dkms with secureboot


dkms with secureboot

Hideki Yamane-2
Hi,

> linux (4.19.37-1) unstable; urgency=medium
(snip)
>   * Import patches to enable loading keys from UEFI db and MOK from
>     http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git to
>     allow kernel modules built by users (eg: by dkms) to be verified, and
>     to load dbx and MOKX for the equivalent blacklisting functionality.

 It seems that we can use virtualbox with secure boot enabled; however,
 I got an error as below:

> $ sudo modprobe vboxdrv
> modprobe: ERROR: could not insert 'vboxdrv': Required key not available

 Did I forget to do something, or is an extra step needed for it?



--
Hideki Yamane <[hidden email]>

Re: dkms with secureboot

Luca Boccassi-3
> Hi,
>
> > linux (4.19.37-1) unstable; urgency=medium
> (snip)
> >   * Import patches to enable loading keys from UEFI db and MOK from
> >     http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git to
> >     allow kernel modules built by users (eg: by dkms) to be verified, and
> >     to load dbx and MOKX for the equivalent blacklisting functionality.
>
>  It seems that we can use virtualbox with secure boot enabled; however,
>  I got an error as below:
>
> > $ sudo modprobe vboxdrv
> > modprobe: ERROR: could not insert 'vboxdrv': Required key not available
>
>  Did I forget to do something, or is an extra step needed for it?
It requires manual steps: you need to have a personal key, load it in
MOK and use it to sign the out of tree modules manually.

I wanted to have a look at porting the dkms patches from Ubuntu that
automate that, but unfortunately I really had no spare time in the past
couple of weeks.

--
Kind regards,
Luca Boccassi


Re: dkms with secureboot

Ben Hutchings-3
In reply to this post by Hideki Yamane-2
On Tue, 2019-06-04 at 14:53 +0900, Hideki Yamane wrote:

> Hi,
>
> > linux (4.19.37-1) unstable; urgency=medium
> (snip)
> >   * Import patches to enable loading keys from UEFI db and MOK from
> >     http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git to
> >     allow kernel modules built by users (eg: by dkms) to be verified, and
> >     to load dbx and MOKX for the equivalent blacklisting functionality.
>
>  It seems that we can use virtualbox with secure boot enabled; however,
>  I got an error as below:
>
> > $ sudo modprobe vboxdrv
> > modprobe: ERROR: could not insert 'vboxdrv': Required key not available
>
>  Did I forget to do something, or is an extra step needed for it?
Yes, you would have to actually sign the module and enrol the signing
key.  Unfortunately I don't believe there's a simple way to do that at
present.

It is also possible to disable shim's signature checking using mokutil
(which then has to be confirmed interactively on the following boot).
These patches make the kernel follow shim's behaviour.  This is useful
if the system firmware makes it difficult to disable Secure Boot.

Ben.

--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.


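The manual steps Luca and Ben describe (personal key, enrol it in MOK, sign the out-of-tree module, reboot to confirm the enrolment) as one script. This is an added example, not code from the thread, from Debian's kernel packaging or from dkms. It assumes things the thread does not state: the key directory MOK_DIR, the two sign-file locations it tries, that mokutil, openssl and kmod are installed, and that it is run as root on a module path such as /lib/modules/$(uname -r)/updates/dkms/vboxdrv.ko. The two helper functions check the signature trailer that sign-file appends and the kernel looks for, so a practitioner can tell a signing failure apart from a missing key.

```shell
#!/bin/sh
# Added example (not from the thread, Debian or dkms): sign a dkms-built module
# with a personal key enrolled in MOK. Run as root: ./mok-sign.sh /path/to/module.ko
# Assumed, not stated in the thread: MOK_DIR, the sign-file locations tried
# below, and that mokutil, openssl and kmod (modinfo) are installed.
set -eu

MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"   # assumed; any root-only dir works
MAGIC='~Module signature appended~'              # kernel MODULE_SIG_STRING, 28 bytes with the newline

# True if the file ends with the trailer the kernel's module verifier looks for.
module_is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null)" = "$MAGIC" ]
}

# Length of the PKCS#7 blob, read from the 12-byte struct module_signature that
# sits between the blob and the trailer:
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
# Prints the length; fails if the file is unsigned or id_type is not PKCS#7 (2).
module_sig_len() {
    module_is_signed "$1" || return 1
    set -- $(tail -c 40 "$1" | head -c 12 | od -An -v -tu1)
    [ $# -eq 12 ] && [ "$3" -eq 2 ] || return 1
    echo $(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
}

# sign-file ships with the kernel build scripts; paths are assumptions.
find_sign_file() {
    kmaj=$(uname -r | cut -d. -f1,2)
    for p in "${SIGN_FILE:-}" \
             "/usr/lib/linux-kbuild-$kmaj/scripts/sign-file" \
             "/usr/src/linux-headers-$(uname -r)/scripts/sign-file"; do
        if [ -n "$p" ] && [ -x "$p" ]; then echo "$p"; return 0; fi
    done
    echo "sign-file not found; install linux-kbuild-$kmaj or set SIGN_FILE" >&2
    return 1
}

main() {
    module=$1
    sign_file=$(find_sign_file)
    mkdir -p "$MOK_DIR" && chmod 700 "$MOK_DIR"

    # One-time: personal key pair. mokutil wants the cert as DER; sign-file
    # reads the PEM private key and either cert encoding.
    if [ ! -f "$MOK_DIR/MOK.priv" ]; then
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
            -subj "/CN=$(hostname) DKMS module signing key/" \
            -keyout "$MOK_DIR/MOK.priv" -outform DER -out "$MOK_DIR/MOK.der"
        chmod 600 "$MOK_DIR/MOK.priv"
    fi

    # One-time: enrol the cert. mokutil --import only queues it and asks for a
    # one-off password; shim's MokManager asks for that password at the next
    # boot before writing MokList, so until then the kernel still lacks the key
    # and modprobe keeps failing with "Required key not available".
    fp=$(openssl x509 -inform DER -in "$MOK_DIR/MOK.der" -noout -fingerprint -sha1 | cut -d= -f2)
    if ! mokutil --list-enrolled 2>/dev/null | grep -qi "$fp"; then
        mokutil --import "$MOK_DIR/MOK.der"
        echo "Reboot, confirm the enrolment in MokManager, then run this again." >&2
        exit 0
    fi
    # (Ben's alternative: mokutil --disable-validation, also confirmed at the
    # next boot, turns shim's checking off instead of adding a key.)

    # sign-file appends the PKCS#7 signature, struct module_signature and trailer.
    "$sign_file" sha256 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$module"
    module_is_signed "$module" || { echo "$module: no trailer after signing" >&2; exit 1; }
    echo "$module: signed, PKCS#7 blob $(module_sig_len "$module") bytes"
    modinfo -F signer "$module"     # kmod parses the signature and prints the cert's CN
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

Each dkms rebuild (new kernel or new VirtualBox version) produces an unsigned module again, so the signing step has to be re-run; only the key generation and enrolment are one-time.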

Re: dkms with secureboot

Hideki Yamane-2
In reply to this post by Luca Boccassi-3
Hi,

 Thanks, Luca

On Tue, 04 Jun 2019 18:39:59 +0100
Luca Boccassi <[hidden email]> wrote:
> It requires manual steps: you need to have a personal key, load it in
> MOK and use it to sign the out of tree modules manually.
>
> I wanted to have a look at porting the dkms patches from Ubuntu that
> automate that, but unfortunately I really had no spare time in the past
> couple of weeks.

 Okay, I got it.
 How about adding this restriction to the release notes?


--
Hideki Yamane <[hidden email]>