lost wifi, ethernet, docking station with 16.04 kernel signing.

Tom H tomh0665 at gmail.com
Wed Apr 27 09:23:45 UTC 2016


On Tue, Apr 26, 2016 at 4:13 AM, Peter Silva <peter at bsqt.homeip.net> wrote:
> On Mon, Apr 25, 2016 at 8:25 PM, Tom H <tomh0665 at gmail.com> wrote:
>> On Tue, Apr 26, 2016 at 2:15 AM, Tom H <tomh0665 at gmail.com> wrote:
>>> On Tue, Apr 26, 2016 at 1:26 AM, Peter Silva <peter at bsqt.homeip.net>
>>> wrote:
>>>>
>>>> I boot 4.4.0-18 and all the modules insert just fine.
>>>> 4.4.0-19 and later I get the error message.
>>>
>>> Please bottom-post.
>>>
>>> My apologies. I always assumed that setting the MODULE_SIG* would
>>> force the kernel to check for signed modules in general as well as for
>>> signed modules in the SB case but I had some doubts.
>>>
>>> Given your problem, I had the rather silly idea of grepping through
>>> the 4.4.0-21 kernel config for "EFI" and I found
>>> "EFI_SECURE_BOOT_SIG_ENFORCE".
>>>
>>> I couldn't find it in my upstream 4.6-rc5 kconfig but I did find it in
>>> an Ubuntu patch, "linux_4.4.0-21.37.diff", and it means "Force module
>>> signing when UEFI Secure Boot is enabled".
>>>
>>> Check -18 and -19 for this. It's probably off or non-existent in -18.
>>>
>>> So Ubuntu's killed dkms-dependent packages (or otherwise
>>> locally-compiled modules) with SB active - unless you compile and sign
>>> your own stuff.
>>
>> I've found the "EFI_SECURE_BOOT_SIG_ENFORCE" bug:
>>
>> https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1566221
>>
>> You can use dkms modules after running "sudo mokutil
>> --disable-validation" so it might/should work for your
>> locally-compiled modules.
>
> This made no difference. I did mokutil --disable-validation, it prompted
> for a password twice... did not know if it was setting one or asking for a
> known one then returned (usually means success in linux.)
>
> tried rebooting... same behaviour.

:(

No idea. The guy who posted to the bug report says that it worked for him.
I have SB disabled so I can't check whether it works for me.


> went into bios. Disabled secure boot for now...
> now can boot and run modules on 4.4.0-22.
>
> A lot of people need external modules.
> Any easy recipes to sign modules for non kdevs somewhere?

(OTT remark: it's called firmware on efi not bios)

Someone posted a link earlier in this thread.

Signing the modules is straightforward; you have to choose
"Automatically sign all modules" in the kernel config and copy your
cert to "./certs/signing_key.pem" (or point at another location via
"MODULE_SIG_KEY" in the kernel config).

You then have to sign your out-of-tree, locally-compiled modules with that cert.

It's the generation and uploading of keys that's more involved.

I've been intending to go through the rigmarole of working with my own
keys and enabling SB but I've been putting it off because I'd rather
not figure out what has to be done, forget about it, and then have to
re-learn it when I buy a new laptop. If SB becomes compulsory on
servers, I'll bite the bullet.




More information about the ubuntu-users mailing list
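
The check suggested in the thread (compare kernel configs for "EFI_SECURE_BOOT_SIG_ENFORCE") and a test for whether a module file carries an appended signature, as an added example that is not part of the original messages. The function names and sample files are constructed for illustration; MODULE_SIG and MODULE_SIG_FORCE are upstream kernel options, and the 28-byte marker is the trailer the kernel's module signing appends.

```shell
#!/bin/sh
# Value of one CONFIG_ option: its value, "n" if "is not set", else "absent".
config_value() {
    cfg=$1 opt=$2
    val=$(sed -n "s/^CONFIG_${opt}=//p" "$cfg" | head -n 1)
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    elif grep -q "^# CONFIG_${opt} is not set" "$cfg"; then
        echo n
    else
        echo absent
    fi
}

# How a kernel built from this config treats unsigned modules.
sig_policy() {
    if [ "$(config_value "$1" MODULE_SIG)" != y ]; then
        echo no-signature-support
    elif [ "$(config_value "$1" MODULE_SIG_FORCE)" = y ]; then
        echo always-enforced
    elif [ "$(config_value "$1" EFI_SECURE_BOOT_SIG_ENFORCE)" = y ]; then
        echo enforced-under-secure-boot
    else
        echo permissive
    fi
}

# A signed module file ends with the 28-byte marker below (newline included).
module_is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\000')" = "~Module signature appended~" ]
}

# Constructed sample input: hypothetical configs and fake module files.
demo() {
    d=$(mktemp -d) || return 1
    printf 'CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n' > "$d/config-a"
    { cat "$d/config-a"; echo 'CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y'; } > "$d/config-b"
    printf 'ELFDATA' > "$d/unsigned.ko"
    printf 'ELFDATA<sig>~Module signature appended~\n' > "$d/signed.ko"
    for c in "$d"/config-*; do echo "${c##*/}: $(sig_policy "$c")"; done
    for m in "$d"/*.ko; do
        if module_is_signed "$m"; then s=signed; else s=unsigned; fi
        echo "${m##*/}: $s"
    done
    rm -rf "$d"
}
demo
# On a real system: sig_policy "/boot/config-$(uname -r)"
```

The marker only shows that a signature was appended; whether the kernel accepts the module still depends on the signing key being one it trusts.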