Ubuntu
linux package

MODSIGN: Couldn't get UEFI db list

Bug #1743908 reported by Wellington Uemura
68
This bug affects 15 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Medium
Unassigned

Bug Description

Kernel is having problem loading or validating certificates. Looking over the internet looks like this is a kernel issue.

Patchs from other distro:
https://bugzilla.redhat.com/show_bug.cgi?id=1497559
- 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
- 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
- 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch

[ 1.203191] Loaded X.509 cert 'Build time autogenerated kernel key: ecdf0c3ef21a8b4ca325a4d1db7d45108ca78734'
[ 1.203352] Couldn't get size: 0x800000000000000e
[ 1.203354] MODSIGN: Couldn't get UEFI db list
[ 1.205030] Loaded UEFI:MokListRT cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' linked to secondary sys keyring
[ 1.205102] Couldn't get size: 0x800000000000000e
[ 1.205103] MODSIGN: Couldn't get UEFI dbx list

ProblemType: Bug
DistroRelease: Ubuntu 17.10
Package: linux-image-4.13.0-25-generic 4.13.0-25.29
ProcVersionSignature: Ubuntu 4.13.0-25.29-generic 4.13.13
Uname: Linux 4.13.0-25-generic x86_64
ApportVersion: 2.20.7-0ubuntu3.7
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: wellington 1429 F.... pulseaudio
 /dev/snd/pcmC1D3p: wellington 1429 F...m pulseaudio
 /dev/snd/controlC1: wellington 1429 F.... pulseaudio
CurrentDesktop: ubuntu:GNOME
Date: Wed Jan 17 22:37:13 2018
HibernationDevice: RESUME=UUID=192fbe7e-0dbf-47fc-8277-75569f69f16e
InstallationDate: Installed on 2018-01-16 (1 days ago)
InstallationMedia: Ubuntu 17.10 "Artful Aardvark" - Release amd64 (20180105.1)
IwConfig:
 lo no wireless extensions.

 enp7s0 no wireless extensions.
MachineType: Gigabyte Technology Co., Ltd. To be filled by O.E.M.
ProcFB: 0 radeondrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.13.0-25-generic.efi.signed root=UUID=aa7179de-345d-4e48-8bbd-6397120a155a ro amd_iommu=fullflush iommu=pt
RelatedPackageVersions:
 linux-restricted-modules-4.13.0-25-generic N/A
 linux-backports-modules-4.13.0-25-generic N/A
 linux-firmware 1.169.1
RfKill:

SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2015
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: F3
dmi.board.asset.tag: To be filled by O.E.M.
dmi.board.name: 990FXA-UD5 R5
dmi.board.vendor: Gigabyte Technology Co., Ltd.
dmi.board.version: x.x
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: Gigabyte Technology Co., Ltd.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrF3:bd04/01/2015:svnGigabyteTechnologyCo.,Ltd.:pnTobefilledbyO.E.M.:pvrTobefilledbyO.E.M.:rvnGigabyteTechnologyCo.,Ltd.:rn990FXA-UD5R5:rvrx.x:cvnGigabyteTechnologyCo.,Ltd.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.family: To be filled by O.E.M.
dmi.product.name: To be filled by O.E.M.
dmi.product.version: To be filled by O.E.M.
dmi.sys.vendor: Gigabyte Technology Co., Ltd.

Revision history for this message
Wellington Uemura (wellingtonuemura) wrote :
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.15 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15-rc8

Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
tags: added: kernel-da-key
Revision history for this message
Wellington Uemura (wellingtonuemura) wrote :

The bug is fixed in the upstream 4.15-rc8, still in the mainline.
Thanks

tags: added: kernel-bug-exists-upstream
Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

I'd like to perform a "Reverse" bisect to figure out what commit fixes this bug. We need to identify the last kernel version that had the bug, and the first kernel version that fixed the bug.

Can you test the following kernels and report back:

v4.14-rc1: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14-rc1/
v4.14 final: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.14/
v4.15-rc1: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15-rc1/
v5.15-rc4: http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15-rc4/

You don't have to test every kernel, just up until the first kernel that does not have the bug.

