group.of.nepali.translators team mailing list archive
Message #28532
[Bug 1772950] Re: dkms key enrolled in mok, but dkms module fails to load
This bug was fixed in the package dkms - 2.2.0.3-1.1ubuntu5.14.04.10
---------------
dkms (2.2.0.3-1.1ubuntu5.14.04.10) trusty; urgency=medium

  * debian/patches/shim_secureboot_support.patch:
    - Move to signing just after module build to ensure it correctly applies
      at kernel update times. (LP: #1772950)
    - Generate a new MOK if there isn't one yet, and use that to sign
      newly-built kernel modules. (LP: #1748983)
  * debian/control: Breaks: shim-signed (<< 1.33.1~14.04.4) to ensure both
    are updated in lock-step since the changes above require a new version of
    update-secureboot-policy to correctly generate the new MOK and enroll it
    in firmware.

 -- Mathieu Trudel-Lapierre <cyphermox@xxxxxxxxxx>  Mon, 28 Jan 2019 11:05:49 -0500

** Changed in: dkms (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1772950
Title:
dkms key enrolled in mok, but dkms module fails to load
Status in dkms package in Ubuntu:
Fix Released
Status in dkms source package in Trusty:
Fix Released
Status in dkms source package in Xenial:
Fix Committed
Status in dkms source package in Bionic:
Fix Released
Bug description:
[Impact]
All Ubuntu users for whom Secure Boot is enabled.
[Test cases]
1) install dkms module (use virtualbox-dkms for example)
2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 4.15.0-20-generic).
3) Verify that the generated module for the new kernel (4.15.0-22-generic in this example) is built and signed by verifying that the file in /lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature appended~:
    $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail -n 100
    [...]
    ~Module signature appended~
4) Reboot
5) modprobe -v the module.
It should not respond "Required key not available", and should return with no error.
6) Verify that dkms does not contain PKCS#7 errors.
[Regression potential]
Possible regressions involve failure to sign and/or be able to load modules after updates: failure to sign leading to a module being built but unsigned after a new kernel is installed or after a new DKMS module is installed, failure to load modules after reboot (usually caused by module being unsigned); failure to sign due to missing keys, signature key not being automatically slated for enrollment. All these potential regression scenarios present as failure to load a DKMS module after a reboot when it should be loaded successfully.
---
At my last reboot, I was prompted to enable SecureBoot, so I did.
When I booted, however, I noticed that the virtualbox service failed
to start because it couldn't load its kernel module. If I attempt the
same thing, I see that there's an issue with keys:
    $ sudo modprobe vboxdrv
    modprobe: ERROR: could not insert 'vboxdrv': Required key not available
I do have keys enrolled; `mokutil --list-enrolled` produces
http://paste.ubuntu.com/p/rntTQr5XJV/
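The check in test case 3, as an added example that is not part of the bug report or of dkms: rather than reading hexdump output, it parses the trailer that module signing appends before the `~Module signature appended~` marker (the kernel's `struct module_signature`) and rejects a file where the marker is present but the trailer is inconsistent. The function names and the sample bytes are constructed for illustration.

```python
import struct
import sys

MAGIC = b"~Module signature appended~\n"  # marker from the test case, plus its newline
TRAILER = struct.Struct(">BBBBB3xI")      # kernel struct module_signature (12 bytes)
ID_TYPES = {0: "PGP", 1: "X.509", 2: "PKCS#7"}


def parse_module_signature(data):
    """Describe the signature appended to a .ko image; None if it is unsigned.

    Raises ValueError if the marker is present but the trailer is inconsistent.
    """
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("marker present but signature trailer is truncated")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    appended = signer_len + key_id_len + sig_len   # bytes between module and trailer
    available = len(body) - TRAILER.size
    if sig_len == 0 or appended > available:
        raise ValueError("trailer claims %d signature bytes, file has %d"
                         % (appended, available))
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "sig_len": sig_len,
        "module_len": available - appended,
    }


def constructed_sample(sig_len=16, claimed=None):
    """Constructed stand-in for a signed module: fake ELF bytes + fake signature."""
    claimed = sig_len if claimed is None else claimed
    return (b"\x7fELF" + b"\x00" * 60 + b"S" * sig_len
            + TRAILER.pack(0, 0, 2, 0, 0, claimed) + MAGIC)


if __name__ == "__main__":
    # Usage: python3 this_script.py /lib/modules/$kernel/updates/dkms/$module.ko
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = constructed_sample()  # no path given: fall back to constructed bytes
    print(parse_module_signature(image) or "unsigned: no signature marker")
```

A well-formed trailer only shows that the module was signed; whether it loads under Secure Boot still depends on the kernel trusting the signing key, which is what step 5 tests.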