subject:"\[Kernel\-packages\] \[Bug 1772950\] Re\: dkms key enrolled in mok, but dkms module fails to load"

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2019-02-14 Thread Launchpad Bug Tracker

This bug was fixed in the package dkms - 2.2.0.3-2ubuntu11.6

---
dkms (2.2.0.3-2ubuntu11.6) xenial; urgency=medium

  * debian/patches/shim_secureboot_support.patch:
- Move to signing just after module build to ensure it correctly applies
  at kernel update times. (LP: #1772950)
- Generate a new MOK if there isn't one yet, and use that so sign
  newly-built kernel modules. (LP: #1748983)

 -- Mathieu Trudel-Lapierre   Mon, 28 Jan 2019
10:21:09 -0500

** Changed in: dkms (Ubuntu Xenial)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Released
Status in dkms source package in Xenial:
  Fix Released
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2019-02-14 Thread Launchpad Bug Tracker

This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.10

---
dkms (2.2.0.3-1.1ubuntu5.14.04.10) trusty; urgency=medium

  * debian/patches/shim_secureboot_support.patch:
- Move to signing just after module build to ensure it correctly applies
  at kernel update times. (LP: #1772950)
- Generate a new MOK if there isn't one yet, and use that so sign
  newly-built kernel modules. (LP: #1748983)
  * debian/control: Breaks: shim-signed (<< 1.33.1~14.04.4) to ensure both
are updated in lock-step since the changes above require a new version of
update-secureboot-policy to correctly generate the new MOK and enroll it
in firmware.

 -- Mathieu Trudel-Lapierre   Mon, 28 Jan 2019
11:05:49 -0500

** Changed in: dkms (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Released
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2019-02-13 Thread Mathieu Trudel-Lapierre

Re-verified trusty since the previous trusty comment was imprecise:

dkms 2.2.0.3-1.1ubuntu5.14.04.10

Upgrading kernel and headers follows with a loadable, properly signed
module using the MOK generated previously.

ubuntu@ubuntu:~$ dpkg -l shim-signed dkms | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name  Version   
   Architecture Description
+++-=---===
ii  dkms  2.2.0.3-1.1ubuntu5.14.04.10   
   all  Dynamic Kernel Module Support Framework
ii  shim-signed   1.33.1~14.04.4+13-0ubuntu2
   amd64Secure Boot chain-loading bootloader 
(Microsoft-signed binary)

[...]

Unpacking linux-headers-4.4.0-142-generic (4.4.0-142.168~14.04.1) ...
Setting up linux-headers-4.4.0-142 (4.4.0-142.168~14.04.1) ...
Setting up linux-headers-4.4.0-142-generic (4.4.0-142.168~14.04.1) ...
Examining /etc/kernel/header_postinst.d.
run-parts: executing /etc/kernel/header_postinst.d/dkms 4.4.0-142-generic 
/boot/vmlinuz-4.4.0-142-generic
Nothing to do.
Nothing to do.
ubuntu@ubuntu:/lib/modules/4.4.0-142-generic$ cat /proc/version_signature 
Ubuntu 4.4.0-142.168~14.04.1-generic 4.4.167
ubuntu@ubuntu:/lib/modules/4.4.0-142-generic$ sudo modprobe bbswitch
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:/lib/modules/4.4.0-142-generic$ dmesg | tail
[   15.036233] audit: type=1400 audit(1550095748.630:15): apparmor="STATUS" 
operation="profile_replace" profile="unconfined" 
name="/usr/lib/connman/scripts/dhclient-script" pid=1004 comm="apparmor_parser"
[   15.036504] audit: type=1400 audit(1550095748.630:16): apparmor="STATUS" 
operation="profile_replace" profile="unconfined" 
name="/usr/lib/connman/scripts/dhclient-script" pid=1004 comm="apparmor_parser"
[   15.118903] audit: type=1400 audit(1550095748.714:17): apparmor="STATUS" 
operation="profile_load" profile="unconfined" name="/usr/sbin/tcpdump" pid=1006 
comm="apparmor_parser"
[   15.273612] init: plymouth-upstart-bridge main process ended, respawning
[   16.272167] random: nonblocking pool is initialized
[  219.644638] bbswitch: loading out-of-tree module taints kernel.
[  219.644704] bbswitch: module verification failed: signature and/or required 
key missing - tainting kernel
[  219.645133] bbswitch: version 0.7
[  219.645146] bbswitch: Found integrated VGA device :00:02.0: 
\_SB_.PCI0.VID_
[  219.645159] bbswitch: No discrete VGA device found


** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2019-02-13 Thread Mathieu Trudel-Lapierre

Verification-done on xenial:

dkms 2.2.0.3-2ubuntu11.6

Upgraded kernel to hwe kernel, drivers can still be loaded from the
right versioned directory for the kernel and loads succesfully --
signature is validated fined as the kernel module is signed.

ubuntu@ubuntu:~$ dpkg -l shim-signed dkms | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name   Version   Architecture 
Description
+++-==-=--==
ii  dkms   2.2.0.3-2ubuntu11.6   all  
Dynamic Kernel Module Support Framework
ii  shim-signed1.33.1~16.04.4+15+1533136590.3beb971-0ubuntu1 amd64
Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo modprobe bbswitch 
[sudo] password for ubuntu: 
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:~$ dmesg | tail
[7.551980] wlp3s0: waiting for beacon from fc:ec:da:3c:dd:85
[7.654548] wlp3s0: associate with fc:ec:da:3c:dd:85 (try 1/3)
[7.656500] wlp3s0: RX AssocResp from fc:ec:da:3c:dd:85 (capab=0x411 
status=0 aid=3)
[7.676864] wlp3s0: associated
[7.676917] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[   17.687856] random: nonblocking pool is initialized
[  122.752094] bbswitch: loading out-of-tree module taints kernel.
[  122.752723] bbswitch: version 0.8
[  122.752745] bbswitch: Found integrated VGA device :00:02.0: 
\_SB_.PCI0.VID_
[  122.752767] bbswitch: No discrete VGA device found


ubuntu@ubuntu:~$ cat /proc/version_signature 
Ubuntu 4.4.0-143.169-generic 4.4.170
ubuntu@ubuntu:~$ sudo insmod 
/lib/modules/4.4.0-143-generic/updates/dkms/bbswitch.ko 
insmod: ERROR: could not insert module 
/lib/modules/4.4.0-143-generic/updates/dkms/bbswitch.ko: No such device
ubuntu@ubuntu:~$ dmesg |tail
[7.676864] wlp3s0: associated
[7.676917] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[   17.687856] random: nonblocking pool is initialized
[  122.752094] bbswitch: loading out-of-tree module taints kernel.
[  122.752723] bbswitch: version 0.8
[  122.752745] bbswitch: Found integrated VGA device :00:02.0: 
\_SB_.PCI0.VID_
[  122.752767] bbswitch: No discrete VGA device found
[  221.958525] bbswitch: version 0.8
[  221.958540] bbswitch: Found integrated VGA device :00:02.0: 
\_SB_.PCI0.VID_
[  221.958554] bbswitch: No discrete VGA device found
ubuntu@ubuntu:~$ sudo hexdump -Cv  
/lib/modules/4.4.0-143-generic/updates/dkms/bbswitch.ko | tail
5740  40 ac 93 85 cb 5f 1e 3e  6b 7b db 62 86 66 ea 81  |@_.>k{.b.f..|
5750  1e 9a 9a 1e a6 05 dc e1  18 dd 27 40 27 42 31 9f  |..'@'B1.|
5760  fd 54 ac 4a f6 26 21 32  f3 b4 52 70 f4 79 a6 0d  |.T.J.&!2..Rp.y..|
5770  c9 75 93 46 a5 2b ed fe  ef a1 68 97 c0 e0 67 c7  |.u.F.+h...g.|
5780  32 f7 4c c9 6d 0a 00 29  ce 87 a0 0a 95 be f1 4b  |2.L.m..)...K|
5790  c3 2e 6b df 7f a5 b7 67  55 27 cb bf a8 ea 51 7b  |..kgU'Q{|
57a0  a6 3e 00 00 02 00 00 00  00 00 00 00 01 a2 7e 4d  |.>~M|
57b0  6f 64 75 6c 65 20 73 69  67 6e 61 74 75 72 65 20  |odule signature |
57c0  61 70 70 65 6e 64 65 64  7e 0a|appended~.|
57ca

