lost wifi, ethernet, docking station with 16.04 kernel signing.
Tom H
tomh0665 at gmail.com
Mon Apr 25 17:42:30 UTC 2016
On Mon, Apr 25, 2016, Petter Adsen <petter at synth.no> wrote:
> On Sun, 24 Apr 2016, Peter Silva <peter at bsqt.homeip.net> wrote:
>>
>> Had been running pre-release versions of 16.04 since December.
>> Everything was working fine, until last week when kernel module
>> signing was added. I need three external kernel modules for my
>> laptop: evdi (external display over USB), MT7630 (wireless), and now
>> they all fail to install with:
>>
>> root@blacklab:/usr/src/evdi-1.0.335# insmod evdi.ko
>> insmod: ERROR: could not insert module evdi.ko: Required key not available
>> root@blacklab:/usr/src/evdi-1.0.335#
>
> I am guessing you are booting with Secure Boot enabled? If so, either
> disable it or generate your own keys and add them to the firmware or
> the MOK (Machine Owner Key) list. You can then sign the modules
> yourself using that key.

The kernel's "MODULE_SIG*" settings are unrelated to SB.

You can choose to require signed kernel modules or not with SB.
You can also choose to require signed kernel modules without SB.

Ubuntu's kernel config has "CONFIG_MODULE_SIG_FORCE is not set"
("CONFIG_MODULE_SIG_FORCE" corresponds to "Require modules to be
validly signed" in "make menuconfig"):

localhost:/boot# grep MODULE_SIG config-4.4.0-21-generic
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

so it doesn't force kernel module signing even though it signs modules
and the kernel's public key's loaded - and therefore available for
checking signatures:

Apr 24 16:02:45 localhost kernel: Loading compiled-in X.509 certificates
Apr 24 16:02:45 localhost kernel: Loaded X.509 cert 'Build time autogenerated kernel key: fc7c0e9f152f32eca50ea2d9722926e5127af244'

An unsigned module should load, otherwise any app requiring dkms would fail.

On a non-EFI, 16.04 laptop:

- a module that's shipped with the linux-image package is signed:

localhost:/lib/modules/4.4.0-21-generic# hexdump -C kernel/fs/btrfs/btrfs.ko | tail
00187750 4f 21 60 14 2f d3 0d c8 e1 1b a1 d9 9a d8 d5 d0 |O!`./...........|
00187760 1b d4 63 80 fb 53 3e 43 d3 00 24 1b a7 6f 25 37 |..c..S>C..$..o%7|
00187770 a0 a1 be bc 32 4a d2 c2 3f d0 ba 42 2c 9e 2f 64 |....2J..?..B,./d|
00187780 15 24 e9 cb 18 b3 24 78 a9 fd 9c ac 7f c4 1a 46 |.$....$x.......F|
00187790 14 b6 ed f3 b0 07 08 5b 08 2c 24 0b 9f 9c 12 97 |.......[.,$.....|
001877a0 51 71 f7 1a 8f 63 45 ed da 3c 44 a0 31 e1 0d cb |Qq...cE..<D.1...|
001877b0 47 77 2e 2a 5c 00 00 00 02 00 00 00 00 00 00 00 |Gw.*\...........|
001877c0 02 9e 7e 4d 6f 64 75 6c 65 20 73 69 67 6e 61 74 |..~Module signat|
001877d0 75 72 65 20 61 70 70 65 6e 64 65 64 7e 0a |ure appended~.|
001877de

- VirtualBox's module isn't signed:

localhost:/lib/modules/4.4.0-21-generic# hexdump -C updates/dkms/vboxdrv.ko | tail
000904d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000904e0 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................|
000904f0 00 00 00 00 00 00 00 00 18 3e 04 00 00 00 00 00 |.........>......|
00090500 c0 d2 00 00 00 00 00 00 2c 00 00 00 a1 03 00 00 |........,.......|
00090510 08 00 00 00 00 00 00 00 18 00 00 00 00 00 00 00 |................|
00090520 09 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................|
00090530 00 00 00 00 00 00 00 00 d8 10 05 00 00 00 00 00 |................|
00090540 f4 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00090550 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00090560

Yet it's loaded, along with other VirtualBox modules, and VirtualBox works fine:

localhost:~# lsmod | grep vbox
vboxpci 24576 0
vboxnetadp 28672 0
vboxnetflt 28672 0
vboxdrv 454656 3 vboxnetadp,vboxnetflt,vboxpci

Going back to the failed insmod. Unless Ubuntu's published
documentation is out of date, this shouldn't happen because even an
unsigned kernel will be loaded with SB active (in Ubuntu).
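
Added example, not part of the original post: a Python check that reads the same trailer the two hexdumps above show by eye, assuming the 12-byte layout of the kernel's struct module_signature. The function name and the sample images are constructed here; the code only reports whether a signature is appended and how long it is, it does not verify it against any key.

```python
import struct

MAGIC = b"~Module signature appended~\n"        # 28-byte marker ending a signed .ko
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}   # kernel enum pkey_id_type
INFO_LEN = 12                                   # sizeof(struct module_signature)


def parse_module_signature(data):
    """Describe the signature appended to a module image, or return None.

    File layout: [ELF module][signature blob][struct module_signature][MAGIC]
    """
    if not data.endswith(MAGIC):
        return None                             # unsigned, like vboxdrv.ko above
    info_end = len(data) - len(MAGIC)
    if info_end < INFO_LEN:
        raise ValueError("marker present but signature info is truncated")
    # u8 algo, hash, id_type, signer_len, key_id_len; u8 pad[3]; __be32 sig_len
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        ">5B3xI", data[info_end - INFO_LEN:info_end])
    blob_end = info_end - INFO_LEN
    if sig_len >= blob_end:
        raise ValueError("sig_len larger than the file allows")
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "algo": algo, "hash": hash_id,
        "signer_len": signer_len, "key_id_len": key_id_len,
        "sig_len": sig_len,
        "module_len": blob_end - sig_len,       # bytes the signature covers
    }


# The 12 info bytes that precede the marker in the btrfs.ko hexdump above.
BTRFS_INFO = bytes.fromhex("00 00 02 00 00 00 00 00 00 00 02 9e")

# Constructed sample images (not real modules): 64-byte fake body, filler blob.
FAKE_BODY = b"\x7fELF" + b"\x00" * 60
SIGNED = FAKE_BODY + b"\xaa" * 0x29E + BTRFS_INFO + MAGIC
UNSIGNED = FAKE_BODY

if __name__ == "__main__":
    print("signed  :", parse_module_signature(SIGNED))
    print("unsigned:", parse_module_signature(UNSIGNED))
```

To inspect a real module, pass the file's bytes, e.g. open(path, "rb").read().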