Verification-done on xenial:

dkms 2.2.0.3-2ubuntu11.6

Upgraded kernel to hwe kernel, drivers can still be loaded from the
right versioned directory for the kernel and load successfully --
signature is validated fine as the kernel module is signed.

ubuntu@ubuntu:~$ dpkg -l shim-signed dkms | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                                       Architecture Description
+++-==============-=============================================-============-==============================================================
ii  dkms           2.2.0.3-2ubuntu11.6                           all          Dynamic Kernel Module Support Framework
ii  shim-signed    1.33.1~16.04.4+15+1533136590.3beb971-0ubuntu1 amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)
ubuntu@ubuntu:~$ sudo modprobe bbswitch 
[sudo] password for ubuntu: 
modprobe: ERROR: could not insert 'bbswitch': No such device
ubuntu@ubuntu:~$ dmesg | tail
[    7.551980] wlp3s0: waiting for beacon from fc:ec:da:3c:dd:85
[    7.654548] wlp3s0: associate with fc:ec:da:3c:dd:85 (try 1/3)
[    7.656500] wlp3s0: RX AssocResp from fc:ec:da:3c:dd:85 (capab=0x411 status=0 aid=3)
[    7.676864] wlp3s0: associated
[    7.676917] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[   17.687856] random: nonblocking pool is initialized
[  122.752094] bbswitch: loading out-of-tree module taints kernel.
[  122.752723] bbswitch: version 0.8
[  122.752745] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[  122.752767] bbswitch: No discrete VGA device found


ubuntu@ubuntu:~$ cat /proc/version_signature 
Ubuntu 4.4.0-143.169-generic 4.4.170
ubuntu@ubuntu:~$ sudo insmod /lib/modules/4.4.0-143-generic/updates/dkms/bbswitch.ko
insmod: ERROR: could not insert module /lib/modules/4.4.0-143-generic/updates/dkms/bbswitch.ko: No such device
ubuntu@ubuntu:~$ dmesg |tail
[    7.676864] wlp3s0: associated
[    7.676917] IPv6: ADDRCONF(NETDEV_CHANGE): wlp3s0: link becomes ready
[   17.687856] random: nonblocking pool is initialized
[  122.752094] bbswitch: loading out-of-tree module taints kernel.
[  122.752723] bbswitch: version 0.8
[  122.752745] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[  122.752767] bbswitch: No discrete VGA device found
[  221.958525] bbswitch: version 0.8
[  221.958540] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[  221.958554] bbswitch: No discrete VGA device found
ubuntu@ubuntu:~$ sudo hexdump -Cv /lib/modules/4.4.0-143-generic/updates/dkms/bbswitch.ko | tail
00005740  40 ac 93 85 cb 5f 1e 3e  6b 7b db 62 86 66 ea 81  |@...._.>k{.b.f..|
00005750  1e 9a 9a 1e a6 05 dc e1  18 dd 27 40 27 42 31 9f  |..........'@'B1.|
00005760  fd 54 ac 4a f6 26 21 32  f3 b4 52 70 f4 79 a6 0d  |.T.J.&!2..Rp.y..|
00005770  c9 75 93 46 a5 2b ed fe  ef a1 68 97 c0 e0 67 c7  |.u.F.+....h...g.|
00005780  32 f7 4c c9 6d 0a 00 29  ce 87 a0 0a 95 be f1 4b  |2.L.m..).......K|
00005790  c3 2e 6b df 7f a5 b7 67  55 27 cb bf a8 ea 51 7b  |..k....gU'....Q{|
000057a0  a6 3e 00 00 02 00 00 00  00 00 00 00 01 a2 7e 4d  |.>............~M|
000057b0  6f 64 75 6c 65 20 73 69  67 6e 61 74 75 72 65 20  |odule signature |
000057c0  61 70 70 65 6e 64 65 64  7e 0a                    |appended~.|
000057ca

https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of
  4.15.0-20-generic).
  3) Verify that the generated module for the new kernel
  (4.15.0-22-generic in this example) is built and signed by verifying
  that the file in /lib/modules/$kernel/updates/dkms/$module.ko ends in
  ~Module signature appended~:

  $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail -n 100
  [...]
  ~Module signature appended~

  4) Reboot
  5) modprobe -v the module.
  It should not respond "Required key not available", and should return
  with no error.
  6) Verify that dkms does not contain PKCS#7 errors.

  
  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load
  modules after updates: failure to sign leading to a module being built
  but unsigned after a new kernel is installed or after a new DKMS module
  is installed, failure to load modules after reboot (usually caused by
  module being unsigned); failure to sign due to missing keys, signature
  key not being automatically slated for enrollment. All these potential
  regression scenarios present as failure to load a DKMS module after a
  reboot when it should be loaded successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did.

  When I booted, however, I noticed that the virtualbox service failed
  to start because it couldn't load its kernel module.  If I attempt the
  same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces
  http://paste.ubuntu.com/p/rntTQr5XJV/
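
Added example, not part of the bug report or the dkms package: a parser for the trailer that precedes the "~Module signature appended~" marker, as a stricter form of the hexdump check in test case 3 and in the xenial verification above. The trailer bytes are copied from the bbswitch.ko hexdump; the ELF body and signature bytes are constructed placeholders sized so the sample matches that file's length (0x57ca).

```python
import struct

MAGIC = b"~Module signature appended~\n"  # 28-byte marker the kernel looks for
TRAILER = struct.Struct(">5B3xI")         # struct module_signature, 12 bytes
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}
# The 12 bytes at offsets 0x57a2-0x57ad of the bbswitch.ko hexdump above.
PAGE_TRAILER = bytes.fromhex("00 00 02 00 00 00 00 00 00 00 01 a2")


def parse_module_signature(blob):
    """Return trailer fields of a signed module image, or None if unsigned.

    Raises ValueError if the marker is present but the lengths in the
    trailer do not fit the file, which a marker-only check cannot detect.
    """
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    payload = end - TRAILER.size
    appended = sig_len + signer_len + key_id_len
    if appended > payload:
        raise ValueError("trailer lengths exceed file size")
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "sig_len": sig_len,
        "module_len": payload - appended,  # size of the ELF part alone
    }


def build_sample():
    """Constructed image: placeholder ELF and signature bytes, real trailer."""
    elf = b"\x7fELF" + bytes(0x5600 - 4)   # placeholder module body
    signature = bytes(0x1A2)               # placeholder for the PKCS#7 blob
    return elf + signature + PAGE_TRAILER + MAGIC


if __name__ == "__main__":
    info = parse_module_signature(build_sample())
    print(info)
    print(parse_module_signature(b"\x7fELF" + bytes(64)))  # unsigned module
```

The marker and trailer only show that a signature was appended; whether the module loads under Secure Boot is decided by the kernel verifying that signature against an enrolled key, which is what the modprobe step checks.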