Thanks in advance!

tags: added: performing-bisect
Revision history for this message
Wellington Uemura (wellingtonuemura) wrote :

None os this kernels has the bug.

Thank you.

Revision history for this message
spike speigel (frail-knight) wrote :

I'm seeing something slightly different. MokListRT vs dbx list. Is it the same issue?

[ 1.066401] Couldn't get size: 0x800000000000000e
[ 1.066403] MODSIGN: Couldn't get UEFI MokListRT
[ 1.066728] zswap: loaded using pool lzo/zbud

Revision history for this message
Wellington Uemura (wellingtonuemura) wrote :

Not in my case.

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Does this bug go away if you boot back in to 4.13.0-21?

Revision history for this message
Wellington Uemura (wellingtonuemura) wrote :

No, it doesn't.
The kernel was updated to 4.13.0-32-generic, and this still has the bug, I believe the 4.13.0-21 might have it also.

Revision history for this message
Joseph Salisbury (jsalisbury) wrote :

Can you see if v4.13 final has the bug:
http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.13/

Revision history for this message
Wellington Uemura (wellingtonuemura) wrote :

v4.13 final, all good!

[ 1.485360] Loaded X.509 cert 'Build time autogenerated kernel key: 2977791a6bc138cb597bcddff841bb4e6c0cdbe0'

Fixed.

Revision history for this message
Wellington Uemura (wellingtonuemura) wrote :

Thank you.

Wellington Uemura (wellingtonuemura)
Changed in linux (Ubuntu):
status: Incomplete → Fix Released
Revision history for this message
corrado venturini (corradoventu) wrote :

Still having the problem:
06:07:39 kernel: Couldn't get size: 0x800000000000000e
06:07:39 kernel: MODSIGN: Couldn't get UEFI db list
06:07:39 kernel: Couldn't get size: 0x800000000000000e

corrado@corrado-p6-cc-0509:~$ inxi -SCx
System: Host: corrado-p6-cc-0509 Kernel: 4.15.0-22-generic x86_64 bits: 64 compiler: gcc
           v: 7.3.0 Desktop: Gnome 3.28.1 Distro: Ubuntu Cosmic Cuttlefish (development branch)
CPU: Topology: Dual Core model: Intel Core i3-7100 bits: 64 type: MT MCP arch: Skylake
           rev: 9 L2 cache: 3072 KiB
           flags: lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx bogomips: 31296
           Speed: 800 MHz min/max: 800/3900 MHz Core speeds (MHz): 1: 800 2: 802 3: 800 4: 800
corrado@corrado-p6-cc-0509:~$

Revision history for this message
corrado venturini (corradoventu) wrote :

slightly different on a different hardware
07:39:58 kernel: MODSIGN: Couldn't get UEFI db list
07:39:58 kernel: Couldn't get size: 0x800000000000000e

System:
  Host: corrado-HP-p3-cc-0515 Kernel: 4.15.0-22-generic x86_64 bits: 64
  compiler: gcc v: 7.3.0 Desktop: Gnome 3.28.1
  Distro: Ubuntu Cosmic Cuttlefish (development branch)
CPU:
  Topology: Dual Core model: Intel Core i5-4210U bits: 64 type: MT MCP
  arch: Haswell rev: 1 L2 cache: 3072 KiB
  flags: lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx bogomips: 19155
  Speed: 998 MHz min/max: 800/2700 MHz Core speeds (MHz): 1: 905 2: 900
  3: 898 4: 899
corrado@corrado-HP-p3-cc-0515:~$

Revision history for this message
kamiccolo (kamicc) wrote :

Still a thing on 4.15.0-45-generic #48~16.04.1-Ubuntu :|

Revision history for this message
Nebojsa Grujic (opcup) wrote :

This is really a nasty one. I installed a brand new machine, did not have any problems. Then upgraded the graphics to nvidia 1070, and started having this same issue. Disabled the secure boot, problem went away, however, fstab mounted my second drive as home, as I had it before, now problem came back and I have no idea what to do.

