dkms key enrolled in mok, but dkms module fails to load
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dkms (Ubuntu) |
Fix Released
|
Critical
|
Mathieu Trudel-Lapierre | ||
Trusty |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
All Ubuntu users for whom Secure Boot is enabled.
[Test cases]
1) install dkms module (use virtualbox-dkms for example)
2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 4.15.0-20-generic).
3) Verify that the generated module for the new kernel (4.15.0-22-generic in this example) is built and signed by verifying that the file in /lib/modules/
$ hexdump -Cv /lib/modules/
[...]
~Module signature appended~
4) Reboot
5) modprobe -v the module.
It should not respond "Required key not available", and should return with no error.
6) Verify that dkms does not contain PKCS#7 errors.
[Regression potential]
Possible regressions involve failure to sign and/or be able to load modules after updates: failure to sign leading to a module being built but unsigned after a new kernel is installed or after a new DKMS module is installed, failure to load modules after reboot (usually caused by module being unsigned); failure to sign due to missing keys, signature key not being automatically slated for enrollment. All these potential regression scenarios present as failure to load a DKMS module after a reboot when it should be loaded successfully.
---
At my last reboot, I was prompted to enable SecureBoot, so I did.
When I booted, however, I noticed that the virtualbox service failed to start because it couldn't load its kernel module. If I attempt the same thing, I see that there's an issue with keys:
$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available
I do have keys enrolled; `mokutil --list-enrolled` produces http://
Changed in dkms (Ubuntu): | |
assignee: | nobody → Mathieu Trudel-Lapierre (cyphermox) |
description: | updated |
tags: | added: id-5b0593ddfc4d344a05f862a7 |
tags: | added: id-5b05a00120e543dc26a03df7 |
term.log for installation of my current kernel: https:/ /paste. ubuntu. com/p/3TVVFpFSN X/
term.log from the last time I see virtualbox DKMS stuff happening: https:/ /paste. ubuntu. com/p/7f7p6t48p n/