No wifi after installation - does not work with secure boot enabled

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
http://iso.qa.ubuntu.com/qatracker/reports/bugs/1899678

Disabling secure boot allows network-manager to display the wifi connections.

Installing WITHOUT secure boot also allows network-manager to display the wifi connections.

So currently bcmwl-kernel-source will only work with non-secure boot

Can you open bug report against ubiquity with like $ ubuntu-bug ubiquity ?

that would collect all the installer logs, which will help to investigate this.

Or can you please attach /var/log/installer as a tarball? do check for any sensitive info there, or feel free to mark this bug report private.

I don't believe we sign broadcom drivers; thus one should require to enroll into MOK...... i wonder if MOK enrollment is working or not.

btw, what is the state of MOK? i.e.

$ sudo mokutil --list-enrolled

$ ls /var/lib/shim-signed
$ ls /var/lib/shim-signed/mok/

Hi Dimitri,

  the last time I tested secure boot installation was at 20.04 on this particular laptop. All was ok at that time.

enc are the installer tarball and the mok results. TIA

This may be caused by https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1869187.

Oct 20 17:23:15 ubuntu-budgie ubiquity: /sbin/update-secureboot-policy: 44: 3: Bad file descriptor#015
Oct 20 17:23:15 ubuntu-budgie ubiquity: Done.#015

looks like when 3rd party drivers box is not ticked (and mok enrolment pin not configured), and broadcom driver is attempted to be installed, and tries to configure update-secureboot-policy, yet it can't cause debconf prompts are not working correctly.

So i think we should still fix for packages to do debconf prompts during live/target session install correctly.

Yeah, fossfreedom, can you tell us what you ticked on the 'install third party drivers' page?

I think the second part (apt install not showing the prompt on next boot) is fixed with shim-signed 1.45 as indicated by Andy in comment #8.

But I'm not quite sure about your initial part where the installer didn't do the same. I can make that happen if I tick to install proprietary drivers and then untick "Configure secure boot". But that's to be expected. If I tick both and fill in a passphrase, then it works correctly and I'm prompted to enroll the key after completing the installation and rebooting.

Correct - I ticked the third party checkbox - I needed to-do that so
that I could then enter the secure boot password.

On Wed, 21 Oct 2020 at 12:40, Iain Lane <email address hidden> wrote:
>
> I think the second part (apt install not showing the prompt on next
> boot) is fixed with shim-signed 1.45 as indicated by Andy in comment #8.
>
> But I'm not quite sure about your initial part where the installer
> didn't do the same. I can make that happen if I tick to install
> proprietary drivers and then untick "Configure secure boot". But that's
> to be expected. If I tick both and fill in a passphrase, then it works
> correctly and I'm prompted to enroll the key after completing the
> installation and rebooting.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1899678
>
> Title:
> No wifi after installation - does not work with secure boot enabled
>
> Status in bcmwl package in Ubuntu:
> New
> Status in dkms package in Ubuntu:
> New
> Status in shim-signed package in Ubuntu:
> New
> Status in ubiquity package in Ubuntu:
> New
>
> Bug description:
> After installation I noted that my broadcom wifi was not available.
> This is a regression from 20.04 where installation automatically
> installed the broadcom driver.
>
> So I tried to force the installation again - see trace below.
>
> The dialog message to enter the secure password appeared - however on
> reboot a confirmation to change the MOK state was not seen - the
> distro booted straight in.
>
> sudo apt install --reinstall bcmwl-kernel-source
> [sudo] password for dad:
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> 0 to upgrade, 0 to newly install, 1 reinstalled, 0 to remove and 0 not to upgrade.
> Need to get 1,546 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> Get:1 http://gb.archive.ubuntu.com/ubuntu groovy/restricted amd64 bcmwl-kernel-source amd64 6.30.223.271+bdcom-0ubuntu7 [1,546 kB]
> Fetched 1,546 kB in 0s (5,232 kB/s)
> (Reading database ... 202371 files and directories currently installed.)
> Preparing to unpack .../bcmwl-kernel-source_6.30.223.271+bdcom-0ubuntu7_amd64.deb ...
> Removing all DKMS Modules
> Done.
> Unpacking bcmwl-kernel-source (6.30.223.271+bdcom-0ubuntu7) over (6.30.223.271+bdcom-0ubuntu7) ...
> Setting up bcmwl-kernel-source (6.30.223.271+bdcom-0ubuntu7) ...
> Loading new bcmwl-6.30.223.271+bdcom DKMS files...
> Building for 5.8.0-22-generic
> Building for architecture x86_64
> Building initial module for 5.8.0-22-generic
> Done.
>
> wl.ko:
> Running module version sanity check.
> - Original module
> - No original module exists within this kernel
> - Installation
> - Installing to /lib/modules/5.8.0-22-generic/updates/dkms/
>
> depmod....
>
> DKMS: install completed.
> modprobe: ERROR: could not insert 'wl': Operation not permitted
> update-initramfs: deferring update (trigger activated)
> Processing triggers for initramfs-tools (0.137ubuntu12) ...
> update-initramfs: Generating /boot/initrd.img-5....