Is it possible to get some workaround to disable this security entirely?

Revision history for this message
Kai-Heng Feng (kaihengfeng) wrote :

kamiccolo, Nebojsa Grujic,

Is secure boot enabled?

Revision history for this message
Kamal Pandey (justdogit) wrote :

I am also facing this issue the logs are as follows:

[ 5.325847] Couldn't get size: 0x800000000000000e
[ 5.325850] MODSIGN: Couldn't get UEFI db list
[ 5.325867] Couldn't get size: 0x800000000000000e
[ 5.325868] MODSIGN: Couldn't get UEFI MokListRT
[ 5.327139] zswap: loaded using pool lzo/zbud

My kernel and ubuntu version is:
Linux kk 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

kk
    description: Notebook
    product: 20245 (LENOVO_MT_20245)
    vendor: LENOVO
    version: Lenovo G500s
    serial: 3285914003773
    width: 64 bits
    capabilities: smbios-2.7 dmi-2.7 smp vsyscall32
    configuration: boot=normal chassis=notebook family=IDEAPAD sku=LENOVO_MT_20245 uuid=3FAFF882-37A5-11E3-A363-201A06349678
  *-core
       description: Motherboard
       product: INVALID
       vendor: LENOVO
       physical id: 0
       version: 31900004Std
       serial: CB27477093
       slot: Type2 - Board Chassis Location
     *-firmware
          description: BIOS
          vendor: LENOVO
          physical id: 0
          version: 7BCN36WW(V2.02)
          date: 08/28/2013
          size: 128KiB
          capacity: 4544KiB
          capabilities: pci upgrade shadowing cdboot bootselect edd int13floppynec int13floppytoshiba int13floppy360 int13floppy1200 int13floppy720 int13floppy2880 int9keyboard int10video acpi usb biosbootspecification uefi
     *-cpu
          description: CPU
          product: Intel(R) Core(TM) i3-3110M CPU @ 2.40GHz
          vendor: Intel Corp.
          physical id: 4
          bus info: cpu@0
          version: Intel(R) Core(TM) i3-3110M CPU @ 2.40GHz
          serial: To Be Filled By O.E.M.
          slot: U3E1
          size: 2294MHz
          capacity: 2400MHz
          width: 64 bits
          clock: 100MHz
          capabilities: x86-64 fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer xsave avx f16c lahf_lm cpuid_fault epb pti ssbd ibrs ibpb stibp tpr_shadow vnmi flexpriority ept vpid fsgsbase smep erms xsaveopt dtherm arat pln pts flush_l1d cpufreq
          configuration: cores=2 enabledcores=2 threads=4

any workaround will help too

Revision history for this message
Kamal Pandey (justdogit) wrote :

after resetting the bios to factory reset I was able to avoid the following error :

Couldn't get size: 0x800000000000000e
MODSIGN: Couldn't get UEFI db list

But I still got the following error:
[ 5.354582] Couldn't get size: 0x800000000000000e
[ 5.354610] MODSIGN: Couldn't get UEFI MokListRT

the setting which got changed is as follows
In the security tab of the BIOS secure boot mode --> custom was changed to
secure boot mode --> standard

Revision history for this message
spike speigel (frail-knight) wrote :

Present on 19.04 Disco Dingo with kernel:

Linux 5.0.0-11-generic #12-Ubuntu SMP Thu Apr 11 16:41:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Errors in dmesg show:

[ 1.116542] Loading compiled-in X.509 certificates
[ 1.117339] Loaded X.509 cert 'Build time autogenerated kernel key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[ 1.117966] Couldn't get size: 0x800000000000000e
[ 1.117968] MODSIGN: Couldn't get UEFI db list
[ 1.118307] Couldn't get size: 0x800000000000000e
[ 1.118307] MODSIGN: Couldn't get UEFI MokListRT
[ 1.118661] Couldn't get size: 0x800000000000000e
[ 1.118661] MODSIGN: Couldn't get UEFI dbx list
[ 1.118685] zswap: loaded using pool lzo/zbud

