Bugzilla – Full Text Bug Listing
| Summary: | virtualbox kernel module 6.1.34_k5.3.18_150300.59.76-lp153.2.30.1 will not load if secureboot is enabled | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Mark Wenzel <mark.wenzel> |
| Component: | Virtualization:Other | Assignee: | Larry Finger <Larry.Finger> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | bugrprt21882, mark.wenzel, meissner, Sauerlandlinux |
| Version: | Leap 15.3 | ||
| Target Milestone: | --- | ||
| Hardware: | x86-64 | ||
| OS: | openSUSE Leap 15.3 | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Please post the output of "modinfo vboxdrv". I installed the preempt kernel, and got the following:

filename: /lib/modules/5.3.18-150300.59.76-preempt/extra/vboxdrv.ko
version: 6.1.34_SUSE r150636 (0x00320000)
license: GPL
description: Oracle VM VirtualBox Support Driver
author: Oracle Corporation
suserelease: SLE15-SP3
srcversion: 571610FBA9DC1653AD38EF8
depends:
retpoline: Y
name: vboxdrv
vermagic: 5.3.18-150300.59.76-preempt SMP preempt mod_unload modversions
sig_id: PKCS#7
signer: openSUSE Secure Boot CA
sig_key: FA:BE:D8:BF:40:9A:5E:65
sig_hashalgo: sha256
parm: force_async_tsc:force the asynchronous TSC mode (int)

That signer seems to match your key #2. What does your system say about the signing key?

I released an openSUSE-signkey-cert update; after the first reboot there should be a MOK Manager dialog where you need to enrol the new 2022 key.

If this did not happen, can you force reinstall of openSUSE-signing-cert

zypper in -f openSUSE-signing-cert

or rpm -e / zypper in

reboot and see if it brings up the MOK Manager dialog to enroll the new key?

I got access this morning to my only EFI system, booted and updated Leap 15.3. On reboot, I got the MOK screen, which added two new keys. The two new ones have the same issuers as the old ones. Why were new ones needed?

There was another boothole secure boot bypass issue (less public than the previous ones) which needed us to switch to a new secure boot key.

(In reply to Marcus Meissner from comment #4)
> There was another boothole secure boot bypass issue (less public than the
> previous ones) which needed us to switch to a new secure boot key.

Thanks for the info.

My output of
# modinfo vboxdrv
is the same as yours:
filename: /lib/modules/5.3.18-150300.59.76-preempt/extra/vboxdrv.ko
version: 6.1.34_SUSE r150636 (0x00320000)
license: GPL
description: Oracle VM VirtualBox Support Driver
author: Oracle Corporation
suserelease: SLE15-SP3
srcversion: 571610FBA9DC1653AD38EF8
depends:
retpoline: Y
name: vboxdrv
vermagic: 5.3.18-150300.59.76-preempt SMP preempt mod_unload modversions
sig_id: PKCS#7
signer: openSUSE Secure Boot CA
sig_key: FA:BE:D8:BF:40:9A:5E:65
sig_hashalgo: sha256
parm: force_async_tsc:force the asynchronous TSC mode (int)
The MOK Manager dialog does not appear on reboot. So I tried to force reinstalling the keys:
# zypper in -f openSUSE-signing-cert
Loading repository data...
Reading installed packages...
'openSUSE-signing-cert' not found in package names. Trying capabilities.
No provider of 'openSUSE-signing-cert' found.
Resolving package dependencies...
Nothing to do.
So I looked at the repos if there is something wrong:
# zypper lr --uri -E
Repository priorities are without effect. All enabled repositories share the same priority.
# | Alias | Name | Enabled | GPG Check | Refresh | URI
---+---------------------------------+--------------------------------------------------------------+---------+-----------+---------+------------------------------------------------------------------
2 | bareos | Bareos Community Release | Yes | (r ) Yes | Yes | https://download.bareos.org/bareos/release/21/openSUSE_Leap_15.3/
3 | download.opensuse.org-non-oss | Haupt-Repository (NON-OSS) | Yes | (r ) Yes | Yes | http://download.opensuse.org/distribution/leap/15.3/repo/non-oss/
4 | download.opensuse.org-non-oss_1 | Aktualisierungs-Repository (Nicht-Open-Source-Software) | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.3/non-oss/
5 | download.opensuse.org-oss | Haupt-Repository (OSS) | Yes | (r ) Yes | Yes | http://download.opensuse.org/distribution/leap/15.3/repo/oss/
6 | download.opensuse.org-oss_1 | Hauptaktualisierungs-Repository | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.3/oss
11 | repo-backports-update | Update repository of openSUSE Backports | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.3/backports/
17 | repo-sle-update | Update repository with updates from SUSE Linux Enterprise 15 | Yes | (r ) Yes | Yes | http://download.opensuse.org/update/leap/15.3/sle/
That looks normal from my point of view...
i+ | openSUSE-signkey-cert | Paket | 20220613-lp153.2.3.1 | x86_64 | Main Update Repository

If you want to get it into mok see:
https://forums.opensuse.org/showthread.php/560900-Help-on-booting-to-a-5-14-11-kernel-stable-backports-kernel-with-secure-boot-(or-must-I-disable)?p=3073187#post3073187

I found the typo in the command:
wrong:
zypper in -f openSUSE-signing-cert
correct:
zypper in -f openSUSE-signkey-cert

After that the MOK Manager dialog appears on reboot. After enrolling and system startup the vboxdrv could be loaded. I don't know why this did not happen on first install of new cert or it may be overseen and the system started without enrolling. If it was overseen: Should not the dialog show on the next reboot?

(In reply to Mark Wenzel from comment #8)
> I found the typo in the command:
> wrong:
> zypper in -f openSUSE-signing-cert
> correct:
> zypper in -f openSUSE-signkey-cert
>
> After that the MOK Manager dialog appears on reboot. After enrolling and
> system startup the vboxdrv could be loaded. I don't know why this did not
> happen on first install of new cert or it may be overseen and the system
> started without enrolling. If it was overseen: Should not the dialog show on
> the next reboot?

No, you get one shot. If the MOK utility times out, it will continue to boot without updating the keys and it will never ask again unless you poke it the way you did.

I am going to close this bug report.

*** Bug 1201663 has been marked as a duplicate of this bug. ***
After upgrading to the latest patches the kernel module for virtualbox virtualbox-kmp-preempt in version 6.1.34_k5.3.18_150300.59.76-lp153.2.30.1 does not load any more with Kernel 5.3.18-150300.59.76-preempt. dmesg shows the following Message:

vboxdrv: Loading of module with unavailable key is rejected

It seems that the signature of the kernel module is invalid. mokutil lists two keys:

# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
    Validity
      Not Before: Apr 18 14:33:41 2013 GMT
      Not After : Mar 14 14:33:41 2035 GMT
    Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg, O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:TRUE
      X509v3 Subject Key Identifier:
        EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
      X509v3 Authority Key Identifier:
        keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
        DirName:/CN=SUSE Linux Enterprise Secure Boot CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build Team/emailAddress=build@suse.de
        serial:01
      X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign
  Signature Algorithm: sha256WithRSAEncryption

[key 2]
SHA1 Fingerprint: bd:d3:1a:9e:0f:7e:d3:12:76:84:65:e6:57:8e:0d:c0:00:64:46:16
Certificate:
  Data:
    Version: 3 (0x2)
    Serial Number: fa:be:d8:bf:40:9a:5e:64
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
    Validity
      Not Before: Mar 2 13:01:54 2021 GMT
      Not After : Jan 9 13:01:54 2031 GMT
    Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE Project/emailAddress=build@opensuse.org
    Subject Public Key Info:
      Public Key Algorithm: rsaEncryption
        RSA Public-Key: (2048 bit)
        Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints: critical
        CA:FALSE
      X509v3 Subject Key Identifier:
        9D:DF:43:D9:F1:A0:27:27:3F:52:C6:C0:77:59:08:EE:01:67:13:25
      X509v3 Authority Key Identifier:
        keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
        DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE Project/emailAddress=build@opensuse.org
        serial:01
      X509v3 Key Usage: critical
        Digital Signature
      X509v3 Extended Key Usage:
        Code Signing
  Signature Algorithm: sha256WithRSAEncryption
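The comparison this report turns on, as an added example that is not part of the bug report or of any openSUSE tool: check whether the `sig_key` that `modinfo` prints for a module appears among the certificate serial numbers in `mokutil --list-enrolled`. It assumes `sig_key` is the signing certificate's serial number (which is what modinfo shows for PKCS#7 signatures); the function names are illustrative and the sample strings are constructed from the values quoted in this report.

```shell
#!/bin/sh
# Added example: is the key that signed a kernel module enrolled as a MOK?
# Assumption: modinfo's sig_key (PKCS#7) is the signer certificate's serial.

# Normalise "FA:BE:..", "fa:be:.." or "1 (0x1)" to bare lowercase hex.
norm_serial() {
    printf '%s\n' "$1" | awk '{
        s = tolower($0)
        if (match(s, /\(0x[0-9a-f]+\)/)) s = substr(s, RSTART + 3, RLENGTH - 4)
        gsub(/[^0-9a-f]/, "", s); sub(/^0+/, "", s); print s }'
}

# stdin: modinfo output -> sig_key value (nothing if the module is unsigned)
module_sig_key() {
    awk '/^sig_key:/ { sub(/^sig_key:[ \t]*/, ""); print; exit }'
}

# stdin: mokutil --list-enrolled output -> one serial per line.
# Long serials may be printed on the line after "Serial Number:".
enrolled_serials() {
    awk '/Serial Number:/ { sub(/^.*Serial Number:[ \t]*/, "")
                            if ($0 == "") getline
                            print }'
}

# $1: modinfo output, $2: mokutil output. Prints enrolled, missing or unsigned.
check_module_key() {
    want=$(norm_serial "$(printf '%s\n' "$1" | module_sig_key)")
    [ -n "$want" ] || { echo unsigned; return 0; }
    printf '%s\n' "$2" | enrolled_serials | {
        verdict=missing
        while IFS= read -r line; do
            if [ "$(norm_serial "$line")" = "$want" ]; then verdict=enrolled; fi
        done
        echo "$verdict"
    }
}

# Constructed sample input: values from this report, both serial layouts.
SAMPLE_MODINFO='signer:         openSUSE Secure Boot CA
sig_key:        FA:BE:D8:BF:40:9A:5E:65'
SAMPLE_MOK='[key 1]
        Serial Number: 1 (0x1)
[key 2]
        Serial Number:
            fa:be:d8:bf:40:9a:5e:64'

# On a live system: check_module_key "$(modinfo vboxdrv)" "$(mokutil --list-enrolled)"
check_module_key "$SAMPLE_MODINFO" "$SAMPLE_MOK"
```

A serial number is only unique per issuer, so a match is conclusive only when modinfo's `signer` also matches the certificate's Issuer.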