Kernel Lockdown on 18.10 is blocking personally signed DKMS Modules. Can I disable it?











up vote
0
down vote

favorite












I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).



Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).



In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:



... [  278.847882] PKCS#7 signature not signed with a trusted key
... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7


Module is signed and DKMS is listed when I input



dkms status


but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?



I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.



I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?










share|improve this question




























    up vote
    0
    down vote

    favorite












    I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).



    Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).



    In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:



    ... [  278.847882] PKCS#7 signature not signed with a trusted key
    ... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7


    Module is signed and DKMS is listed when I input



    dkms status


    but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?



    I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.



    I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?










    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).



      Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).



      In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:



      ... [  278.847882] PKCS#7 signature not signed with a trusted key
      ... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7


      Module is signed and DKMS is listed when I input



      dkms status


      but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?



      I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.



      I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?










      share|improve this question















      I use a Firewall app called Douane that needs a DKMS module to work. App is only available as source and I use UEFI secure boot, so I've been signing my compiled modules and enrolling the keys I sign them with in my bios via mokutil (see the procedure that I've outlined in the Douane wiki).



      Signing the modules and enrolling worked through 17.10 (kernel 4.13.x) and it even worked though 18.04 (4.15.x).



      In 18.10 (uner both 4.18.x and 4.15.x), I am getting the following error in my /var/logs/kernel.log:



      ... [  278.847882] PKCS#7 signature not signed with a trusted key
      ... [ 278.848545] Lockdown: Loading of unsigned modules is restricted; see man kernel_lockdown.7


      Module is signed and DKMS is listed when I input



      dkms status


      but I get the impression, the Lockdown in the Kernel may not be recognizing non ubuntu key?



      I tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot, so I wasn't expecting it to do anything anyway.



      I want to verify this theory by disabling Kernel Lockdown. Is there a way I can do it, or add an exception for my module or is the Lockdown mechanism hard coded into the Kernel for security robustness?







      kernel uefi 18.10






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 21 at 4:23

























      asked Nov 20 at 6:26









      thebunnyrules

      34529




      34529






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.






          share|improve this answer








          New contributor




          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.


















          • Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
            – thebunnyrules
            Nov 21 at 4:26











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1094426%2fkernel-lockdown-on-18-10-is-blocking-personally-signed-dkms-modules-can-i-disab%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.






          share|improve this answer








          New contributor




          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.


















          • Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
            – thebunnyrules
            Nov 21 at 4:26















          up vote
          0
          down vote













          I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.






          share|improve this answer








          New contributor




          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.


















          • Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
            – thebunnyrules
            Nov 21 at 4:26













          up vote
          0
          down vote










          up vote
          0
          down vote









          I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.






          share|improve this answer








          New contributor




          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.









          I had something similar happen if I logged out and closed the laptop lid, afterwards everything was frozen and I could not boot, even into recovery. I finally found that my BIOS had changed to secure boot enabled and fast boot enabled and disks configured as RAID. This was not what I had set my BIOS to at install. After resetting BIOS I was able to boot normally. I now keep my laptop lid open unless I power down.







          share|improve this answer








          New contributor




          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.









          share|improve this answer



          share|improve this answer






          New contributor




          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.









          answered Nov 20 at 14:30









          John

          1




          1




          New contributor




          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.





          New contributor





          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.






          John is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.












          • Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
            – thebunnyrules
            Nov 21 at 4:26


















          • Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
            – thebunnyrules
            Nov 21 at 4:26
















          Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
          – thebunnyrules
          Nov 21 at 4:26




          Hi John and welcome to Ask Ubuntu! I had forgotten to mention this in my question but I've already tried disabling secure boot but it does not help. From reading on the internet, the lock-down mechanism is completely separate from the UEFI secure boot.
          – thebunnyrules
          Nov 21 at 4:26


















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1094426%2fkernel-lockdown-on-18-10-is-blocking-personally-signed-dkms-modules-can-i-disab%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Ellipse (mathématiques)

          Quarter-circle Tiles

          Mont Emei