Also seeing this further down:

[ 5.538136] cfg80211: Loaded X.509 cert 'sforshee: xxxxxxxxxxxxxxxxxxxx'
[ 5.546340] PKCS#7 signature not signed with a trusted key
[ 5.546348] razerkbd: loading out-of-tree module taints kernel.
[ 5.546563] PKCS#7 signature not signed with a trusted key
[ 5.553517] PKCS#7 signature not signed with a trusted key
[ 5.612458] PKCS#7 signature not signed with a trusted key
[ 5.612471] nvidia: module license 'NVIDIA' taints kernel.
[ 5.612472] Disabling lock debugging due to kernel taint

and:

[ 5.721288] iwlwifi 0000:03:00.0: base HW address: blah blah blah
[ 5.725326] PKCS#7 signature not signed with a trusted key
[ 5.733135] NVRM: loading NVIDIA UNIX x86_64 Kernel Module 418.56 Fri Mar 15 12:59:26 CDT 2019
[ 5.738319] PKCS#7 signature not signed with a trusted key
[ 5.738401] PKCS#7 signature not signed with a trusted key
[ 5.739168] nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms 418.56 Fri Mar 15 12:32:40 CDT 2019
[ 5.739843] PKCS#7 signature not signed with a trusted key
[ 5.740612] PKCS#7 signature not signed with a trusted key
[ 5.740786] [drm] [nvidia-drm] [GPU ID 0x00000100] Loading driver
[ 5.740787] [drm] Initialized nvidia-drm 0.0.0 20160202 for 0000:01:00.0 on minor 0
[ 5.746905] PKCS#7 signature not signed with a trusted key
[ 5.748945] nvidia-uvm: Loaded the UVM driver in 8 mode, major device number 509

and:

[ 12.040933] PKCS#7 signature not signed with a trusted key
[ 12.046672] vboxdrv: Found 12 processor cores
[ 12.064917] vboxdrv: TSC mode is Invariant, tentative frequency 3696000093 Hz
[ 12.064917] vboxdrv: Successfully loaded version 6.0.4_Ubuntu (interface 0x00290008)
[ 12.068244] PKCS#7 signature not signed with a trusted key
[ 12.068449] VBoxNetFlt: Successfully started.
[ 12.071204] PKCS#7 signature not signed with a trusted key
[ 12.071325] VBoxNetAdp: Successfully started.
[ 12.074109] PKCS#7 signature not signed with a trusted key
[ 12.074463] VBoxPciLinuxInit

Revision history for this message
Robert M. Muncrief (rmuncrief-9) wrote :

This bug is marked as "Fix Released" but after years of running Manjaro I decided to give Ubuntu a try again with Disco Dingo 19.04 and it was simply impossible because it still exists. I could get past the initial error, and Ubuntu thought it was installed, but trying to boot just output the error message on an otherwise black screen.

The message is the same as everyone else is getting:
Couldn't get size: 0x800000000000000e
MODSIGN: Couldn't get UEFI db list
Couldn't get size: 0x800000000000000e

So unfortunately I just had to reinstall Manjaro so I could get back to work. By the way this is the reason I left Ubuntu in the first place. If you want to run a years old OS with years old software you can use an LTS release that's fairly stable. But if you want a current OS and current software interim Ubuntu releases are most often disasters, right up until it's life cycle is over.

And then the nightmare begins all over again.

But if Ubuntu is ever able to maintain a distribution that's three months or less behind mainline I'll give it a try again. It would be nice to use .deb packages without translation. It's a shame, and I really don't understand. Manjaro and other rolling releases have nowhere near the problems Ubuntu has keeping up to date. Their only downside is that for the most part no one supports them, so you have to do a lot of customization and compiling of third party software.

Anyway, good luck guys and gals. Despite my complaining I wish the best for Ubuntu.

