Kernel Lockdown on 18.10 is blocking personally signed DKMS Modules. Can I disable it?
up vote
0
down vote
favorite
I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).
Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).
In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:
... [ 278.847882] PKCS#7 signature not signed with a trusted key
... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7
Module is signed and DKMS is listed when I input
dkms status
but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?
I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.
I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?
kernel uefi 18.10
add a comment |
up vote
0
down vote
favorite
I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).
Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).
In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:
... [ 278.847882] PKCS#7 signature not signed with a trusted key
... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7
Module is signed and DKMS is listed when I input
dkms status
but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?
I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.
I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?
kernel uefi 18.10
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).
Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).
In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:
... [ 278.847882] PKCS#7 signature not signed with a trusted key
... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7
Module is signed and DKMS is listed when I input
dkms status
but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?
I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.
I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?
kernel uefi 18.10
I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).
Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).
In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:
... [ 278.847882] PKCS#7 signature not signed with a trusted key
... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7
Module is signed and DKMS is listed when I input
dkms status
but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?
I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.
I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?
kernel uefi 18.10
kernel uefi 18.10
edited Nov 21 at 4:23
asked Nov 20 at 6:26
thebunnyrules
34529
34529
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.
New contributor
Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
– thebunnyrules
Nov 21 at 4:26
add a comment |
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.
New contributor
Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
– thebunnyrules
Nov 21 at 4:26
add a comment |
up vote
0
down vote
I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.
New contributor
Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
– thebunnyrules
Nov 21 at 4:26
add a comment |
up vote
0
down vote
up vote
0
down vote
I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.
New contributor
I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.
New contributor
New contributor
answered Nov 20 at 14:30
John
1
1
New contributor
New contributor
Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
– thebunnyrules
Nov 21 at 4:26
add a comment |
Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
– thebunnyrules
Nov 21 at 4:26
Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
– thebunnyrules
Nov 21 at 4:26
Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
– thebunnyrules
Nov 21 at 4:26
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1094426%2fkernel-lockdown-on-18-10-is-blocking-personally-signed-dkms-modules-can-i-disab%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown