This repository has been archived by the owner on Feb 21, 2022. It is now read-only.

sign kernel modules #3

Closed
ghost opened this issue Jul 3, 2019 · 12 comments

ghost commented Jul 3, 2019

Hello!
How should I sign kernel modules (DKMS) so that they load and work properly?
At the moment I have:

modprobe: ERROR: could not insert 'vboxdrv': Operation not permitted

dmesg:

PKCS#7 signature not signed with a trusted key

Thanks in advance!

@Snawoot Snawoot self-assigned this Jul 3, 2019
Snawoot (Owner) commented Jul 3, 2019

Hello!

Here is article on this topic: https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/

In short, a module signature is required when Secure Boot is enabled. At the moment linux-secureboot-kit doesn't sign DKMS modules, but I think it is also possible to add a signing hook into the DKMS post-install scripts or the existing kernel post-install hooks.

The recipe above uses Machine Owner Keys (MOK) to sign modules, and enrolling them requires an additional reboot. Probably we don't need MOK keys and are already good to go with our db.key and db.crt. I'll try it soon and we'll see if the automation in linux-secureboot-kit can be extended to cover DKMS modules along with the rest of the protected code.

ghost (Author) commented Jul 3, 2019

@Snawoot thanks a lot for the fast answer!
That's good. First I will try signing modules with MOK, and after that I will wait for linux-secureboot-kit to sign DKMS modules ;)

@Snawoot Snawoot pinned this issue Jul 3, 2019
ghost (Author) commented Jul 3, 2019

@Snawoot btw, I can't enroll MOK keys in UEFI: the tool simply doesn't start up on boot. I tried resetting to setup mode and clearing the UEFI keys, but UEFI prints: Secure Variable Update is locked down!
Also, efi-readvar prints: Variable MokList has no entries

Snawoot (Owner) commented Jul 3, 2019

@mrsmith0x00 Then try signing with db.key and db.crt instead of the MOK keys. I think it should work. Please report your results.

Snawoot (Owner) commented Jul 3, 2019

And since they are already installed in UEFI, you don't have to add them; you may sign modules with them right away.

ghost (Author) commented Jul 3, 2019

@mrsmith0x00 yeah, I think this will work. But... I deleted my old linux-secure-boot folder with db.key and db.crt (sorry for that). Then I exported the db file via efi-readvar -v db -o db.file. How can I solve this problem? Or should I reinstall everything from zero?

Snawoot (Owner) commented Jul 3, 2019

No problem. The variables contain only certificates, so the private key is lost and you have to reinstall from scratch: remove all keys from UEFI, remove the SignedBoot menu entry from UEFI and run the install again.

ghost (Author) commented Jul 3, 2019

@Snawoot done! Via:
/usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /home/user/linux-secureboot-kit/db.key /home/user/linux-secureboot-kit/db.crt /lib/modules/$(uname -r)/updates/dkms/vboxdrv.ko
Thank you!
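
The one-off sign-file command above, generalized into the kind of idempotent signing hook Snawoot mentions earlier in the thread: it finds every uncompressed DKMS module for the running kernel, skips the ones that already carry a signature, and signs the rest with the same db key pair. This is an added example, not code from linux-secureboot-kit or from either participant; the key, certificate, sign-file and module paths are assumptions taken from the command above and can be overridden through the environment. Module paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not part of linux-secureboot-kit): sign every DKMS module of
# the running kernel with the Secure Boot db key pair, skipping modules that
# are already signed so the script is safe to run from a post-install hook.
# All paths below are assumptions; override them via the environment.
set -eu

KVER="${KVER:-$(uname -r)}"
KEY="${KEY:-/home/user/linux-secureboot-kit/db.key}"
CERT="${CERT:-/home/user/linux-secureboot-kit/db.crt}"
MODDIR="${MODDIR:-/lib/modules/$KVER/updates/dkms}"
SIGN_FILE="${SIGN_FILE:-/usr/src/linux-headers-$KVER/scripts/sign-file}"
HASH="${HASH:-sha256}"

# sign-file appends the PKCS#7 blob, a small info struct and this marker
# (27 characters plus a newline = 28 bytes); the kernel uses the marker to
# locate the signature at the end of the .ko file.
MAGIC='~Module signature appended~'

# is_signed FILE: succeed if FILE already ends with the signature marker.
is_signed() {
    [ "$(tail -c 28 "$1" | head -c 27)" = "$MAGIC" ]
}

# list_unsigned: print every uncompressed .ko under MODDIR that lacks a
# signature. (sign-file cannot sign .ko.xz/.ko.zst; decompress those first.)
list_unsigned() {
    find "$MODDIR" -type f -name '*.ko' 2>/dev/null | while IFS= read -r f; do
        is_signed "$f" || printf '%s\n' "$f"
    done
}

# sign_module FILE: append a PKCS#7 signature made with KEY/CERT and verify
# that the marker is now present.
sign_module() {
    "$SIGN_FILE" "$HASH" "$KEY" "$CERT" "$1"
    is_signed "$1" || { echo "signing failed: $1" >&2; return 1; }
    echo "signed: $1"
}

# sign_dkms_modules: sign whatever list_unsigned reports. Running it twice
# signs nothing the second time, which is what a hook needs.
sign_dkms_modules() {
    n=0
    for f in $(list_unsigned); do
        sign_module "$f"
        n=$((n + 1))
    done
    echo "$n module(s) newly signed under $MODDIR"
}

# Usage: sh sign-dkms.sh --sign   (or source the file and call the functions)
if [ "${1:-}" = "--sign" ]; then
    sign_dkms_modules
fi
```

After a run, `modinfo -F signer /lib/modules/$(uname -r)/updates/dkms/vboxdrv.ko` should print the subject name of db.crt, and the "PKCS#7 signature not signed with a trusted key" message from the top of the thread should no longer appear on modprobe.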

ghost (Author) commented Jul 3, 2019

Thanks a lot for help! Now closed.

ghost closed this as completed Jul 3, 2019

Snawoot (Owner) commented Jul 3, 2019

Nice! Now I have a shallow understanding of how it should be automated, and probably it'll soon be included in the linux-secure-boot recipes.

Snawoot (Owner) commented Jul 7, 2019

Short notice: automated signing of DKMS modules has been merged into master along with improved initramfs signature hooks.

Snawoot unpinned this issue Jul 8, 2019