This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.10
---------------
dkms (2.2.0.3-1.1ubuntu5.14.04.10) trusty; urgency=medium
* debian/patches/shim_secureboot_support.patch:
- Move to signing just after module build to ensure it correctly applies
at kernel update times. (LP: #1772950)
- Generate a new MOK if there isn't one yet, and use that so sign
newly-built kernel modules. (LP: #1748983)
* debian/control: Breaks: shim-signed (<< 1.33.1~14.04.4) to ensure both
are updated in lock-step since the changes above require a new version of
update-secureboot-policy to correctly generate the new MOK and enroll it
in firmware.
-- Mathieu Trudel-Lapierre <[email protected]> Mon, 28 Jan 2019
11:05:49 -0500
** Changed in: dkms (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950
Title:
dkms key enrolled in mok, but dkms module fails to load
Status in dkms package in Ubuntu:
Fix Released
Status in dkms source package in Trusty:
Fix Released
Status in dkms source package in Xenial:
Fix Committed
Status in dkms source package in Bionic:
Fix Released
Bug description:
[Impact]
All Ubuntu users for whom Secure Boot is enabled.
[Test cases]
1) install dkms module (use virtualbox-dkms for example)
2) Upgrade kernel (for example, install 4.15.0-22-generic on top of
4.15.0-20-generic).
3) Verify that the generated module for the new kernel (4.15.0-22-generic in
this example) is built and signed by verifying that the file in
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature
appended~:
$ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail
-n 100
[...]
~Module signature appended~
4) Reboot
5) modprobe -v the module.
It should not respond "Required key not available", and should return with no
error.
6) Verify that dkms does not contain PKCS#7 errors.
[Regression potential]
Possible regressions involve failure to sign and/or be able to load modules
after updates: failure to sign leading to a module being built but unsigned
after a new kernel is installed or after a new DKMS module is installed,
failure to load modules after reboot (usually caused by module being unsigned);
failure to sign due to missing keys, signature key not being automatically
slated for enrollment. All these potential regression scenarios present as
failure to load a DKMS module after a reboot when it should be loaded
successfully.
---
At my last reboot, I was prompted to enable SecureBoot, so I did.
When I booted, however, I noticed that the virtualbox service failed
to start because it couldn't load its kernel module. If I attempt the
same thing, I see that there's an issue with keys:
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
I do have keys enrolled; `mokutil --list-enrolled` produces
http://paste.ubuntu.com/p/rntTQr5XJV/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
