rhboot / shim

UEFI shim loader

Debian Bug #989463 - Secure Boot 😠 - Can't load certificate

RENANZG opened this issue

I don't know who to turn to, so I found this repository (a repository of experts...). I'm learning how to use Linux (and almost becoming a software engineer... I'm so tired...).

I still can't sign the Kernel in Secure Boot or the wifi module.

As for the kernel:

user@debian:~$ sudo ls /var/lib/shim-signed/mok/
MOK.der  MOK.pem  MOK.priv
user@debian:~$ sudo ls /boot
config-6.1.0-10-amd64      keyfile.gpg
config-6.1.0-11-amd64      lost+found
efi                        System.map-6.1.0-10-amd64
grub                       System.map-6.1.0-11-amd64
initrd.img-6.1.0-10-amd64  vmlinuz-6.1.0-10-amd64
initrd.img-6.1.0-11-amd64  vmlinuz-6.1.0-11-amd64
user@debian:/boot$ sudo sbverify --cert /var/lib/shim-signed/mok/MOK.crt /boot/vmlinuz-6.1.0-11-amd64
Can't load certificate from file '/var/lib/shim-signed/mok/MOK.crt'
40A7D7391F7F0000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(/var/lib/shim-signed/mok/mok.crt, r)
40A7D7391F7F0000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:
user@debian:~$ sudo modinfo /boot/vmlinuz-6.1.0-11-amd64
modinfo: ERROR: Module /boot/vmlinuz-6.1.0-11-amd64 not found.
user@debian:~$ sudo sbverify --list /boot/vmlinuz-6.1.0-11-amd64
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2022 - linux
   issuer:  /CN=Debian Secure Boot CA
signature 2
image signature issuers:
 - /CN=user
image signature certificates:
 - subject: /CN=user
   issuer:  /CN=user
user@debian:~$ sudo sbverify --list /boot/vmlinuz-6.1.0-10-amd64
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2022 - linux
   issuer:  /CN=Debian Secure Boot CA

As for wifi:

user@debian:~$ sudo modprobe rtw_8723du
modprobe: ERROR: could not insert 'rtw_8723du': Key was rejected by service
user@debian:~$ sudo modinfo rtw_8723du 
filename:       /lib/modules/6.1.0-11-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723du.ko
license:        Dual BSD/GPL
description:    Realtek 802.11n wireless 8723du driver
author:         Hans Ulli Kroll <linux@ulli-kroll.de>
alias:          usb:v7392pD611d*dc*dsc*dp*icFFiscFFipFFin*
alias:          usb:v0BDApD723d*dc*dsc*dp*icFFiscFFipFFin*
depends:        rtw_usb,usbcore,rtw_8723d
retpoline:      Y
name:           rtw_8723du
vermagic:       6.1.0-11-amd64 SMP preempt mod_unload modversion
user@debian:~$ sudo dmesg | grep  cert 
[    2.178399] Loading compiled-in X.509 certificates
[    2.204942] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    2.204969] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[    2.213359] integrity: Loading X.509 certificate: UEFI:db
[    2.213408] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[    2.213410] integrity: Loading X.509 certificate: UEFI:db
[    2.213435] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[    2.215204] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    2.215485] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    2.215487] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    2.215745] integrity: Loaded X.509 cert 'user: 7a9d69f5051c39fe7b84587f816603db9499cec6'
[    2.215746] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    2.216001] integrity: Loaded X.509 cert 'Custom MOK: 612c79bd5af57aebc802fb2f51dd54d4c4382d41'
[  109.634564] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[  109.634859] cfg80211: Loaded X.509 cert 'benh@debian.org: 577e021cb980e0e820821ba7b54b4961b8b4fadf'
[  109.635145] cfg80211: Loaded X.509 cert 'romain.perier@gmail.com: 3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[  109.635465] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'

I had already reported here, but no solution:
Make sign-install - Debian 12 - linux-headers-6.1.0-11-amd64 #159
lwfinger/rtw88#159

He said:

After you sign and install the modules FOR THE FIRST TIME, you need to take special care to watch for the MOK bluescreen when you reboot. If you miss it, or dismiss it, you do not get another chance to enroll that key. You will need to do some Internet research to see how to recover, or just turn secure boot off!
Micro$oft really screwed this whole MOK stuff up badly.

And reported here, but no solution:
[Not Solved] Secure boot error - Can't load key - Permission denied
https://forums.debian.net/viewtopic.php?p=780025#p780025


THANKS !!!!

I'm pretty sure it has to do with DKMS, as the Debian Wiki tutorial confused me.

Some possible causes:

  1. Cause: the kernel module was at two different locations. I found this strange situation:
user@debian:~$ sudo ls /lib/modules/
6.1.0-10-amd64  6.1.0-11-amd64
user@debian:~$ sudo ls /var/lib/dkms
user@debian:~$ sudo ls /boot
config-6.1.0-10-amd64      keyfile.gpg
config-6.1.0-11-amd64      lost+found
efi                        System.map-6.1.0-10-amd64
grub                       System.map-6.1.0-11-amd64
initrd.img-6.1.0-10-amd64  vmlinuz-6.1.0-10-amd64
initrd.img-6.1.0-11-amd64  vmlinuz-6.1.0-11-amd64
user@debian:~$ sudo modprobe -v rtw_8723du
insmod /lib/modules/6.1.0-11-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_usb.ko 
modprobe: ERROR: could not insert 'rtw_8723du': Key was rejected by service

Another signed driver, "de", is much stranger:

user@debian:~$ sudo modprobe -v rtw_8723de
insmod /lib/modules/6.1.0-11-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_pci.ko 
insmod /lib/modules/6.1.0-11-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723de.ko 	
user@debian:~$ sudo modprobe -v rtw_8723de
????????????SHOW ONLY ONE TIME?????????????????????????
  2. Cause: need to create an X.509 key pair (a public key and a corresponding secret key) to use as a MOK.

  3. Cause: Error with DKMS
    "With the current state of the DKMS package, if a user attempts to install any package that includes a third-party driver (Broadcom WiFi, VirtualBox, v4l2loopback, etc.), the process of signing the newly built driver with a MOK key will fail silently. This means that any packages and hardware that require third-party drivers are currently unusable on a system with Secure Boot. This bug has been tested and verified to occur with the bcmwl-kernel-source package, but also is very likely to affect any other packages that use DKMS modules."

I think I'll try to do everything from scratch (again).

Hihi, I found a friend of yours: https://github.com/lcp/mokutil


References:
https://askubuntu.com/questions/1437877/signed-kernel-module-not-accepted
https://unix.stackexchange.com/questions/751517/insmod-causes-key-rejected-by-service
https://askubuntu.com/questions/762254/why-do-i-get-required-key-not-available-when-install-3rd-party-kernel-modules
https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1991725
https://bugs.launchpad.net/ubuntu/+source/v4l2loopback/+bug/1991584
https://discourse.ubuntu.com/t/dkms-package-support-extra-drivers-does-not-work-in-ubuntu-22-10-install-media/31655

Debian Bug report logs - #989463 please align shim-signed dkms behaviour with Ubuntu

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463
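The thread stops before anyone establishes which certificate actually signed rtw_8723du. modprobe's "Key was rejected by service" (EKEYREJECTED) is what a signature-enforcing kernel returns when it cannot verify a module against any key in its trusted keyrings, and it logs the reason as well ("Loading of module with unavailable key is rejected" versus "Loading of unsigned module is rejected"), so `dmesg | grep -i rejected` is the first thing to run. The second is to match the module's signer against the enrolled MOKs: `modinfo -F sig_key <module>`, `mokutil --list-enrolled`, and the `integrity:` lines in dmesg quoted above. The script below is an added example written for this page; it is neither shim project code nor the reporter's, and it runs offline on constructed copies of those three outputs. Assumptions not taken from the page: modinfo's `sig_key` is the signer certificate's serial number while dmesg prints SHA1 fingerprints, so the two are matched through mokutil, which prints both; every serial number and the "signer" names in the samples are made up; and only MOK-signed third-party (DKMS-style) modules are covered, since distro modules are verified against the compiled-in Debian key instead.

```python
import re


def hex_only(s: str) -> str:
    """Lower-case hex digits with colons and spaces removed."""
    return re.sub(r"[^0-9a-fA-F]", "", s).lower()


def norm_serial(s: str) -> str:
    """OpenSSL prints a leading 00 byte for serials with the high bit set,
    so leading zeros are dropped before comparing serials."""
    return hex_only(s).lstrip("0") or "0"


def parse_modinfo(text: str) -> dict:
    """Key/value fields of `modinfo` output; first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_mokutil(text: str) -> list:
    """One dict per '[key N]' block of `mokutil --list-enrolled` (SHA1 line
    followed by OpenSSL's text dump): fingerprint, canonical serial, subject."""
    keys = []
    for block in re.split(r"^\[key \d+\][ \t]*$", text, flags=re.M)[1:]:
        entry = {"fingerprint": None, "serial": None, "subject": None}
        if (m := re.search(r"SHA1 Fingerprint:\s*([0-9a-fA-F:]+)", block)):
            entry["fingerprint"] = hex_only(m.group(1))
        # Short serials print inline as '1 (0x1)', long ones as colon-separated
        # hex on the following line.
        m = re.search(r"Serial Number:\s*\d+\s*\(0x([0-9a-fA-F]+)\)", block) or \
            re.search(r"Serial Number:\s*([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})+)", block)
        if m:
            entry["serial"] = norm_serial(m.group(1))
        if (m := re.search(r"^\s*Subject:\s*(.+)$", block, flags=re.M)):
            entry["subject"] = m.group(1).strip()
        keys.append(entry)
    return keys


def parse_dmesg_certs(text: str) -> list:
    """(source, name, sha1) for each 'Loaded X.509 cert' line; the source is
    the preceding 'Loading ... certificate' line (compiled-in, UEFI:db, ...)."""
    out, source = [], "compiled-in"
    for line in text.splitlines():
        if "compiled-in X.509" in line:
            source = "compiled-in"
        elif (m := re.search(r"Loading X\.509 certificate: (\S+)", line)):
            source = m.group(1)
        elif (m := re.search(r"Loaded X\.509 cert '(.+): ([0-9a-f]+)'", line)):
            out.append((source, m.group(1), m.group(2)))
    return out


def diagnose(modinfo_text: str, mokutil_text: str, dmesg_text: str) -> dict:
    """Is the module's signer an enrolled MOK, and did the kernel load that
    MOK from MokListRT at this boot? (Third-party modules only; distro
    modules are verified against the compiled-in key instead.)"""
    info = parse_modinfo(modinfo_text)
    res = {"module": info.get("name"), "sig_key": info.get("sig_key"),
           "enrolled_as": None, "loaded_this_boot": False, "verdict": ""}
    if not res["sig_key"]:
        res["verdict"] = "module carries no signature"
        return res
    by_serial = {k["serial"]: k for k in parse_mokutil(mokutil_text) if k["serial"]}
    key = by_serial.get(norm_serial(res["sig_key"]))
    if key is None:
        res["verdict"] = "signer is not an enrolled MOK (re-sign, or mokutil --import it)"
        return res
    res["enrolled_as"] = key["subject"]
    loaded = {sha1 for src, _, sha1 in parse_dmesg_certs(dmesg_text)
              if src.startswith("UEFI:MokList")}
    res["loaded_this_boot"] = key["fingerprint"] in loaded
    res["verdict"] = ("signer enrolled and loaded" if res["loaded_this_boot"]
                      else "enrolled but not loaded by the kernel at this boot")
    return res


# Constructed samples: the dmesg lines are the reporter's own; the mokutil text
# follows OpenSSL's -text layout, and every serial number and 'signer' name is
# made up for this example.
DMESG_SAMPLE = """\
[    2.204942] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    2.213359] integrity: Loading X.509 certificate: UEFI:db
[    2.213408] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[    2.215487] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    2.215745] integrity: Loaded X.509 cert 'user: 7a9d69f5051c39fe7b84587f816603db9499cec6'
"""
MOKUTIL_SAMPLE = """\
[key 1]
SHA1 Fingerprint: 6c:ce:ce:7e:4c:6c:0d:1f:61:49:f3:dd:27:df:cc:5c:bb:41:9e:a1
        Serial Number: 1 (0x1)
        Subject: CN = Debian Secure Boot CA
[key 2]
SHA1 Fingerprint: 7a:9d:69:f5:05:1c:39:fe:7b:84:58:7f:81:66:03:db:94:99:ce:c6
        Serial Number:
            3b:6e:9c:12:d4:77:0f:a8:51:e3:2b:c9:64:1d:8f:05
        Subject: CN = user
"""
MODINFO_REJECTED = """\
name:           rtw_8723du
vermagic:       6.1.0-11-amd64 SMP preempt mod_unload modversions
signer:         DKMS module signing key
sig_key:        1F:AB:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09
"""
MODINFO_OK = MODINFO_REJECTED.replace("DKMS module signing key", "user").replace(
    "1F:AB:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09",
    "3B:6E:9C:12:D4:77:0F:A8:51:E3:2B:C9:64:1D:8F:05")
```

On a real machine, replace the three samples with the output of `modinfo rtw_8723du`, `mokutil --list-enrolled` and `dmesg`, then call `diagnose()`. The first sample reproduces the thread's situation: a module signed by a key that is not among the enrolled MOKs is exactly the case that produces "Key was rejected by service" under Secure Boot. The second shows the healthy case, where the signer's serial matches the `user` MOK and that MOK's fingerprint was loaded from MokListRT. A key that is enrolled but never appears in dmesg usually means the MokManager enrollment at reboot was missed, which is the failure mode the rtw88 maintainer warns about in the quoted reply.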

Neither is this a bug in shim nor is this a support forum for how to sign third-party kernel modules, so closing.

You maintain an important repository for Linux and its philosophy of freedom (or for corporate servers?). So, it is necessary to adopt standards, or guidelines, for Linux distributions from the beginning (literally from the "bootloader") that guarantee a more user-friendly use for the common user.

The Unix philosophy is documented by Doug McIlroy[1] in the Bell System Technical Journal from 1978:[2]

  1. Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new "features".
  2. Expect the output of every program to become the input to another, as yet unknown, program. Don't clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don't insist on interactive input.
  3. Design and build software, even operating systems, to be tried early, ideally within weeks. Don't hesitate to throw away the clumsy parts and rebuild them.
  4. Use tools in preference to unskilled help to lighten a programming task, even if you have to detour to build the tools and expect to throw some of them out after you've finished using them.

Thanks