Just to say - after installation - I was prompted on reboot to enter
my MOK password. So entering the password was accepted and then an
auto-boot took me to the normal login manager - and subsequent login.

On Wed, 21 Oct 2020 at 13:05, David Mohammed <email address hidden> wrote:
>
> Correct - I ticked the third party checkbox - I needed to-do that so
> that I could then enter the secure boot password.
>
> On Wed, 21 Oct 2020 at 12:40, Iain Lane <email address hidden> wrote:
> >
> > I think the second part (apt install not showing the prompt on next
> > boot) is fixed with shim-signed 1.45 as indicated by Andy in comment #8.
> >
> > But I'm not quite sure about your initial part where the installer
> > didn't do the same. I can make that happen if I tick to install
> > proprietary drivers and then untick "Configure secure boot". But that's
> > to be expected. If I tick both and fill in a passphrase, then it works
> > correctly and I'm prompted to enroll the key after completing the
> > installation and rebooting.
> >
> > --
> > You received this bug notification because you are subscribed to the bug
> > report.
> > https://bugs.launchpad.net/bugs/1899678
> >
> > Title:
> > No wifi after installation - does not work with secure boot enabled
> >
> > Status in bcmwl package in Ubuntu:
> > New
> > Status in dkms package in Ubuntu:
> > New
> > Status in shim-signed package in Ubuntu:
> > New
> > Status in ubiquity package in Ubuntu:
> > New
> >
> > Bug description:
> > After installation I noted that my broadcom wifi was not available.
> > This is a regression from 20.04 where installation automatically
> > installed the broadcom driver.
> >
> > So I tried to force the installation again - see trace below.
> >
> > The dialog message to enter the secure password appeared - however on
> > reboot a confirmation to change the MOK state was not seen - the
> > distro booted straight in.
> >
> > sudo apt install --reinstall bcmwl-kernel-source
> > [sudo] password for dad:
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > 0 to upgrade, 0 to newly install, 1 reinstalled, 0 to remove and 0 not to upgrade.
> > Need to get 1,546 kB of archives.
> > After this operation, 0 B of additional disk space will be used.
> > Get:1 http://gb.archive.ubuntu.com/ubuntu groovy/restricted amd64 bcmwl-kernel-source amd64 6.30.223.271+bdcom-0ubuntu7 [1,546 kB]
> > Fetched 1,546 kB in 0s (5,232 kB/s)
> > (Reading database ... 202371 files and directories currently installed.)
> > Preparing to unpack .../bcmwl-kernel-source_6.30.223.271+bdcom-0ubuntu7_amd64.deb ...
> > Removing all DKMS Modules
> > Done.
> > Unpacking bcmwl-kernel-source (6.30.223.271+bdcom-0ubuntu7) over (6.30.223.271+bdcom-0ubuntu7) ...
> > Setting up bcmwl-kernel-source (6.30.223.271+bdcom-0ubuntu7) ...
> > Loading new bcmwl-6.30.223.271+bdcom DKMS files...
> > Building for 5.8.0-22-generic
> > Building for architecture x86_64
> > Building initial module for 5.8.0-22-generic
> > Done.
> >
> > wl.ko:
> > Running module version sanity check.
> > - Original module
> > ...