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2019-02-13 Thread Mathieu Trudel-Lapierre

Verification-done on trusty:

dkms/2.2.0.3-1.1ubuntu5.14.04.10

I've installed bbswitch on a test UEFI system, upgraded the kernel to a
newer version (ie. linux-image-hwe-trusty-generic) and was still able to
load the module in; the module in the updates/dkms directory for the
kernel version is clearly a signed copy.

ubuntu@ubuntu:~$ dpkg -l dkms shim-signed | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==-=--==
ii dkms 2.2.0.3-2ubuntu11.6 all Dynamic Kernel Module Support Framework
ii shim-signed 1.33.1~16.04.4+15+1533136590.3beb971-0ubuntu1 amd64 Secure Boot 
chain-loading bootloader (Microsoft-signed binary)

[  173.890220] usbcore: registered new interface driver asic0x
[  356.605416] bbswitch: version 0.7
[  356.605431] bbswitch: Found integrated VGA device :00:02.0: 
\_SB_.PCI0.VID_
[  356.605443] bbswitch: No discrete VGA device found


** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2019-02-05 Thread Brian Murray

Hello Dan, or anyone else affected,

Accepted dkms into trusty-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-1.1ubuntu5.14.04.10 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-trusty to verification-done-trusty. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-trusty. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: dkms (Ubuntu Trusty)
   Status: New => Fix Committed

** Tags added: verification-needed-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2019-02-05 Thread Brian Murray

Hello Dan, or anyone else affected,

Accepted dkms into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu11.6 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: dkms (Ubuntu Xenial)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-30 Thread Launchpad Bug Tracker

This bug was fixed in the package dkms - 2.3-3ubuntu9.1

---
dkms (2.3-3ubuntu9.1) bionic; urgency=medium

  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: move sign
code to dkms script itself, so it also applies on kernel upgrades.
(LP: #1772950)

 -- Mathieu Trudel-Lapierre   Wed, 23 May 2018
13:15:53 -0400

** Changed in: dkms (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-30 Thread Mathieu Trudel-Lapierre

Verification-done on bionic:

ii  dkms   2.3-3ubuntu9.1   
all  Dynamic Kernel Module Support Framework
ii  virtualbox-dkms5.2.10-dfsg-6
all  x86 virtualization solution - kernel mod

I have verified that with the old dkms, kernel upgrades lead to an
unsigned vboxdrv module; and with the new dkms, kernel upgrades do have
signed modules that load correctly with SecureBoot enabled.

** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-27 Thread Francis Ginther

** Tags added: id-5b05a00120e543dc26a03df7

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-26 Thread Francis Ginther

** Tags added: id-5b0593ddfc4d344a05f862a7

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-24 Thread Steve Langasek

Hello Dan, or anyone else affected,

Accepted dkms into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/dkms/2.3-3ubuntu9.1 in
a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: dkms (Ubuntu Bionic)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-bionic

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Bionic:
  Fix Committed

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Launchpad Bug Tracker

This bug was fixed in the package dkms - 2.3-3ubuntu10

---
dkms (2.3-3ubuntu10) cosmic; urgency=medium

  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: move sign
code to dkms script itself, so it also applies on kernel upgrades.
(LP: #1772950)

 -- Mathieu Trudel-Lapierre   Wed, 23 May 2018
13:15:53 -0400

** Changed in: dkms (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Mathieu Trudel-Lapierre

** Description changed:

+ [Impact]
+ All Ubuntu users for whom Secure Boot is enabled.
+ 
+ [Test cases]
+ 1) install dkms module (use virtualbox-dkms for example)
+ 2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
+ 3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:
+ 
+ $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
+ [...]
+ ~Module signature appended~
+ 
+ 4) Reboot
+ 5) modprobe -v the module.
+ It should not respond "Required key not available", and should return with no 
error.
+ 6) Verify that dkms does not contain PKCS#7 errors.
+ 
+ 
+ [Regression potential]
+ Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.
+ 
+ ---
+ 
  At my last reboot, I was prompted to enable SecureBoot, so I did.
  
  When I booted, however, I noticed that the virtualbox service failed to
  start because it couldn't load its kernel module.  If I attempt the same
  thing, I see that there's an issue with keys:
  
  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available
  
  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Triaged

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 
4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in 
this example) is built and signed by verifying that the file in 
/lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature 
appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail 
-n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return with no 
error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules 
after updates: failure to sign leading to a module being built but unsigned 
after a new kernel is installed or after a new DKMS module is installed, 
failure to load modules after reboot (usually caused by module being unsigned); 
failure to sign due to missing keys, signature key not being automatically 
slated for enrollment. All these potential regression scenarios present as 
failure to load a DKMS module after a reboot when it should be loaded 
successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Steve Langasek

** Changed in: dkms (Ubuntu)
 Assignee: (unassigned) => Mathieu Trudel-Lapierre (cyphermox)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Triaged

Bug description:
  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Dan Watkins

I can confirm that the new module isn't signed at all:

$ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail -n 
100 | pastebinit
http://paste.ubuntu.com/p/BFSg9DsqR8/

Contrast with a previous kernel that was installed when virtualbox was
last upgraded:

$ hexdump -Cv /lib/modules/4.15.0-15-generic/updates/dkms/vboxdrv.ko | tail -n 
100 | pastebinit
http://paste.ubuntu.com/p/W8WyVTd2zc/

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Triaged

Bug description:
  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Steve Langasek

The dkms package's shim integration only happens in
/usr/lib/dkms/common.postinst.  It appears this code is only triggered
on installation of a dkms package; this code path is not used as part of
the kernel postinst hook when building modules for a newly-installed
kernel - that hook only calls /usr/lib/dkms/dkms_autoinstaller .

Marking this critical, since this means users will lose their dkms
modules on kernel upgrade.

** Changed in: dkms (Ubuntu)
   Status: New => Triaged

** Changed in: dkms (Ubuntu)
   Importance: High => Critical

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Triaged

Bug description:
  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Steve Langasek

Based on timestamp info provided out of band,
/lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko was generated as
part of the kernel install via /etc/kernel/postinst.d/dkms, despite the
lack of verbosity.

** Changed in: dkms (Ubuntu)
   Status: Incomplete => New

** Changed in: dkms (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Triaged

Bug description:
  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Steve Langasek

The logs show the new kernel being installed, but show no dkms module
building at time of kernel install.  That seems strange to me.  We
should figure out what generated
/lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko and when and why
it's not correctly signed.

** Changed in: dkms (Ubuntu)
   Status: New => Incomplete

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Triaged

Bug description:
  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

2018-05-23 Thread Dan Watkins

term.log for installation of my current kernel:
https://paste.ubuntu.com/p/3TVVFpFSNX/

term.log from the last time I see virtualbox DKMS stuff happening:
https://paste.ubuntu.com/p/7f7p6t48pn/

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to dkms in Ubuntu.
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Incomplete

Bug description:
  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1772950/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

[Kernel-packages] [Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load

20 matches

Site Navigation

Mail list logo

Footer information