[Bug 1712804] [NEW] 4.12.0-11-generic rejects kernel modules signed with enrolled key

fish Thu, 24 Aug 2017 05:11:24 -0700

Public bug reported:

Hi,


I've been signing my DKMS modules manually for some time and it was
working just fine with 17.04 but since I upgraded to 17.10 and signing
the modules again the kernel rejects them.

Version: Ubuntu 4.12.0-11.12-generic 4.12.5

```
$ sudo mokutil --import MOK.der 
SKIP: MOK.der is already enrolled

$ sudo /usr/src/linux-headers-4.12.0-11-generic/scripts/sign-file sha512
MOK.priv MOK.der /lib/modules/4.12.0-11-generic/updates/dkms/vboxdrv.ko

$ sudo hexdump -C /lib/modules/4.12.0-11-generic/updates/dkms/vboxdrv.ko | tail
00085530  73 59 c9 38 05 53 a3 95  df df c6 ca 93 ef ad 87  |sY.8.S..........|
00085540  38 52 a4 41 4b b6 79 e7  1f 02 49 d7 ba 7c 60 21  |8R.AK.y...I..|`!|
00085550  94 9a b8 c2 d2 73 68 91  fc e8 12 c1 e9 68 21 eb  |.....sh......h!.|
00085560  55 d1 0b 6f 4e 04 ee b2  e7 a7 47 42 07 bb 0e 3b  |U..oN.....GB...;|
00085570  8a fa 9c d0 7f 1e d5 af  92 8a a3 db 13 32 6d f1  |.............2m.|
00085580  c0 c7 6a 31 c6 39 39 14  0d ec 19 73 7e 14 1b e6  |..j1.99....s~...|
00085590  8d 1b 5c 7a 0c 26 00 00  02 00 00 00 00 00 00 00  |..\z.&..........|
000855a0  01 8b 7e 4d 6f 64 75 6c  65 20 73 69 67 6e 61 74  |..~Module signat|
000855b0  75 72 65 20 61 70 70 65  6e 64 65 64 7e 0a        |ure appended~.|
000855be

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
```

dmesg shows:
```
[260594.834844] PKCS#7 signature not signed with a trusted key
```

It also seems like modinfo doesn't recognize/shows the signing details:

```
$ sudo modinfo /lib/modules/4.12.0-11-generic/updates/dkms/vboxdrv.ko
filename:       /lib/modules/4.12.0-11-generic/updates/dkms/vboxdrv.ko
version:        5.1.26_Ubuntu r117224 (0x002a0000)
license:        GPL
description:    Oracle VM VirtualBox Support Driver
author:         Oracle Corporation
srcversion:     135FF31DCB56FAD62FFCD36
depends:        
vermagic:       4.12.0-11-generic SMP mod_unload 
signat:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4
parm:           force_async_tsc:force the asynchronous TSC mode (int)
```

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1712804

Title:
  4.12.0-11-generic rejects kernel modules signed with enrolled key

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1712804/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1712804] [NEW] 4.12.0-11-generic rejects kernel modules signed with enrolled key

Reply via email to