On 3/7/23 10:25, Joe Salmeri wrote:
Hi Stefan,
Just that we don't use "-nodes" option, but add -addext "extendedKeyUsage=codeSigning"
Thanks, I tried removing -nodes and adding that and still no luck. When I removed -nodes it also wanted a PEM pass phrase, whereas with -nodes it does not.
Nevertheless, now with TW's current locked-down 6.2.1 kernel we're suffering from the same issue as you. :-(
In this article on Debian and secure boot
https://wiki.debian.org/SecureBoot
It talks about putting the *.priv and *.der files in
/var/lib/shim-signed/mok/
But I tried that and it still doesn't work.
It also says to verify your key is loaded after rebooting with
mokutil --list-enrolled shows my key is enrolled
sudo dmesg | grep cert # verify your key is loaded
And I tried and it does not list my key.
The fact that I sign the modules yet modprobe fails because it says they are unsigned leads me to believe that there is some other step which needs to be done which is causing the problem.
It seems like this kernel lockdown should not be enabled until someone can properly document the exact steps required to sign a module.
Doesn't VirtualBox have this exact same issue with needing the modules signed?
Since it is in the TW repos (whereas VMware is not) I would expect whoever compiles VirtualBox has a process for signing the modules which works, so can't we reach out to them for what they are doing that we are missing?
The VirtualBox modules are signed by the build process at OBS. I do not know if the RPM package from Oracle has signed modules or not. My main system does not use EFI boot, thus secure boot is not enabled.

The main reason that keys are not found is that the MOK bluescreen that happens after a new key is installed was not run properly. Once you blow through that screen, you do not get another chance to install that key unless the key is deleted, the system rebooted, the key reinstalled, and the system rebooted. You will get an MOK bluescreen on each of those reboots. To delete a key, use the 'mokutil --export' command to get the ".der" file, then 'sudo mokutil --delete MOK-XXXX.der' where XXXX is the number of the key to be deleted. Then reboot, but be sure to allow the MOK screen to make the changes.

I have a number of repositories at GitHub that contain the logic to create and install a key, and use that key to sign modules that will install in a system with secure boot turned on.

Larry
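The thread turns on two separate failure points: whether the signature was actually appended to the .ko, and whether the signing key made it into the kernel's keyring via the MOK enrollment. The kernel's own sign-file tool appends a PKCS#7 blob, a 12-byte `module_signature` header and the marker `~Module signature appended~\n` to the module file, and that trailer is what the kernel looks for before it ever consults the MOK or platform keyrings. The following script is an added example, not code from the thread, from Larry's repositories or from any openSUSE package; it parses that trailer so you can confirm the first point offline (function names, and the constructed sample bytes it uses for its self-check, are mine).

```python
"""Check whether a Linux kernel module (.ko) carries an appended signature.

Added example (not from the thread): parses the trailer that the kernel's
scripts/sign-file appends. If the trailer is missing, the kernel reports the
module as unsigned regardless of any MOK enrollment; if it is present and
modprobe still refuses the module, the signer key is not in a kernel keyring
(check `mokutil --list-enrolled` and `dmesg | grep cert`, as in the thread).
"""
import struct
import sys

# Marker written after the signature (include/linux/module_signature.h).
MAGIC = b"~Module signature appended~\n"

# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len,
# u8 key_id_len, u8 __pad[3], __be32 sig_len  (12 bytes, big-endian length).
SIG_INFO = struct.Struct(">BBBBB3BI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(data):
    """Return a dict describing the appended signature, or None if the blob
    is unsigned or the trailer is malformed. The field checks follow what the
    kernel enforces for PKCS#7 trailers: every legacy field must be zero."""
    if not data.endswith(MAGIC):
        return None                      # no trailer at all: module is unsigned
    body = data[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return None
    (algo, hash_, id_type, signer_len, key_id_len,
     pad0, pad1, pad2, sig_len) = SIG_INFO.unpack(body[-SIG_INFO.size:])
    body = body[:-SIG_INFO.size]
    if id_type != PKEY_ID_PKCS7:
        return None
    if algo or hash_ or signer_len or key_id_len or pad0 or pad1 or pad2:
        return None
    if sig_len == 0 or sig_len > len(body):
        return None
    pkcs7 = body[-sig_len:]
    if pkcs7[0] != 0x30:                 # DER SEQUENCE tag; cheap sanity check
        return None
    return {
        "id_type": id_type,
        "pkcs7_der": pkcs7,
        "payload_len": len(body) - sig_len,
    }


def build_signed_module(payload, pkcs7_der):
    """Append a sign-file style trailer to `payload`. Used here only to build
    a constructed sample; real signing is done by scripts/sign-file."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 0, 0, 0, len(pkcs7_der))
    return payload + pkcs7_der + info + MAGIC


# Constructed sample data: a stand-in for ELF module bytes and a stand-in
# DER blob. Neither is a real module nor a real PKCS#7 signature.
PAYLOAD = b"\x7fELF" + bytes(60)
FAKE_PKCS7 = b"\x30\x82\x01\x00" + bytes(256)
SIGNED = build_signed_module(PAYLOAD, FAKE_PKCS7)
UNSIGNED = PAYLOAD


def describe(path):
    """Human-readable verdict for one module file on disk."""
    with open(path, "rb") as fh:
        info = parse_module_signature(fh.read())
    if info is None:
        return f"{path}: no valid appended signature (kernel treats it as unsigned)"
    return (f"{path}: PKCS#7 signature present, {len(info['pkcs7_der'])} bytes, "
            f"payload {info['payload_len']} bytes")


if __name__ == "__main__":
    # Usage: python check_modsig.py /path/to/module.ko [...]
    for p in sys.argv[1:]:
        print(describe(p))
    if len(sys.argv) == 1:
        print("constructed sample signed:", parse_module_signature(SIGNED) is not None)
        print("constructed sample unsigned:", parse_module_signature(UNSIGNED) is None)
```

Run it against the vmware or VirtualBox .ko files after your signing step. A module that reports "no valid appended signature" was never signed in place (a common cause is signing a copy that is not the one modprobe loads, or the build regenerating the file afterwards); a module that shows a PKCS#7 trailer but is still rejected points at the key side, which is exactly the MOK enrollment problem Larry describes.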