Revision history for this message
Jack Cook (twosheds) wrote :

On my Disco Dingo see this also, though it doesn't seem to have any negative effect.

kernel: 5.0.0-16-generic
secureboot: Secure boot could not be determined (mode 0)

[ 2.243394] Loaded X.509 cert 'Build time autogenerated kernel key: xxxx...'
[ 2.267416] Couldn't get size: 0x800000000000000e
[ 2.267418] MODSIGN: Couldn't get UEFI db list
[ 2.279452] Couldn't get size: 0x800000000000000e
[ 2.279454] MODSIGN: Couldn't get UEFI MokListRT
[ 2.291440] Couldn't get size: 0x800000000000000e
[ 2.291443] MODSIGN: Couldn't get UEFI dbx list
[ 2.291467] zswap: loaded using pool lzo/zbud

motherboard : Asus Crosshair V formula - not capable of secure boot
cpu : FX8320

This shows up also in openSUSE Tumbleweed with the 5 series kernel. Not present in Fedora.

Brad Figg (brad-figg)
tags: added: cscc
Revision history for this message
SunBear (sunbear-c22) wrote :

Error "Couldn't get size: 0x800000000000000e" has resurfaced despite of the released fix. I found this error in latest Ubuntu 18.04 install. Release fix needs to be re-evaluated.

$ dmesg
.....
[ 0.933031] Loading compiled-in X.509 certificates
[ 0.934003] Loaded X.509 cert 'Build time autogenerated kernel key: xxxxx...'
[ 0.936201] Loaded UEFI:db cert 'ASUSTeK MotherBoard SW Key Certificate: xxxxx...' linked to secondary sys keyring
[ 0.936320] Loaded UEFI:db cert 'ASUSTeK Notebook SW Key Certificate: xxxxx...' linked to secondary sys keyring
[ 0.936331] Loaded UEFI:db cert 'Microsoft Corporation UEFI CA 2011: xxxxx...' linked to secondary sys keyring
[ 0.936340] Loaded UEFI:db cert 'Microsoft Windows Production PCA 2011: xxxxx...' linked to secondary sys keyring
[ 0.936461] Loaded UEFI:db cert 'Canonical Ltd. Master Certificate Authority: xxxxx...' linked to secondary sys keyring
[ 0.936838] Couldn't get size: 0x800000000000000e
[ 0.936839] MODSIGN: Couldn't get UEFI MokListRT
....

$ uname -a
Linux Machine 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

$ dpkg -l | grep linux-generic-hwe-
ii linux-generic-hwe-18.04 5.0.0.25.82 amd64 Complete Generic Linux kernel and headers

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

$ efibootmgr
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* ubuntu
Boot0001* Hard Drive

Fast Boot -- Disabled
Secure Boot -- Disabled
CSM -- Disabled

Revision history for this message
Josep Pujadas-Jubany (jpujades) wrote :

Present on 18.04.3 and 16.04.6 (64 bit, LTS with latest updates)

-----------------------------------------------------------------------------------------------------

$ dmesg | grep Couldn
[ 2.215723] Couldn't get size: 0x800000000000000e
[ 2.215759] MODSIGN: Couldn't get UEFI MokListRT

$lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.3 LTS
Release: 18.04
Codename: bionic

$ uname -a
Linux ubuntu-bellera 5.0.0-27-generic #28~18.04.1-Ubuntu SMP Thu Aug 22 03:00:32 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Acer TravelMate B118-M (TMB118-M-C4AL manufactured date 2019/05/23)

-----------------------------------------------------------------------------------------------------

$ dmesg | grep Couldn
[ 2.305514] Couldn't get size: 0x800000000000000e
[ 2.305575] MODSIGN: Couldn't get UEFI MokListRT

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial

$ uname -a
Linux ubuntu-bellera 4.15.0-62-generic #69~16.04.1-Ubuntu SMP Fri Sep 6 02:43:35 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Acer TravelMate B117-M (TMB117-M-C661 manufactured date 2016/07/18)

Revision history for this message
Josep Pujadas-Jubany (jpujades) wrote :

Oops! Sorry!

Forgot to say that we are using Secure Boot Disabled on both computers (Acer TravelMate B117-M & B118-M).

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.