New shim-signed is now on the latest images (20201021).

I'm still not clear what happened when enabling Broadcom from the installer since it all looks fine to me. Perhaps you could try and let us know what doesn't work with detailed steps to reproduce? (but hopefully it does work)

'fraid shim-signed with the new 20201021 ISO doesn't do the trick.

I've also tried to delete all the existing mok keys and do a clean install

so boot and use the "Install Ubuntu Budgie" option. Chose UK and London. Selected 3rd party checkbox and entered "password" twice for the secure password

After rebooting - the MOK enrollment came up - so i chose the option to enrol the key and entered "password" when prompted.

I've collected the /var/log/installer logs and the latest mok logs as above. See the v2 logs attached.

What does dmesg show on the installed system regarding loading of the bcmwl module?

oddly I don't see anything - see dmesg.txt

However software-properties-gtk says its in use (see software-properties-gtk.png)

and what happens (in dmesg and stdout/stderr) when you try to manually load the module with 'sudo modprobe bcmwl'?

ok - just done a fresh entire disk install whilst testing the .2 ISO.

See attached modprobe.txt (for the modprobe - I think you meant 'wl' so I did that as well.)

I followed up by connecting to the network (RJ45) and reinstalling bcmwl-kernel-source

I saw the same wl message as per modprobe.

On reboot - I was prompted for the MOK key - so enrolled that. After reboot and login, the wifi networks are now available.

So that's a little different now from the initial report - I'm guessing shim-signed as improved matters - but not whilst installing.

If you are trying to do the modprobe during the live session, it is expected that this will not succeed. It's only after MOK enrollment that these locally-signed modules will be allowed to be loaded by the kernel under SecureBoot.

If the modprobe works post-reboot and post-MOK-enrollment, then this is working as required and I believe we can close the bug report.

To clarify - the modprobe was not a live-session - this was after a
full disk install.

So - I MOK enrolled after the ubiquity install - no wifi on first
logon. Modprobe wl gave the not permitted error.

I then manually connected and force a reinstall of bcmwl-kernel-source
and subsequently on boot another MOK enroll was requested. It was
only then that Wifi was available.

On Wed, 21 Oct 2020 at 22:30, Steve Langasek <email address hidden> wrote:
>
> If you are trying to do the modprobe during the live session, it is
> expected that this will not succeed. It's only after MOK enrollment
> that these locally-signed modules will be allowed to be loaded by the
> kernel under SecureBoot.
>
> If the modprobe works post-reboot and post-MOK-enrollment, then this is
> working as required and I believe we can close the bug report.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1899678
>
> Title:
> No wifi after installation - does not work with secure boot enabled
>
> Status in bcmwl package in Ubuntu:
> New
> Status in dkms package in Ubuntu:
> New
> Status in shim-signed package in Ubuntu:
> New
> Status in ubiquity package in Ubuntu:
> New
>
> Bug description:
> After installation I noted that my broadcom wifi was not available.
> This is a regression from 20.04 where installation automatically
> installed the broadcom driver.
>
> So I tried to force the installation again - see trace below.
>
> The dialog message to enter the secure password appeared - however on
> reboot a confirmation to change the MOK state was not seen - the
> distro booted straight in.
>
> sudo apt install --reinstall bcmwl-kernel-source
> [sudo] password for dad:
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> 0 to upgrade, 0 to newly install, 1 reinstalled, 0 to remove and 0 not to upgrade.
> Need to get 1,546 kB of archives.
> After this operation, 0 B of additional disk space will be used.
> Get:1 http://gb.archive.ubuntu.com/ubuntu groovy/restricted amd64 bcmwl-kernel-source amd64 6.30.223.271+bdcom-0ubuntu7 [1,546 kB]
> Fetched 1,546 kB in 0s (5,232 kB/s)
> (Reading database ... 202371 files and directories currently installed.)
> Preparing to unpack .../bcmwl-kernel-source_6.30.223.271+bdcom-0ubuntu7_amd64.deb ...
> Removing all DKMS Modules
> Done.
> Unpacking bcmwl-kernel-source (6.30.223.271+bdcom-0ubuntu7) over (6.30.223.271+bdcom-0ubuntu7) ...
> Setting up bcmwl-kernel-source (6.30.223.271+bdcom-0ubuntu7) ...
> Loading new bcmwl-6.30.223.271+bdcom DKMS files...
> Building for 5.8.0-22-generic
> Building for architecture x86_64
> Building initial module for 5.8.0-22-generic
> Done.
>
> wl.ko:
> Running module version sanity check.
> - Original module
> - No original module exists within this kernel
> - Installation
> - Installing to /lib/modules/5.8.0-22-generic/updates/dkms/
>
> depmod....
>
> DKMS: install completed.
> modprobe: ERROR: could not insert 'wl': Operation not permitted
> update-initramfs: deferring update (trigger activated...

