Linux 4.12 refuses to load self-signed modules under Secure Boot with properly enrolled keys

Bug #1712168 reported by Eric Carvalho
This bug affects 3 people
Affects: linux (Ubuntu)
Importance: High
Assigned to: Seth Forshee

Bug Description

Since version 4.12, Linux refuses to load my self-signed VirtualBox modules.

$ lsb_release -d
Description: Ubuntu Artful Aardvark (development branch)

$ uname -rvm
4.12.0-11-generic #12-Ubuntu SMP Fri Aug 11 12:26:42 UTC 2017 x86_64

$ sudo modprobe -v vboxdrv
insmod /lib/modules/4.12.0-11-generic/misc/vboxdrv.ko
modprobe: ERROR: could not insert 'vboxdrv': Required key not available

I've followed [this guide](https://askubuntu.com/a/768310/65926) to import the key and sign the modules. It worked until kernel 4.11.

The key is properly enrolled:

$ sudo mokutil --test-key .mok/mok-eric-carvalho.der
.mok/mok-eric-carvalho.der is already enrolled

I think this happens because the kernel was built without CONFIG_MODULE_SIG_UEFI:

$ ls -1 /boot/config-*
/boot/config-4.11.0-13-generic
/boot/config-4.12.0-11-generic

$ grep CONFIG_MODULE_SIG_UEFI /boot/config-*
/boot/config-4.11.0-13-generic:CONFIG_MODULE_SIG_UEFI=y

Same problem with kernel 4.12.0-12.13 from the proposed repository.

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: linux-image-4.12.0-11-generic 4.12.0-11.12
ProcVersionSignature: Ubuntu 4.12.0-11.12-generic 4.12.5
Uname: Linux 4.12.0-11-generic x86_64
ApportVersion: 2.20.6-0ubuntu6
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC1: carvalho 3077 F.... pulseaudio
 /dev/snd/controlC0: carvalho 3077 F.... pulseaudio
CurrentDesktop: Budgie:GNOME
Date: Mon Aug 21 15:37:56 2017
HibernationDevice: RESUME=UUID=8766d3eb-a19c-403c-829a-ff5fa7878e87
InstallationDate: Installed on 2016-12-15 (249 days ago)
InstallationMedia: Ubuntu 17.04 "Zesty Zapus" - Alpha amd64 (20161214)
MachineType: LENOVO 80JE
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.12.0-11-generic.efi.signed root=UUID=ca49cfac-7b28-4152-bf45-006806f69224 ro quiet splash vt.handoff=7
RelatedPackageVersions:
 linux-restricted-modules-4.12.0-11-generic N/A
 linux-backports-modules-4.12.0-11-generic N/A
 linux-firmware 1.167
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 09/30/2016
dmi.bios.vendor: LENOVO
dmi.bios.version: B0CNA0WW
dmi.board.asset.tag: NO Asset Tag
dmi.board.name: Lancer 4A1
dmi.board.vendor: LENOVO
dmi.board.version: SDK0J40688 WIN
dmi.chassis.asset.tag: NO Asset Tag
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: Lenovo G40-80
dmi.modalias: dmi:bvnLENOVO:bvrB0CNA0WW:bd09/30/2016:svnLENOVO:pn80JE:pvrLenovoG40-80:rvnLENOVO:rnLancer4A1:rvrSDK0J40688WIN:cvnLENOVO:ct10:cvrLenovoG40-80:
dmi.product.family: IDEAPAD
dmi.product.name: 80JE
dmi.product.version: Lenovo G40-80
dmi.sys.vendor: LENOVO
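
The config comparison in the description above, generalized into a reusable check; this is an added example, not part of the original report or of any Ubuntu tooling. The function names and the sample config files are constructed for illustration; only the option name and kernel versions come from the report.

```shell
#!/bin/sh
# Added example: compare one Kconfig option across the kernel config files
# in a directory such as /boot. Function names are hypothetical.

# Print "<file> <state>" per config-* file. State is the option's value
# (y, m, ...), "unset" for an explicit "# OPT is not set" line, or "absent"
# when the file never mentions OPT, i.e. the symbol was not visible when
# that kernel was configured.
option_states() {
    for f in "$1"/config-*; do
        [ -f "$f" ] || continue
        if line=$(grep -m1 "^$2=" "$f"); then
            echo "$(basename "$f") ${line#*=}"
        elif grep -q "^# $2 is not set\$" "$f"; then
            echo "$(basename "$f") unset"
        else
            echo "$(basename "$f") absent"
        fi
    done
}

# List configs that lack OPT=y although another config in the same
# directory has it: candidates for "worked before the upgrade" regressions.
dropped_in() {
    states=$(option_states "$1" "$2")
    echo "$states" | grep -q ' y$' || return 0
    echo "$states" | awk '$2 != "y" { print $1 }'
}

# Constructed sample mirroring the two configs named in the report.
make_sample() {
    d=$(mktemp -d)
    printf 'CONFIG_MODULE_SIG=y\nCONFIG_MODULE_SIG_UEFI=y\n' \
        > "$d/config-4.11.0-13-generic"
    printf 'CONFIG_MODULE_SIG=y\n' > "$d/config-4.12.0-11-generic"
    echo "$d"
}

# Pass a directory (e.g. /boot) as $1; without one the sample is used.
dir=${1:-$(make_sample)}
option_states "$dir" CONFIG_MODULE_SIG_UEFI
echo "missing here but set elsewhere: $(dropped_in "$dir" CONFIG_MODULE_SIG_UEFI)"
```

A plain `grep OPTION` also matches the `# OPTION is not set` comment line, so a config that produces no output at all, like the 4.12 one in the report, falls in the "absent" state rather than "unset".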

Eric Carvalho (eric-carvalho) wrote :
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
tags: added: kernel-da-key
Seth Forshee (sforshee)
Changed in linux (Ubuntu):
assignee: nobody → Seth Forshee (sforshee)
importance: Medium → High
status: Triaged → In Progress
Seth Forshee (sforshee) wrote :

Confirmed the bug in 4.12 and 4.13, applied fix to both artful kernel trees and confirmed that it fixes the issue.

Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.12.0-13.14

---------------
linux (4.12.0-13.14) artful; urgency=low

  * linux: 4.12.0-13.14 -proposed tracker (LP: #1714687)

  * vhost guest network randomly drops under stress (kvm) (LP: #1711251)
    - Revert "vhost: cache used event for better performance"

  * EDAC sbridge: Failed to register device with error -22. (LP: #1714112)
    - [Config] CONFIG_EDAC_GHES=n

  * Artful update to v4.12.10 stable release (LP: #1714525)
    - sparc64: remove unnecessary log message
    - bonding: require speed/duplex only for 802.3ad, alb and tlb
    - bonding: ratelimit failed speed/duplex update warning
    - af_key: do not use GFP_KERNEL in atomic contexts
    - dccp: purge write queue in dccp_destroy_sock()
    - dccp: defer ccid_hc_tx_delete() at dismantle time
    - ipv4: fix NULL dereference in free_fib_info_rcu()
    - net_sched/sfq: update hierarchical backlog when drop packet
    - net_sched: remove warning from qdisc_hash_add
    - bpf: fix bpf_trace_printk on 32 bit archs
    - net: igmp: Use ingress interface rather than vrf device
    - openvswitch: fix skb_panic due to the incorrect actions attrlen
    - ptr_ring: use kmalloc_array()
    - ipv4: better IP_MAX_MTU enforcement
    - nfp: fix infinite loop on umapping cleanup
    - tun: handle register_netdevice() failures properly
    - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
    - tipc: fix use-after-free
    - ipv6: reset fn->rr_ptr when replacing route
    - ipv6: repair fib6 tree in failure case
    - tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
    - net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
    - irda: do not leak initialized list.dev to userspace
    - net: sched: fix NULL pointer dereference when action calls some targets
    - net_sched: fix order of queue length updates in qdisc_replace()
    - bpf, verifier: add additional patterns to evaluate_reg_imm_alu
    - bpf: fix mixed signed/unsigned derived min/max value bounds
    - bpf/verifier: fix min/max handling in BPF_SUB
    - Input: trackpoint - add new trackpoint firmware ID
    - Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
    - Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad
    - KVM: s390: sthyi: fix sthyi inline assembly
    - KVM: s390: sthyi: fix specification exception detection
    - KVM: x86: simplify handling of PKRU
    - KVM, pkeys: do not use PKRU value in vcpu->arch.guest_fpu.state
    - KVM: x86: block guest protection keys unless the host has them enabled
    - ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
    - ALSA: core: Fix unexpected error at replacing user TLV
    - ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
    - ALSA: firewire: fix NULL pointer dereference when releasing uninitialized
      data of iso-resource
    - ALSA: firewire-motu: destroy stream data surely at failure of card
      initialization
    - ARCv2: SLC: Make sure busy bit is set properly for region ops
    - ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
    - ARCv2: PAE40: set MSB even if !CONFIG_ARC_HAS_...

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released