lost wifi, ethernet, docking station with 16.04 kernel signing.

Peter Silva peter at bsqt.homeip.net
Mon Apr 25 23:26:04 UTC 2016 

I boot 4.4.0-18 and all the modules insert just fine.
4.4.0-19 and later I get the error message.
I don't build my kernel, it's just stock ubuntu.


On Mon, Apr 25, 2016 at 1:42 PM, Tom H <tomh0665 at gmail.com> wrote:

> On Mon, Apr 25, 2016, Petter Adsen <petter at synth.no> wrote:
> > On Sun, 24 Apr 2016, Peter Silva <peter at bsqt.homeip.net> wrote:
> >>
> >> Had been running pre-release versions of 16.04 since December.
> >> Everything was working fine, until last week when kernel module
> >> signing was added. I need three external kernel modules for my
> >> laptop: evdi (external display over USB), MT7630 (wireless), and now
> >> they all fail to install with:
> >>
> >> root at blacklab:/usr/src/evdi-1.0.335# insmod evdi.ko
> >> insmod: ERROR: could not insert module evdi.ko: Required key not
> >> available root at blacklab:/usr/src/evdi-1.0.335#
> >
> > I am guessing you are booting with Secure Boot enabled? If so, either
> > disable it or generate your own keys and add them to the firmware or
> > the MOK (Machine Owner Key) list. You can then sign the modules
> > yourself using that key.
>
> The kernel's "MODULE_SIG*" settings are unrelated to SB.
>
> You can choose to require signed kernel modules or not with SB.
>
> You can also choose to require signed kernel modules without SB.
>
> Ubuntu's kernel config has "CONFIG_MODULE_SIG_FORCE is not set"
> ("CONFIG_MODULE_SIG_FORCE" corresponds to "Require modules to be
> validly signed" in "make menuconfig"):
>
> localhost:/boot# grep MODULE_SIG config-4.4.0-21-generic
> CONFIG_MODULE_SIG=y
> # CONFIG_MODULE_SIG_FORCE is not set
> CONFIG_MODULE_SIG_ALL=y
> # CONFIG_MODULE_SIG_SHA1 is not set
> # CONFIG_MODULE_SIG_SHA224 is not set
> # CONFIG_MODULE_SIG_SHA256 is not set
> # CONFIG_MODULE_SIG_SHA384 is not set
> CONFIG_MODULE_SIG_SHA512=y
> CONFIG_MODULE_SIG_HASH="sha512"
> CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
>
> so it doesn't force kernel module signing even though it signs modules
> and the kernel's public key's loaded - and therefore available for
> checking signatures:
>
> Apr 24 16:02:45 localhost kernel: Loading compiled-in X.509 certificates
> Apr 24 16:02:45 localhost kernel: Loaded X.509 cert 'Build time
> autogenerated kernel key: fc7c0e9f152f32eca50ea2d9722926e5127af244'
>
> An unsigned module should load, otherwise any app requiring dkms would
> fail.
>
> On a non-EFI, 16.04 laptop:
>
> - a module that's shipped with the linux-image package is signed:
>
> localhost:/lib/modules/4.4.0-21-generic# hexdump -C
> kernel/fs/btrfs/btrfs.ko | tail
> 00187750  4f 21 60 14 2f d3 0d c8  e1 1b a1 d9 9a d8 d5 d0
> |O!`./...........|
> 00187760  1b d4 63 80 fb 53 3e 43  d3 00 24 1b a7 6f 25 37
> |..c..S>C..$..o%7|
> 00187770  a0 a1 be bc 32 4a d2 c2  3f d0 ba 42 2c 9e 2f 64
> |....2J..?..B,./d|
> 00187780  15 24 e9 cb 18 b3 24 78  a9 fd 9c ac 7f c4 1a 46
> |.$....$x.......F|
> 00187790  14 b6 ed f3 b0 07 08 5b  08 2c 24 0b 9f 9c 12 97
> |.......[.,$.....|
> 001877a0  51 71 f7 1a 8f 63 45 ed  da 3c 44 a0 31 e1 0d cb
> |Qq...cE..<D.1...|
> 001877b0  47 77 2e 2a 5c 00 00 00  02 00 00 00 00 00 00 00
> |Gw.*\...........|
> 001877c0  02 9e 7e 4d 6f 64 75 6c  65 20 73 69 67 6e 61 74  |..~Module
> signat|
> 001877d0  75 72 65 20 61 70 70 65  6e 64 65 64 7e 0a        |ure
> appended~.|
> 001877de
>
> - VirtualBox's module isn't signed:
>
> localhost:/lib/modules/4.4.0-21-generic# hexdump -C
> updates/dkms/vboxdrv.ko | tail
> 000904d0  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> |................|
> 000904e0  01 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00
> |................|
> 000904f0  00 00 00 00 00 00 00 00  18 3e 04 00 00 00 00 00
> |.........>......|
> 00090500  c0 d2 00 00 00 00 00 00  2c 00 00 00 a1 03 00 00
> |........,.......|
> 00090510  08 00 00 00 00 00 00 00  18 00 00 00 00 00 00 00
> |................|
> 00090520  09 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00
> |................|
> 00090530  00 00 00 00 00 00 00 00  d8 10 05 00 00 00 00 00
> |................|
> 00090540  f4 ea 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> |................|
> 00090550  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
> |................|
> 00090560
>
> Yet it's loaded, along with other VirtualBox modules, and VirtualBox works
> fine:
>
> localhost:~# lsmod | grep vbox
> vboxpci                24576  0
> vboxnetadp             28672  0
> vboxnetflt             28672  0
> vboxdrv               454656  3 vboxnetadp,vboxnetflt,vboxpci
>
> Going back to the failed insmod. Unless Ubuntu's published
> documentation is out of date, this shouldn't happen because even an
> unsigned kernel will be loaded with SB active (in Ubuntu).
>
> --
> ubuntu-users mailing list
> ubuntu-users at lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20160425/69e0494c/attachment.html>

More information about the ubuntu-users mailing list