5

Summary

I'm running Ubuntu 20.04.1 with default kernel 5.4.0-42-generic (installed from Main) on a UEFI system. I want to load two kernel modules ("ashmem" and "binder") with Secure Boot enabled. At least for me, "binder" loads fine with Secure Boot enabled, but "ashmem" does not load with Secure Boot enabled. Both modules load with Secure Boot disabled.

Details

Kernel Packages (installed from Main)

  • linux-headers-5.4.0-42

  • linux-headers-5.4.0-42-generic

  • linux-image-5.4.0-42-generic

  • linux-modules-5.4.0-42-generic

  • linux-modules-extra-5.4.0-42-generic

Secure Boot disabled

With Secure Boot disabled, I can load the module "ashmem" using the following:

sudo modprobe ashmem_linux

Moreover, with Secure Boot disabled, I can load the module "binder" using the following:

sudo modprobe binder_linux

So, all is good with Secure Boot disabled.

Secure Boot enabled

With Secure Boot enabled, I cannot load the module "ashmem" using the following:

sudo modprobe ashmem_linux

Upon attempting to do so, I get the following:

modprobe: ERROR: could not insert 'ashmem_linux': Operation not permitted

However, even with Secure Boot enabled, I can still load the module "binder" without any problem using the following:

sudo modprobe binder_linux

So, I'm puzzled why "binder" loads with Secure Boot enabled, but "ashmem" does not load with Secure Boot enabled.

And for what it's worth, I haven't had any other problems using Secure Boot.

Questions

  1. Is there a way to force "ashmem" to load with Secure Boot enabled?

  2. Is the inability to load "ashmem" with Secure Boot enabled a feature or a bug?

  3. And if it is a bug, where on Launchpad would be the best place to report the bug?

Addendum

To the above, I’ll add that I had enabled Secure Boot (and enrolled MOK) during the initial clean installation of Ubuntu 20.04. Even so, following the excellent suggestion provided by Rinzwind, I ran the following after the initial installation:

sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/`uname -r`/kernel/drivers/staging/android/ashmem_linux.ko

And after running the above, I re-ran:

sudo modprobe ashmem_linux

sudo modprobe binder_linux

lsmod | grep -e ashmem_linux -e binder_linux

SUCCESS! Both “ashmem” and “binder” loaded! Thanks Rinzwind!!

What’s more, Anbox starts for me now with Secure Boot enabled, which was my end goal. :)

Given that both “ashmem” and “binder” now load for me with Secure Boot enabled, I’m marking this question as ANSWERED. However, I noticed another error regarding the “binder” module. For those interested, I posted a question related to that error here.

GizmoChicken
  • 213
  • 3
  • 8
  • 1
    Secure boot only works with signed modules. So "binder" is a signed module "ashmem" is not. See https://wiki.ubuntu.com/UEFI/SecureBoot or https://ubuntu.com/blog/how-to-sign-things-for-secure-boot for manual signing. – Rinzwind Aug 17 '20 at 07:16
  • @Rinzwind Thanks much! I figured something related to signing was at play. But, given that ashmem is a module that's shipped with the default kernel, I'm still curious why it isn't signed. Are many of the modules shipped with the default kernel unsigned? And if ashmem is a rare exception, where on Launchpad would I go about requesting that a signed version be shipped with default kernels in the future? – GizmoChicken Aug 17 '20 at 07:27
  • 1
    how did you install it? Cuz "Simply install the package you need. Packages that make use of DKMS should prompt you to create a new Machine-Owner key (it will be done for you), and will guide you through the steps to enroll that key in your system's firmware." seems to me it is automated through that software's dkms package (for anbox it would be anbox-modules-dkms). – Rinzwind Aug 17 '20 at 07:39
  • 1
    found a command for manual signing. see if it works :) – Rinzwind Aug 17 '20 at 07:40
  • @Rinzwind Regarding the installation, I had enabled Secure Boot (and enrolled MOK) during the initial clean installation of Ubuntu 20.04. Given that “binder” module loaded without issue with Secure Boot enabled, I assumed that the “ashmem” module would load too, without need for another enrollment. Lesson learned: don’t assume. :) – GizmoChicken Aug 17 '20 at 17:50
  • @Rinzwind Care to speculate regarding why I needed to use “kmodsign” for the “ashmem” module, but not for the “binder” module? Could it be that the “ashmem” module is located in “/kernel/drivers/staging/android/” while the binder module is in /kernel/drivers/android/? – GizmoChicken Aug 17 '20 at 17:50
  • 1
    noooooo idea sorry :D might be it though. – Rinzwind Aug 17 '20 at 18:00

1 Answer

8

You need to sign the module. Looks like it can be done with:

kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/`uname -r`/kernel/drivers/staging/android/ashmem_linux.ko
Rinzwind
  • 299,756
  • SUCCESS! The “ashmem” module now starts with Secure Boot enabled. Thanks so much! Regarding my initial installation of Ubuntu 20.04, please see my response to your comment appended to my original question. – GizmoChicken Aug 17 '20 at 17:51
  • hmm the command kmodsign works (returns [0]), but sudo modprobe ashmem_linux still fails the same way for me :/ – JonasVautherin Aug 28 '20 at 17:12
  • 1
    Oh, enrolling a key did it: https://ubuntu.com/blog/how-to-sign-things-for-secure-boot. Thanks! – JonasVautherin Aug 28 '20 at 17:21
  • I am getting this "
    At main.c:248:
    • SSL error:0200100D:system library:fopen:Permission denied: ../crypto/bio/bss_file.c:69
    • SSL error:2006D002:BIO routines:BIO_new_file:system lib: ../crypto/bio/bss_file.c:78

    kmodsign: /var/lib/shim-signed/mok/MOK.priv: Permission denied "

    – randomUser Oct 25 '20 at 04:53
  • you must use sudo command. @BigGorilla – Estatistics Feb 10 '22 at 18:34
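
An added example (not from the original thread): a POSIX shell check for the appended-signature trailer, which is what separates an unsigned module such as ashmem_linux.ko from a signed one. The trailer layout is the kernel's module signature format; `mod_sig_state`, `make_samples` and the sample files are constructed for illustration, and an uncompressed .ko is assumed, as in the paths above.

```shell
#!/bin/sh
# Added example: does a module file carry an appended signature?
# A signed .ko ends with: <PKCS#7 blob> <12-byte struct module_signature> <28-byte marker>
MAGIC='~Module signature appended~'            # on disk the marker ends with "\n"
MAGIC_HEX=$(printf '%s\n' "$MAGIC" | od -An -v -tx1)

# mod_sig_state FILE -> prints "signed <sig_len>", "unsigned", "corrupt" or "unreadable"
mod_sig_state() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    # Compare the last 28 bytes as hex so NUL bytes in binary data are harmless.
    [ "$(tail -c 28 "$f" | od -An -v -tx1)" = "$MAGIC_HEX" ] || { echo "unsigned"; return 1; }
    # 12 bytes before the marker: algo hash id_type signer_len key_id_len pad[3] sig_len(be32)
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -v -tu1)
    [ $# -eq 12 ] || { echo "corrupt"; return 3; }
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))
    size=$(wc -c < "$f")
    # id_type 2 is PKEY_ID_PKCS7; the blob must fit in the file ahead of the trailer.
    if [ "$3" -ne 2 ] || [ "$sig_len" -eq 0 ] || [ "$sig_len" -gt $(( size - 40 )) ]; then
        echo "corrupt"; return 3
    fi
    echo "signed $sig_len"
}

# Constructed samples (not real modules): a bare body, and a body with a fake 9-byte
# "signature" followed by a well-formed trailer (id_type=2, sig_len=9).
make_samples() {
    printf 'constructed-module-body' > "$1/unsigned.ko"
    { printf 'constructed-module-body'; printf 'FAKEPKCS7'
      printf '\000\000\002\000\000\000\000\000\000\000\000\011'
      printf '%s\n' "$MAGIC"; } > "$1/signed.ko"
}

d=$(mktemp -d)
make_samples "$d"
for m in "$d"/*.ko; do
    printf '%s: %s\n' "${m##*/}" "$(mod_sig_state "$m")"
done
rm -rf "$d"
```

A "signed" result only means a signature is attached; as the comments above show, the kernel still refuses the module until the signing key is enrolled. `modinfo -F signer <module>` shows which key signed it.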