and therefore you have to manually sign it.
Even when it is packaged one day, it will probably be part of the universe repo and Ubuntu/Canonical isn’t responsible for signing these binaries (I may be wrong). But I guess it could be automated to generate a new key and enroll it.

I do not use undervolting and my main PC does not have an Intel CPU. I therefore have no experience with it. So I cannot help you further. But as a starting point, have a look at:

Thanks for trying to help, but this wasn’t supposed to be a support thread, splitting it by @ian-weisser could imply that but it was a wrong move since the above was my proposal for improvements and I kinda “knew” what I was talking about based on my experience with the tool and reading dev’s lists. And the first post contains another proposal – on looking into GDM multi-screen improvements. It also got lost with that splitting of topics…

This is not about signing kernel modules… I haven’t ever signed any btw. Neither about shim and/or MokManager… It’s about a way to allow userland programs to deal with MSRs. Any step in that direction from any kernel dev would’ve been much appreciated. I wrote this to Ubuntu devs since I assumed them to be the most interested in improving desktop Linux experience.

Once again thank you for trying to help but just move on.
As I said in the very beginning, “But I already know the answer. It’s not going to happen.” Cutting my post from users’ feedback thread and turning it into a separate discussion kinda confirmed my expectations.

So to be clear on this topic: the story I referred to is described here: