Re-verified trusty since the previous trusty comment was imprecise:
dkms 2.2.0.3-1.1ubuntu5.14.04.10
Upgrading kernel and headers follows with a loadable, properly signed
module using the MOK generated previously.
ubuntu@ubuntu:~$ dpkg -l shim-signed dkms | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version
Architecture Description
+++-=====================================-====================================================-============-===============================================================================
ii dkms 2.2.0.3-1.1ubuntu5.14.04.10
all Dynamic Kernel Module Support Framework
ii shim-signed 1.33.1~14.04.4+13-0ubuntu2
amd64 Secure Boot chain-loading bootloader
(Microsoft-signed binary)
[...]
Unpacking linux-headers-4.4.0-142-generic (4.4.0-142.168~14.04.1) ...
Setting up linux-headers-4.4.0-142 (4.4.0-142.168~14.04.1) ...
Setting up linux-headers-4.4.0-142-generic (4.4.0-142.168~14.04.1) ...
Examining /etc/kernel/header_postinst.d.
run-parts: executing /etc/kernel/header_postinst.d/dkms 4.4.0-142-generic
/boot/vmlinuz-4.4.0-142-generic
Nothing to do.
Nothing to do.
ubuntu@ubuntu:/lib/modules/4.4.0-142-generic$ cat /proc/version_signature
Ubuntu 4.4.0-142.168~14.04.1-generic 4.4.167
ubuntu@ubuntu:/lib/modules/4.4.0-142-generic$ sudo modprobe bbswitch
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:/lib/modules/4.4.0-142-generic$ dmesg | tail
[ 15.036233] audit: type=1400 audit(1550095748.630:15): apparmor="STATUS"
operation="profile_replace" profile="unconfined"
name="/usr/lib/connman/scripts/dhclient-script" pid=1004 comm="apparmor_parser"
[ 15.036504] audit: type=1400 audit(1550095748.630:16): apparmor="STATUS"
operation="profile_replace" profile="unconfined"
name="/usr/lib/connman/scripts/dhclient-script" pid=1004 comm="apparmor_parser"
[ 15.118903] audit: type=1400 audit(1550095748.714:17): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=1006
comm="apparmor_parser"
[ 15.273612] init: plymouth-upstart-bridge main process ended, respawning
[ 16.272167] random: nonblocking pool is initialized
[ 219.644638] bbswitch: loading out-of-tree module taints kernel.
[ 219.644704] bbswitch: module verification failed: signature and/or required
key missing - tainting kernel
[ 219.645133] bbswitch: version 0.7
[ 219.645146] bbswitch: Found integrated VGA device 0000:00:02.0:
\_SB_.PCI0.VID_
[ 219.645159] bbswitch: No discrete VGA device found
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950
Title:
dkms key enrolled in mok, but dkms module fails to load
Status in dkms package in Ubuntu:
Fix Released
Status in dkms source package in Trusty:
Fix Committed
Status in dkms source package in Xenial:
Fix Committed
Status in dkms source package in Bionic:
Fix Released
Bug description:
[Impact]
All Ubuntu users for whom Secure Boot is enabled.
[Test cases]
1) install dkms module (use virtualbox-dkms for example)
2) Upgrade kernel (for example, install 4.15.0-22-generic on top of
4.15.0-20-generic).
3) Verify that the generated module for the new kernel (4.15.0-22-generic in
this example) is built and signed by verifying that the file in
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature
appended~:
$ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail
-n 100
[...]
~Module signature appended~
4) Reboot
5) modprobe -v the module.
It should not respond "Required key not available", and should return with no
error.
6) Verify that dkms does not contain PKCS#7 errors.
[Regression potential]
Possible regressions involve failure to sign and/or be able to load modules
after updates: failure to sign leading to a module being built but unsigned
after a new kernel is installed or after a new DKMS module is installed,
failure to load modules after reboot (usually caused by module being unsigned);
failure to sign due to missing keys, signature key not being automatically
slated for enrollment. All these potential regression scenarios present as
failure to load a DKMS module after a reboot when it should be loaded
successfully.
---
At my last reboot, I was prompted to enable SecureBoot, so I did.
When I booted, however, I noticed that the virtualbox service failed
to start because it couldn't load its kernel module. If I attempt the
same thing, I see that there's an issue with keys:
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
I do have keys enrolled; `mokutil --list-enrolled` produces
http://paste.ubuntu.com/p/rntTQr5XJV/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
