
Bug#935945: linux-image-5.2.0-2-amd64: does not load signed kernel modules when UEFI Secure Boot is enabled



Package: src:linux
Version: 5.2.9-2
Severity: important

Dear Maintainer,

   * What led up to the situation?

I regularly update Debian Testing (bullseye) on multiple computers. Two days ago something broke when the kernel update from 4.19 to 5.2 arrived. Could you please help me to troubleshoot it?

   * What exactly did you do (or not do) that was effective (or ineffective)?

On a computer with UEFI but without Secure Boot enabled, everything works just fine and I can load the DKMS ZFS module with kernel 5.2.0-2-amd64. On a computer with Secure Boot enabled I can't load the ZFS kernel module that is signed using my own key, which was enrolled into UEFI using "mokutil".

   * What was the outcome of this action?

as root:
# modprobe zfs
modprobe: ERROR: could not insert 'zfs': Operation not permitted

   * What outcome did you expect instead?

Load it as usual. I was able to reproduce the same issue on a different computer with Secure Boot and signed modules.

A few notes:

* It works (modules are loaded) after I boot back to linux-image-4.19.0-5-amd64 (but this is not a solution)

* It works (modules are loaded) after I disable Secure Boot (but this is not a solution)

* I'm sure that the modules are signed. I tested using:

find /lib/modules -name '*.ko' -exec grep -FL '~Module signature appended~' {} \+

* I can check that the key was loaded from UEFI during boot

Boot log with `4.19.0-5-amd64`
-------------------------------
Aug 26 20:34:54 bedik002 kernel: efi: EFI v2.50 by INSYDE Corp.
Aug 26 20:34:54 bedik002 kernel: efi:  ACPI 2.0=0x7fffd014  SMBIOS=0x7f0d9000  SMBIOS 3.0=0x7f0d7000  ESRT=0x7f0d4158  MEMATTR=0x6f699018  TPMEventLog=0x66e32018
Aug 26 20:34:54 bedik002 kernel: Kernel is locked down from EFI secure boot; see https://wiki.debian.org/SecureBoot
Aug 26 20:34:54 bedik002 kernel: ACPI: UEFI 0x000000007FFFC000 000236 (v01 HPQOEM 8362     00000001 HP   00040000)
Aug 26 20:34:54 bedik002 kernel: ACPI: UEFI 0x000000007FFFB000 000042 (v01 HPQOEM 8362     00000002 HP   00040000)
Aug 26 20:34:54 bedik002 kernel: clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645519600211568 ns
Aug 26 20:34:54 bedik002 kernel: pci 0000:00:02.0: BAR 2: assigned to efifb
Aug 26 20:34:54 bedik002 kernel: Registered efivars operations
Aug 26 20:34:54 bedik002 kernel: Asymmetric key parser 'x509' registered
Aug 26 20:34:54 bedik002 kernel: efifb: probing for efifb
Aug 26 20:34:54 bedik002 kernel: efifb: framebuffer at 0x90000000, using 8100k, total 8100k
Aug 26 20:34:54 bedik002 kernel: efifb: mode is 1920x1080x32, linelength=7680, pages=1
Aug 26 20:34:54 bedik002 kernel: efifb: scrolling: redraw
Aug 26 20:34:54 bedik002 kernel: efifb: Truecolor: size=8:8:8:8, shift=24:16:8:0
Aug 26 20:34:54 bedik002 kernel: fb0: EFI VGA frame buffer device
Aug 26 20:34:54 bedik002 kernel: Loading compiled-in X.509 certificates
Aug 26 20:34:54 bedik002 kernel: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
Aug 26 20:34:54 bedik002 kernel: Loaded X.509 cert 'Debian Secure Boot Signer: 00a7468def'
Aug 26 20:34:54 bedik002 kernel: Loaded UEFI:db cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' linked to secondary sys keyring
Aug 26 20:34:54 bedik002 kernel: Loaded UEFI:db cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to secondary sys keyring
Aug 26 20:34:54 bedik002 kernel: Loaded UEFI:db cert 'Hewlett-Packard Company: HP UEFI Secure Boot 2013 DB key: 1d7cf2c2b92673f69c8ee1ec7063967ab9b62bec' linked to secondary sys keyring

my key:
Aug 26 20:34:54 bedik002 kernel: Loaded UEFI:MokListRT cert 'bedik002 module signing key: b1025ea690c4c8f9593b0a158045e72586a3c12f' linked to secondary sys keyring

Aug 26 20:34:54 bedik002 kernel: Loaded UEFI:MokListRT cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1' linked to secondary sys keyring
Aug 26 20:34:54 bedik002 kernel: fb: switching to inteldrmfb from EFI VGA
Aug 26 20:34:54 bedik002 kernel: EFI Variables Facility v0.08 2004-May-17
Aug 26 20:34:54 bedik002 kernel: pstore: Registered efi as persistent store backend
Aug 26 20:34:56 bedik002 systemd[1]: Mounting /boot/efi...
Aug 26 20:34:56 bedik002 systemd[1]: Mounted /boot/efi.
Aug 26 20:35:03 bedik002 systemd[1841]: Listening on GnuPG network certificate management daemon.
Aug 26 20:35:08 bedik002 systemd[2187]: Listening on GnuPG network certificate management daemon.
-------------------------------

Boot log with `5.2.0-2-amd64` (looks different but it does load the key)
-------------------------------
Aug 26 20:39:37 bedik002 kernel: efi: EFI v2.50 by INSYDE Corp.
Aug 26 20:39:37 bedik002 kernel: efi:  ACPI 2.0=0x7fffd014  SMBIOS=0x7f0d9000  SMBIOS 3.0=0x7f0d7000  ESRT=0x7f0d4158  MEMATTR=0x6f699018  TPMEventLog=0x66e32018
Aug 26 20:39:37 bedik002 kernel: Kernel is locked down from EFI secure boot; see https://wiki.debian.org/SecureBoot
Aug 26 20:39:37 bedik002 kernel: ACPI: UEFI 0x000000007FFFC000 000236 (v01 HPQOEM 8362     00000001 HP   00040000)
Aug 26 20:39:37 bedik002 kernel: ACPI: UEFI 0x000000007FFFB000 000042 (v01 HPQOEM 8362     00000002 HP   00040000)
Aug 26 20:39:37 bedik002 kernel: clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645519600211568 ns
Aug 26 20:39:37 bedik002 kernel: ACPI: Core revision 20190509
Aug 26 20:39:37 bedik002 kernel: pci 0000:00:02.0: BAR 2: assigned to efifb
Aug 26 20:39:37 bedik002 kernel: Registered efivars operations
Aug 26 20:39:37 bedik002 kernel: Asymmetric key parser 'x509' registered
Aug 26 20:39:37 bedik002 kernel: efifb: probing for efifb
Aug 26 20:39:37 bedik002 kernel: efifb: framebuffer at 0x90000000, using 8100k, total 8100k
Aug 26 20:39:37 bedik002 kernel: efifb: mode is 1920x1080x32, linelength=7680, pages=1
Aug 26 20:39:37 bedik002 kernel: efifb: scrolling: redraw
Aug 26 20:39:37 bedik002 kernel: efifb: Truecolor: size=8:8:8:8, shift=24:16:8:0
Aug 26 20:39:37 bedik002 kernel: fb0: EFI VGA frame buffer device
Aug 26 20:39:37 bedik002 kernel: Loading compiled-in X.509 certificates
Aug 26 20:39:37 bedik002 kernel: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
Aug 26 20:39:37 bedik002 kernel: Loaded X.509 cert 'Debian Secure Boot Signer: 00a7468def'
Aug 26 20:39:37 bedik002 kernel: integrity: Loading X.509 certificate: UEFI:db
Aug 26 20:39:37 bedik002 kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Aug 26 20:39:37 bedik002 kernel: integrity: Loading X.509 certificate: UEFI:db
Aug 26 20:39:37 bedik002 kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Aug 26 20:39:37 bedik002 kernel: integrity: Loading X.509 certificate: UEFI:db
Aug 26 20:39:37 bedik002 kernel: integrity: Loaded X.509 cert 'Hewlett-Packard Company: HP UEFI Secure Boot 2013 DB key: 1d7cf2c2b92673f69c8ee1ec7063967ab9b62bec'
Aug 26 20:39:37 bedik002 kernel: integrity: Loading X.509 certificate: UEFI:MokListRT

my key:
Aug 26 20:39:37 bedik002 kernel: integrity: Loaded X.509 cert 'bedik002 module signing key: b1025ea690c4c8f9593b0a158045e72586a3c12f'

Aug 26 20:39:37 bedik002 kernel: integrity: Loading X.509 certificate: UEFI:MokListRT
Aug 26 20:39:37 bedik002 kernel: integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
Aug 26 20:39:37 bedik002 kernel: fb0: switching to inteldrmfb from EFI VGA
Aug 26 20:39:37 bedik002 kernel: EFI Variables Facility v0.08 2004-May-17
Aug 26 20:39:37 bedik002 kernel: pstore: Registered efi as persistent store backend
Aug 26 20:39:38 bedik002 systemd[1]: Mounting /boot/efi...
Aug 26 20:39:38 bedik002 systemd[1]: Mounted /boot/efi.
Aug 26 20:39:42 bedik002 systemd[1201]: Listening on GnuPG network certificate management daemon.
Aug 26 20:39:55 bedik002 systemd[1546]: Listening on GnuPG network certificate management daemon.
-------------------------------


-- Package-specific info:
** Version:
Linux version 5.2.0-2-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-21)) #1 SMP Debian 5.2.9-2 (2019-08-21)

** Command line:
BOOT_IMAGE=/vmlinuz-5.2.0-2-amd64 root=/dev/mapper/sda_crypted ro rootflags=subvol=btroot systemd.show_status=1 quiet quiet

** Not tainted

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
sys_vendor: HP
product_name: HP Pavilion Laptop 14-bk0xx
product_version: Type1ProductConfigId
chassis_vendor: HP
chassis_version: Chassis Version
bios_vendor: Insyde
bios_version: F.18
board_vendor: HP
board_name: 8362
board_version: 46.24

** Loaded modules:
nft_limit
bnep
nft_reject_ipv6
nf_reject_ipv6
nft_reject
fuse
nft_ct
nsh
nf_conncount
nf_nat
nf_conntrack
nf_defrag_ipv6
nf_defrag_ipv4
nf_tables_set
nft_counter
nf_tables
nfnetlink
nls_ascii
nls_cp437
vfat
fat
ext4
mbcache
jbd2
crc32c_generic
snd_soc_skl
snd_soc_skl_ipc
snd_hda_codec_hdmi
snd_soc_sst_ipc
snd_soc_sst_dsp
snd_hda_ext_core
snd_soc_acpi_intel_match
snd_soc_acpi
snd_hda_codec_realtek
intel_rapl
snd_hda_codec_generic
ledtrig_audio
snd_soc_core
snd_compress
x86_pkg_temp_thermal
intel_powerclamp
coretemp
snd_hda_intel
btusb
btrtl
btbcm
btintel
kvm_intel
bluetooth
snd_hda_codec
snd_hda_core
uvcvideo
iwlwifi
snd_hwdep
kvm
snd_pcm
videobuf2_vmalloc
joydev
videobuf2_memops
irqbypass
videobuf2_v4l2
snd_timer
videobuf2_common
efi_pstore
intel_cstate
cfg80211
videodev
intel_uncore
drbg
media
serio_raw
wmi_bmof
pcspkr
intel_rapl_perf
hp_wmi
ansi_cprng
sparse_keymap
efivars
snd
ecdh_generic
iTCO_wdt
iTCO_vendor_support
elan_i2c
ecc
mei_me
watchdog
rfkill
soundcore
crc16
sg
mei
processor_thermal_device
intel_pch_thermal
intel_soc_dts_iosf
battery
tpm_crb
hp_accel
int3403_thermal
tpm_tis
int340x_thermal_zone
pcc_cpufreq
tpm_tis_core
lis3lv02d
tpm
input_polldev
hp_wireless
rng_core
evdev
ac
int3400_thermal
acpi_thermal_rel
acpi_pad
sha512_ssse3
sunrpc
sha512_generic
efivarfs
ip_tables
x_tables
autofs4
btrfs
xor
zstd_decompress
zstd_compress
raid6_pq
libcrc32c
dm_crypt
dm_mod
sd_mod
crct10dif_pclmul
crc32_pclmul
i915
crc32c_intel
ghash_clmulni_intel
i2c_algo_bit
aesni_intel
drm_kms_helper
xhci_pci
xhci_hcd
ahci
libahci
aes_x86_64
crypto_simd
cryptd
r8169
libata
psmouse
glue_helper
usbcore
drm
i2c_i801
scsi_mod
realtek
libphy
usb_common
wmi
video
button


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-5.2.0-2-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.135
ii  kmod                                    26-1
ii  linux-base                              4.6

Versions of packages linux-image-5.2.0-2-amd64 recommends:
ii  apparmor             2.13.3-4
ii  firmware-linux-free  3.4

Versions of packages linux-image-5.2.0-2-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-efi-amd64          2.04-2
pn  linux-doc-5.2           <none>

Versions of packages linux-image-5.2.0-2-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
pn  firmware-misc-nonfree     <none>
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
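The signature check quoted in the report (`find ... -exec grep -FL '~Module signature appended~'`) only tests for the marker string, and because `grep -FL` lists files that do not contain it, empty output means every module carries the marker. The script below is an added example, not the reporter's or the Debian kernel team's code: it parses the trailer that `scripts/sign-file` appends to a module, reports the signature id_type and the PKCS#7 blob length, rejects a trailer whose declared length does not fit inside the file (the same sanity check the kernel applies before verifying), and can cut the PKCS#7 blob out for inspection with openssl. The trailer layout is taken from the kernel's `include/linux/module_signature.h` and `MODULE_SIG_STRING` in `include/linux/module.h`; the sample .ko files used to exercise it are constructed, with a dummy byte string standing in for real PKCS#7 data, and the DKMS path in the usage comment is an assumed Debian location.

```shell
#!/bin/sh
# Added example, not part of the bug report: inspect the signature trailer that
# scripts/sign-file appends to a kernel module. Layout, per the kernel's
# include/linux/module_signature.h and MODULE_SIG_STRING in include/linux/module.h:
#
#   [module ELF][PKCS#7 DER blob][struct module_signature, 12 bytes][magic, 28 bytes]
#
#   struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len;
#                             u8 pad[3]; __be32 sig_len; }
#
# For PKCS#7 signatures id_type is 2 and algo/hash/signer_len/key_id_len are 0.
# The kernel rejects the module (-EBADMSG) if sig_len does not fit in the file.
set -eu

MODSIG_MAGIC='~Module signature appended~'   # followed by a newline on disk
MODSIG_MAGIC_LEN=28
MODSIG_HDR_LEN=12

# modsig_info FILE
# Prints "signed id_type=N sig_len=M" (exit 0), "unsigned" (exit 1) or
# "corrupt ..." (exit 2).
modsig_info() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    trailer=$((MODSIG_HDR_LEN + MODSIG_MAGIC_LEN))
    if [ "$size" -lt "$trailer" ] ||
       ! tail -c "$MODSIG_MAGIC_LEN" "$file" | grep -qF -- "$MODSIG_MAGIC"; then
        echo unsigned
        return 1
    fi
    # The 12-byte struct sits immediately before the magic; decode it as
    # unsigned bytes (one word per byte) and reassemble the big-endian sig_len.
    set -- $(tail -c "$trailer" "$file" | head -c "$MODSIG_HDR_LEN" | od -An -tu1 -v)
    id_type=$3
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    if [ $((sig_len + trailer)) -gt "$size" ]; then
        echo "corrupt sig_len=$sig_len exceeds file size"
        return 2
    fi
    echo "signed id_type=$id_type sig_len=$sig_len"
}

# modsig_extract FILE OUT
# Writes the raw PKCS#7 DER blob of a signed module to OUT. Inspect it with
#   openssl asn1parse -inform DER -in OUT
# to see the issuer name and serial number the signature was made under.
modsig_extract() {
    info=$(modsig_info "$1") || return $?
    sig_len=${info##*sig_len=}
    tail -c $((sig_len + MODSIG_HDR_LEN + MODSIG_MAGIC_LEN)) "$1" \
        | head -c "$sig_len" > "$2"
}

# Run as a script on real modules (assumed Debian DKMS path):
#   sh modsig.sh /lib/modules/$(uname -r)/updates/dkms/zfs.ko
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: ' "$f"
        modsig_info "$f" || true
    done
fi
```

On a working system the zfs module should report `signed id_type=2 sig_len=...`. The report already shows both that the marker is present and that the `bedik002 module signing key` cert is read from UEFI:MokListRT on 5.2, so the next thing to check is not the module but the keyring the cert ends up in. The two boot logs differ here: on 4.19 every UEFI:db and MokListRT cert is reported as `linked to secondary sys keyring`, while the 5.2 lines carry the `integrity:` prefix of the platform-certs loader and no such suffix. `keyctl list %:.secondary_trusted_keys` and `keyctl list %:.platform` (package keyutils), or `grep -i 'module signing' /proc/keys`, show where the cert sits on each kernel; module signature verification consults the builtin and secondary trusted keyrings, so a MOK cert that is only present in `.platform` would not be usable for modprobe.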
