dkms key enrolled in mok, but dkms module fails to load

Bug #1772950 reported by Dan Watkins on 2018-05-23
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
dkms (Ubuntu) | | Critical | Mathieu Trudel-Lapierre |
Bionic | | Undecided | Unassigned |

Bug Description

[Impact]
All Ubuntu users for whom Secure Boot is enabled.

[Test cases]
1) install dkms module (use virtualbox-dkms for example)
2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 4.15.0-20-generic).
3) Verify that the generated module for the new kernel (4.15.0-22-generic in this example) is built and signed by verifying that the file in /lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature appended~:

$ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail -n 100
[...]
~Module signature appended~

4) Reboot
5) modprobe -v the module.
It should not respond "Required key not available", and should return with no error.
6) Verify that dkms does not contain PKCS#7 errors.

[Regression potential]
Possible regressions involve failure to sign modules and/or failure to load them after updates: a module being built but left unsigned after a new kernel or a new DKMS module is installed; failure to load modules after reboot (usually because the module is unsigned); or failure to sign because keys are missing or the signing key is not automatically slated for MOK enrollment. All of these regression scenarios present the same way: a DKMS module that should load successfully fails to load after a reboot.

---

At my last reboot, I was prompted to enable SecureBoot, so I did.

When I booted, however, I noticed that the virtualbox service failed to start because it couldn't load its kernel module. If I attempt the same thing, I see that there's an issue with keys:

$ sudo modprobe vboxdrv
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

I do have keys enrolled; `mokutil --list-enrolled` produces http://paste.ubuntu.com/p/rntTQr5XJV/
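Test case steps 3 and 6 check, by eye with hexdump, that the rebuilt .ko ends in the ~Module signature appended~ trailer and carries a sane PKCS#7 blob. The following is an added example, not code from the bug report or from the dkms package: it parses the trailer the kernel's sign-file appends (the 28-byte magic string preceded by the 12-byte struct module_signature, which for PKCS#7 must have id_type 2 and zeroed algo/hash/signer fields) and applies the same sanity checks the kernel's mod_check_sig() does, so unsigned DKMS modules can be spotted before rebooting. The constructed image and append_fake_signature() exist only to exercise the parser offline; the /lib/modules path matches the one in the test case.

```python
import os
import pathlib
import struct

# Trailer the kernel's sign-file appends after the signature blob.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 padding bytes, then sig_len as a big-endian u32.
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used for PKCS#7 module signatures


def inspect_module(data: bytes) -> dict:
    """Report whether a module image carries a well-formed PKCS#7 signature."""
    if not data.endswith(MAGIC):
        return {"signed": False, "reason": "no signature trailer"}
    body = data[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return {"signed": False, "reason": "truncated module_signature struct"}
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(body[-SIG_INFO.size:])
    payload_end = len(body) - SIG_INFO.size
    # Same checks the kernel applies before handing the blob to the PKCS#7 parser.
    if id_type != PKEY_ID_PKCS7:
        return {"signed": False, "reason": f"unexpected id_type {id_type}"}
    if algo or hash_ or signer_len or key_id_len:
        return {"signed": False, "reason": "PKCS#7 trailer must have zero algo/hash/signer fields"}
    if sig_len == 0 or sig_len > payload_end:
        return {"signed": False, "reason": f"sig_len {sig_len} does not fit in file"}
    pkcs7 = body[payload_end - sig_len:payload_end]
    if not pkcs7.startswith(b"\x30"):  # DER SEQUENCE tag
        return {"signed": False, "reason": "signature blob is not a DER SEQUENCE"}
    return {"signed": True, "sig_len": sig_len, "module_len": payload_end - sig_len}


def append_fake_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Constructed helper mimicking the layout sign-file produces (offline testing only)."""
    return module + pkcs7 + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7)) + MAGIC


def scan_dkms_modules(kernel: str) -> list:
    """Inspect every DKMS-built module for one kernel, as the test case does by hand."""
    root = pathlib.Path("/lib/modules") / kernel / "updates" / "dkms"
    return [(p.name, inspect_module(p.read_bytes())) for p in sorted(root.glob("*.ko"))]


if __name__ == "__main__":
    for name, result in scan_dkms_modules(os.uname().release):
        print(name, result)
```

A module that reports signed: False here will fail modprobe with "Required key not available" under Secure Boot even when the MOK is enrolled, which is exactly the symptom this bug describes.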

Dan Watkins (daniel-thewatkins) wrote :

term.log for installation of my current kernel: https://paste.ubuntu.com/p/3TVVFpFSNX/

term.log from the last time I see virtualbox DKMS stuff happening: https://paste.ubuntu.com/p/7f7p6t48pn/

Steve Langasek (vorlon) wrote :

The logs show the new kernel being installed, but show no dkms module building at time of kernel install. That seems strange to me. We should figure out what generated /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko and when and why it's not correctly signed.

Changed in dkms (Ubuntu):
status: New → Incomplete
Steve Langasek (vorlon) wrote :

Based on timestamp info provided out of band, /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko was generated as part of the kernel install via /etc/kernel/postinst.d/dkms, despite the lack of verbosity.

Changed in dkms (Ubuntu):
status: Incomplete → New
importance: Undecided → High
Steve Langasek (vorlon) wrote :

The dkms package's shim integration only happens in /usr/lib/dkms/common.postinst. It appears this code is only triggered on installation of a dkms package; this code path is not used as part of the kernel postinst hook when building modules for a newly-installed kernel - that hook only calls /usr/lib/dkms/dkms_autoinstaller.

Marking this critical, since this means users will lose their dkms modules on kernel upgrade.

Changed in dkms (Ubuntu):
status: New → Triaged
importance: High → Critical
Dan Watkins (daniel-thewatkins) wrote :

I can confirm that the new module isn't signed at all:

$ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail -n 100 | pastebinit
http://paste.ubuntu.com/p/BFSg9DsqR8/

Contrast with a previous kernel that was installed when virtualbox was last upgraded:

$ hexdump -Cv /lib/modules/4.15.0-15-generic/updates/dkms/vboxdrv.ko | tail -n 100 | pastebinit
http://paste.ubuntu.com/p/W8WyVTd2zc/

Steve Langasek (vorlon) on 2018-05-23
Changed in dkms (Ubuntu):
assignee: nobody → Mathieu Trudel-Lapierre (cyphermox)
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 2.3-3ubuntu10

---------------
dkms (2.3-3ubuntu10) cosmic; urgency=medium

  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: move sign
    code to dkms script itself, so it also applies on kernel upgrades.
    (LP: #1772950)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 23 May 2018 13:15:53 -0400

Changed in dkms (Ubuntu):
status: Triaged → Fix Released

Hello Dan, or anyone else affected,

Accepted dkms into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.3-3ubuntu9.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in dkms (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
tags: added: id-5b0593ddfc4d344a05f862a7
tags: added: id-5b05a00120e543dc26a03df7

Verification-done on bionic:

ii dkms 2.3-3ubuntu9.1 all Dynamic Kernel Module Support Framework
ii virtualbox-dkms 5.2.10-dfsg-6 all x86 virtualization solution - kernel mod

I have verified that with the old dkms, kernel upgrades lead to an unsigned vboxdrv module; and with the new dkms, kernel upgrades do have signed modules that load correctly with SecureBoot enabled.

tags: added: verification-done-bionic
removed: verification-needed verification-needed-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 2.3-3ubuntu9.1

---------------
dkms (2.3-3ubuntu9.1) bionic; urgency=medium

  * 0009-Add-support-for-UEFI-Secure-Boot-validation-toggling.patch: move sign
    code to dkms script itself, so it also applies on kernel upgrades.
    (LP: #1772950)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 23 May 2018 13:15:53 -0400

Changed in dkms (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for dkms has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