What exact commands did you run to force the reinstall bcmwl-kernel-source? Having MOK generated on ubiquity install, and again after a reinstall of bcmwl-kernel-source, is concerning; unless you purged quite a few packages, the MOK should persist.

Other things to check:

 - that after install, a 'modinfo wl' shows it's signed (sig_key, signature, etc)
 - that the sig_key: field in the 'modinfo wl' output matches one of the keys in the output of: mokutil --list-enrolled | sed -n -e'/X509v3 Subject Key Identifier:/,/X509v3 Authority Key Identifier:/ { /:..:/p; }'

The full terminal session is in modprobe.txt but in summary the bcmwl-kernel-source reinstall was simply:

    apt --reinstall install bcmwl-kernel-source

This is a full ISO installation - no extra packages added/nor removed

modinfo wl returns a sig_key signature

The output of the mokutil sed is

dad@dad-HP-Notebook:~$ mokutil --list-enrolled | sed -n -e'/X509v3 Subject Key Identifier:/,/X509v3 Authority Key Identifier:/ { /:..:/p; }'
                7F:BE:DE:09:14:7B:0F:BF:30:0C:8E:50:5C:FF:5F:CE:A2:01:95:67
                BD:AA:86:36:DB:8B:F4:C4:86:12:E4:98:B7:36:03:9E:CD:CB:21:E5
                E8:19:BC:A5:04:AC:51:A2:BC:51:A1:FC:E2:25:FD:69:3F:A6:E6:76
                DF:3B:45:81:83:E2:CD:8F:7E:62:D7:F6:01:6C:76:5A:52:E4:ED:47
                E7:BA:5F:11:7D:D8:E2:A9:D1:48:57:C1:31:2F:2C:78:99:14:B2:B0
                6F:39:87:A1:71:09:A1:F9:6F:81:79:E5:31:5C:0B:24:0A:08:60:05
                2F:08:F0:19:48:E3:1B:19:3E:7A:35:22:A4:48:33:B5:D8:EE:44:B8
                A0:1E:E8:4E:9B:37:AC:E4:07:96:1C:C4:68:C5:90:94:47:87:84:69
                AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
dad@dad-HP-Notebook:~$

On Thu, Oct 22, 2020 at 08:35:48AM -0000, fossfreedom wrote:
> modinfo wl returns a sig_key signature

Ok, but is that value also in the output of mokutil --list-enrolled? You
didn't say.

Ok. It's been a long weekend after the release...

I dont see and lines on the sed output that match the modinfo wl.

Double checking dmesg the last lines say

Lockdown: modprobe: unsigned module loading is restricted; see man kernel_lockdown.7

As a confirmation that the iso install was ok I reinstalled both with legacy mode and efi with non secure boot enabled and both times the bcmwl wifi was ok after installation and lockdown.

So I dont really understand why ubiquity didn't sign the wl module.