
Acidanthera Bugtracker

OpenLinuxBoot not dealing properly with Secure Boot and/or Signed Kernel Modules #2237

Closed cakehonolulu closed 1 year ago

cakehonolulu commented 1 year ago

Hello,

I've been tinkering with Secure Boot and Signed Kernel Modules for a while and looks like we have a long-standing bug:

Signed Kernel Modules don't load (Key gets rejected, basically) under OpenLinuxBoot-ed instances of the distro.

I've double-checked and they work fine if I boot through GRUB.

Since this is a (Suspected) OpenLinuxBoot issue; I'm not really sure as to what information could be useful to properly dissect this bug.

Anyhow, I'll leave some information regarding the Laptop I'm testing this from:

Linux Distribution: Ubuntu Lunar Lobster (development branch) 23.04
DKMS Version: dkms-3.0.10
Secure Boot Enabled: Yes
Enrolled MOK Cert: Yes
NVIDIA Driver: 530.30.02 Beta

This has been tested with multiple Ubuntu versions (Ranging from 22.04 to the current one) and different driver versions (Stable ones, beta ones...) and it always boils down to booting from OpenLinuxBoot.

Thanks for reading.

mikebeaton commented 1 year ago

Do you have any Linux logs which help to confirm that (and when) the key gets rejected?

cakehonolulu commented 1 year ago

Indeed, the major noticeable thing when I run into the issue is that all dGPU-related tasks don't work as expected:

For example, nvidia-settings applet isn't able to get any dGPU information at all (Neither driver-level information).

You can double-check if the driver is working by issuing:

$ nvidia-smi
NVIDIA-SMI has failed because it couldn't communicate with the NVIDIA driver. Make sure that the latest NVIDIA driver is installed and running.

I'm also attaching a journalctl log (Cleaned all contents of the log and rebooted to grab a fresh journal):

mar 06 15:10:43 CS3003NS gdm3[7055]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:10:53 CS3003NS gdm3[7066]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:10:54 CS3003NS gdm3[7086]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:11:04 CS3003NS gdm3[7088]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:12:17 CS3003NS nvidia-settings-autostart.desktop[2777]: ERROR: NVIDIA driver is not loaded
mar 06 15:12:18 CS3003NS gdm3[3118]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:12:28 CS3003NS gdm3[4580]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:12:29 CS3003NS gdm3[4611]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:12:39 CS3003NS gdm3[4624]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
mar 06 15:12:40 CS3003NS gdm3[4646]: modprobe: ERROR: could not insert 'nvidia': Key was rejected by service

As you can see, all the signed *.ko files of the NVIDIA DKMS drivers fail to get loaded (nvidia-drm.ko, nvidia.ko, nvidia-modeset.ko, nvidia-peermem.ko, nvidia-uvm.ko; 5 total 'Key was rejected by service' entries in the journal).

If I try to load one of them manually:

$ sudo modprobe nvidia -vvv
modprobe: INFO: ../libkmod/libkmod.c:367 kmod_set_log_fn() custom logging function 0x557b5f6b0b30 registered
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.dep.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.alias.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.symbols.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.builtin.alias.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.builtin.bin
modprobe: DEBUG: ../libkmod/libkmod-module.c:579 kmod_module_new_from_lookup() input alias=nvidia, normalized=nvidia
modprobe: DEBUG: ../libkmod/libkmod.c:597 kmod_search_moddep() use mmaped index 'modules.dep' modname=nvidia
modprobe: DEBUG: ../libkmod/libkmod.c:405 kmod_pool_get_module() get module name='nvidia' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:413 kmod_pool_add_module() add 0x557b60617e40 key='nvidia'
modprobe: DEBUG: ../libkmod/libkmod.c:405 kmod_pool_get_module() get module name='drm' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:405 kmod_pool_get_module() get module name='drm' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:413 kmod_pool_add_module() add 0x557b60617ec0 key='drm'
modprobe: DEBUG: ../libkmod/libkmod-module.c:196 kmod_module_parse_depline() add dep: /lib/modules/6.1.0-16-generic/kernel/drivers/gpu/drm/drm.ko
modprobe: DEBUG: ../libkmod/libkmod-module.c:202 kmod_module_parse_depline() 1 dependencies for nvidia
modprobe: DEBUG: ../libkmod/libkmod-module.c:584 kmod_module_new_from_lookup() lookup=nvidia found=1
modprobe: DEBUG: ../libkmod/libkmod.c:502 lookup_builtin_file() use mmaped index 'modules.builtin' modname=nvidia
modprobe: DEBUG: ../libkmod/libkmod-module.c:1817 kmod_module_get_initstate() could not open '/sys/module/nvidia/initstate': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1827 kmod_module_get_initstate() could not open '/sys/module/nvidia': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_pcsp mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=cx88_alsa mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_atiixp_modem mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_intel8x0m mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_via82xx_modem mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=bt87x mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=cx88_alsa mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=saa7134_alsa mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_atiixp_modem mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_intel8x0m mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_via82xx_modem mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_audio mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_caiaq mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_ua101 mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_us122l mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_usx2y mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_cmipci mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_pcsp mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_audio mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=nvidia_drm mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=nouveau mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=nvidia_drm mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=bonding mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=dummy mod->name=drm mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1373 kmod_module_probe_insert_module() Ignoring module 'drm': already loaded
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_pcsp mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=cx88_alsa mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_atiixp_modem mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_intel8x0m mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_via82xx_modem mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=bt87x mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=cx88_alsa mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=saa7134_alsa mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_atiixp_modem mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_intel8x0m mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_via82xx_modem mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_audio mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_caiaq mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_ua101 mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_us122l mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_usx2y mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_cmipci mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_pcsp mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=snd_usb_audio mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=nvidia_drm mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=nouveau mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=nvidia_drm mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=bonding mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1461 kmod_module_get_options() modname=dummy mod->name=nvidia mod->alias=(null)
modprobe: DEBUG: ../libkmod/libkmod-module.c:1817 kmod_module_get_initstate() could not open '/sys/module/nvidia/initstate': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:1827 kmod_module_get_initstate() could not open '/sys/module/nvidia': No such file or directory
modprobe: DEBUG: ../libkmod/libkmod-module.c:802 kmod_module_get_path() name='nvidia' path='/lib/modules/6.1.0-16-generic/updates/dkms/nvidia.ko'
modprobe: DEBUG: ../libkmod/libkmod-module.c:802 kmod_module_get_path() name='nvidia' path='/lib/modules/6.1.0-16-generic/updates/dkms/nvidia.ko'
insmod /lib/modules/6.1.0-16-generic/updates/dkms/nvidia.ko 
modprobe: DEBUG: ../libkmod/libkmod-module.c:802 kmod_module_get_path() name='nvidia' path='/lib/modules/6.1.0-16-generic/updates/dkms/nvidia.ko'
modprobe: INFO: ../libkmod/libkmod-module.c:949 kmod_module_insert_module() Failed to insert module '/lib/modules/6.1.0-16-generic/updates/dkms/nvidia.ko': Key was rejected by service
modprobe: ERROR: could not insert 'nvidia': Key was rejected by service
modprobe: DEBUG: ../libkmod/libkmod-module.c:469 kmod_module_unref() kmod_module 0x557b60617e40 released
modprobe: DEBUG: ../libkmod/libkmod.c:421 kmod_pool_del_module() del 0x557b60617e40 key='nvidia'
modprobe: DEBUG: ../libkmod/libkmod-module.c:469 kmod_module_unref() kmod_module 0x557b60617ec0 released
modprobe: DEBUG: ../libkmod/libkmod.c:421 kmod_pool_del_module() del 0x557b60617ec0 key='drm'
modprobe: INFO: ../libkmod/libkmod.c:334 kmod_unref() context 0x557b606174f0 released

I'll send the same logs but booting with GRUB.

cakehonolulu commented 1 year ago

Working (GRUB Booted) logs and related information:

$ nvidia-smi
Mon Mar  6 15:20:56 2023       
+---------------------------------------------------------------------------------------+
| NVIDIA-SMI 530.30.02              Driver Version: 530.30.02    CUDA Version: 12.1     |
|-----------------------------------------+----------------------+----------------------+
| GPU  Name                  Persistence-M| Bus-Id        Disp.A | Volatile Uncorr. ECC |
| Fan  Temp  Perf            Pwr:Usage/Cap|         Memory-Usage | GPU-Util  Compute M. |
|                                         |                      |               MIG M. |
|=========================================+======================+======================|
|   0  NVIDIA GeForce GTX 1050 w...    Off| 00000000:06:00.0 Off |                  N/A |
| N/A   44C    P8               N/A /  N/A|     54MiB /  3072MiB |      0%      Default |
|                                         |                      |                  N/A |
+-----------------------------------------+----------------------+----------------------+

+---------------------------------------------------------------------------------------+
| Processes:                                                                            |
|  GPU   GI   CI        PID   Type   Process name                            GPU Memory |
|        ID   ID                                                             Usage      |
|=======================================================================================|
|    0   N/A  N/A      2607      G   /usr/lib/xorg/Xorg                            4MiB |
|    0   N/A  N/A      2877    C+G   ...libexec/gnome-remote-desktop-daemon       45MiB |
+---------------------------------------------------------------------------------------+

Journalctl Log:

mar 06 15:18:50 CS3003NS kernel: integrity: Loaded X.509 cert 'nvidia-kernel-module: 7ee8a0fc73bb11a5fd198b02dca3abb686773e1f'
mar 06 15:18:56 CS3003NS kernel: nvidia: loading out-of-tree module taints kernel.
mar 06 15:18:56 CS3003NS kernel: nvidia: module license 'NVIDIA' taints kernel.
mar 06 15:18:56 CS3003NS kernel: nvidia-nvlink: Nvlink Core is being initialized, major device number 508
mar 06 15:18:56 CS3003NS kernel: nvidia 0000:06:00.0: enabling device (0006 -> 0007)
mar 06 15:18:56 CS3003NS kernel: nvidia 0000:06:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=none:owns=none
mar 06 15:18:57 CS3003NS kernel: nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms  530.30.02  Wed Feb 22 03:45:40 UTC 2023
mar 06 15:18:57 CS3003NS kernel: [drm] [nvidia-drm] [GPU ID 0x00000600] Loading driver
mar 06 15:18:58 CS3003NS audit[850]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=850 comm="apparmor_parser"
mar 06 15:18:58 CS3003NS audit[850]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=850 comm="apparmor_parser"
mar 06 15:18:58 CS3003NS kernel: audit: type=1400 audit(1678112338.239:7): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=850 comm="apparmor_parser"
mar 06 15:18:58 CS3003NS kernel: audit: type=1400 audit(1678112338.239:8): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=850 comm="apparmor_parser"
mar 06 15:18:58 CS3003NS kernel: [drm] Initialized nvidia-drm 0.0.0 20160202 for 0000:06:00.0 on minor 1
mar 06 15:18:58 CS3003NS kernel: nvidia_uvm: module uses symbols nvUvmInterfaceDisableAccessCntr from proprietary module nvidia, inheriting taint.
mar 06 15:18:58 CS3003NS kernel: nvidia-uvm: Loaded the UVM driver, major device number 506.
mar 06 15:18:58 CS3003NS nvidia-persistenced[1106]: Verbose syslog connection opened
mar 06 15:18:58 CS3003NS nvidia-persistenced[1106]: Now running with user ID 128 and group ID 136
mar 06 15:18:58 CS3003NS nvidia-persistenced[1106]: Started (1106)
mar 06 15:18:58 CS3003NS nvidia-persistenced[1106]: device 0000:06:00.0 - registered
mar 06 15:18:58 CS3003NS nvidia-persistenced[1106]: Local RPC services initialized
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (**) OutputClass "nvidia" ModulePath extended to "/usr/lib/x86_64-linux-gnu/nvidia/xorg,/usr/lib/xorg/modules"
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) Applying OutputClass "nvidia" to /dev/dri/card1
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]:         loading driver: nvidia
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (==) Matched nvidia as autoconfigured driver 0
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) LoadModule: "nvidia"
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) Loading /usr/lib/x86_64-linux-gnu/nvidia/xorg/nvidia_drv.so
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) Module nvidia: vendor="NVIDIA Corporation"
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) Applying OutputClass "nvidia" options to /dev/dri/card1
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) Loading sub module "glxserver_nvidia"
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) LoadModule: "glxserver_nvidia"
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) Loading /usr/lib/x86_64-linux-gnu/nvidia/xorg/libglxserver_nvidia.so
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) Module glxserver_nvidia: vendor="NVIDIA Corporation"
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (WW) NVIDIA:     '/var/run/nvidia-xdriver-219b8aa5' Permission denied
mar 06 15:18:59 CS3003NS /usr/libexec/gdm-x-session[1438]: (II) NVIDIA(G0): [DRI2]   VDPAU driver: nvidia
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (**) OutputClass "nvidia" ModulePath extended to "/usr/lib/x86_64-linux-gnu/nvidia/xorg,/usr/lib/xorg/modules"
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) Applying OutputClass "nvidia" to /dev/dri/card1
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]:         loading driver: nvidia
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (==) Matched nvidia as autoconfigured driver 0
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) LoadModule: "nvidia"
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) Loading /usr/lib/x86_64-linux-gnu/nvidia/xorg/nvidia_drv.so
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) Module nvidia: vendor="NVIDIA Corporation"
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) Applying OutputClass "nvidia" options to /dev/dri/card1
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) Loading sub module "glxserver_nvidia"
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) LoadModule: "glxserver_nvidia"
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) Loading /usr/lib/x86_64-linux-gnu/nvidia/xorg/libglxserver_nvidia.so
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) Module glxserver_nvidia: vendor="NVIDIA Corporation"
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (WW) NVIDIA:     '/var/run/nvidia-xdriver-603fc5c8' Permission denied
mar 06 15:19:09 CS3003NS /usr/libexec/gdm-x-session[2607]: (II) NVIDIA(G0): [DRI2]   VDPAU driver: nvidia
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:19:15 CS3003NS kernel: [drm:nv_drm_master_set [nvidia_drm]] *ERROR* [nvidia-drm] [GPU ID 0x00000600] Failed to grab modeset ownership
mar 06 15:20:10 CS3003NS nvidia-settings[5113]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
mar 06 15:20:10 CS3003NS nvidia-settings[5113]: PRIME: Requires offloading
mar 06 15:20:10 CS3003NS nvidia-settings[5113]: PRIME: is it supported? yes
mar 06 15:20:10 CS3003NS nvidia-settings[5113]: PRIME: Usage: /usr/bin/prime-select nvidia|intel|on-demand|query
mar 06 15:20:10 CS3003NS nvidia-settings[5113]: PRIME: on-demand mode: "1"

Manually loading one of the modules:

$ sudo modprobe nvidia -vvv
[sudo] password for cakehonolulu: 
modprobe: INFO: ../libkmod/libkmod.c:367 kmod_set_log_fn() custom logging function 0x55f3f60cdb30 registered
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.dep.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.alias.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.symbols.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.builtin.alias.bin
modprobe: DEBUG: ../libkmod/libkmod-index.c:757 index_mm_open() file=/lib/modules/6.1.0-16-generic/modules.builtin.bin
modprobe: DEBUG: ../libkmod/libkmod-module.c:579 kmod_module_new_from_lookup() input alias=nvidia, normalized=nvidia
modprobe: DEBUG: ../libkmod/libkmod.c:597 kmod_search_moddep() use mmaped index 'modules.dep' modname=nvidia
modprobe: DEBUG: ../libkmod/libkmod.c:405 kmod_pool_get_module() get module name='nvidia' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:413 kmod_pool_add_module() add 0x55f3f7bcbe40 key='nvidia'
modprobe: DEBUG: ../libkmod/libkmod.c:405 kmod_pool_get_module() get module name='drm' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:405 kmod_pool_get_module() get module name='drm' found=(nil)
modprobe: DEBUG: ../libkmod/libkmod.c:413 kmod_pool_add_module() add 0x55f3f7bcbec0 key='drm'
modprobe: DEBUG: ../libkmod/libkmod-module.c:196 kmod_module_parse_depline() add dep: /lib/modules/6.1.0-16-generic/kernel/drivers/gpu/drm/drm.ko
modprobe: DEBUG: ../libkmod/libkmod-module.c:202 kmod_module_parse_depline() 1 dependencies for nvidia
modprobe: DEBUG: ../libkmod/libkmod-module.c:584 kmod_module_new_from_lookup() lookup=nvidia found=1
modprobe: DEBUG: ../libkmod/libkmod.c:502 lookup_builtin_file() use mmaped index 'modules.builtin' modname=nvidia
modprobe: DEBUG: ../libkmod/libkmod-module.c:469 kmod_module_unref() kmod_module 0x55f3f7bcbe40 released
modprobe: DEBUG: ../libkmod/libkmod.c:421 kmod_pool_del_module() del 0x55f3f7bcbe40 key='nvidia'
modprobe: DEBUG: ../libkmod/libkmod-module.c:469 kmod_module_unref() kmod_module 0x55f3f7bcbec0 released
modprobe: DEBUG: ../libkmod/libkmod.c:421 kmod_pool_del_module() del 0x55f3f7bcbec0 key='drm'
modprobe: INFO: ../libkmod/libkmod.c:334 kmod_unref() context 0x55f3f7bcb4f0 released

mikebeaton commented 1 year ago

Yeah let me have a look. My initial thought is that we're probably dealing with 'Doing signatures outside shim' from here https://ubuntu.com/blog/how-to-sign-things-for-secure-boot , but let me confirm. Secure boot as such was definitely working with OpenLinuxBoot, but I also don't think Signed Kernel Modules have been addressed.

mikebeaton commented 1 year ago

Your title is basically somewhat wrong, since we do fully support Secure Boot - for the kernel itself - and somewhat right: we don't support the MOK list at all yet.

Supporting MOK would be a feature enhancement. Possibly/probably a separate new driver for OpenCore.

As of now, without such a feature enhancement, you are indeed in the situation of needing to do the steps in 'Doing signatures outside shim' from https://ubuntu.com/blog/how-to-sign-things-for-secure-boot , to get something equivalent to (but not as simple to set up as) MOK.
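Editor's added example (not code from the thread, OpenCore or the Linux kernel): the "Key was rejected by service" lines above are the kernel refusing a module whose appended PKCS#7 signature does not chain to any key on its trusted keyrings; MOK-enrolled certificates only reach those keyrings when shim has run, which is why the same modules load under GRUB+shim and fail under a direct OpenLinuxBoot. The parser below reads the signature trailer that sign-file appends to a .ko (layout and field checks taken from the kernel's module_signature.h and mod_check_sig()), so you can confirm a module is actually signed, how large the signature blob is, and whether the trailer is well-formed before looking at key trust. The ELF and PKCS#7 bytes are constructed placeholders, not a real module or certificate.

```python
import struct

# From include/linux/module_signature.h: magic trailer and key-id type for PKCS#7
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len; }
SIG_INFO_FMT = ">BBBBB3xI"
SIG_INFO_LEN = struct.calcsize(SIG_INFO_FMT)  # 12 bytes

# Constructed sample input: a fake ELF header and a placeholder DER-looking blob
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x10" + b"\xaa" * 16   # stands in for a real PKCS#7 SignedData


def append_signature(module: bytes, pkcs7: bytes) -> bytes:
    """Reproduce the on-disk layout sign-file produces: module || pkcs7 || info || magic."""
    info = struct.pack(SIG_INFO_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + info + MODULE_SIG_STRING


def parse_module_signature(data: bytes):
    """Return None for an unsigned module, else a dict describing the trailer.

    Raises ValueError for the same malformed cases mod_check_sig() rejects
    (bad id_type, non-zero legacy fields, sig_len larger than the file).
    """
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO_LEN:
        raise ValueError("trailer too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        SIG_INFO_FMT, body[-SIG_INFO_LEN:]
    )
    body = body[:-SIG_INFO_LEN]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type} (kernel returns -ENOPKG)")
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("legacy fields must be zero for PKCS#7 (kernel returns -EBADMSG)")
    if sig_len > len(body):
        raise ValueError("sig_len exceeds remaining module size (kernel returns -EBADMSG)")
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "pkcs7": body[-sig_len:],
        "module": body[:-sig_len],
    }


SIGNED_SAMPLE = append_signature(SAMPLE_MODULE, SAMPLE_PKCS7)

if __name__ == "__main__":
    info = parse_module_signature(SIGNED_SAMPLE)
    print("signed:", info is not None, "sig_len:", info["sig_len"])
    print("unsigned sample:", parse_module_signature(SAMPLE_MODULE))
```

Run it against a real file with `parse_module_signature(open("/lib/modules/.../nvidia.ko", "rb").read())`. A well-formed trailer with a rejection in the journal points at key trust (the signer is not on the builtin, secondary, platform or machine keyring in that boot path), not at a corrupt module; an unsigned result under a `module.sig_enforce` kernel explains the failure on its own.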

cakehonolulu commented 1 year ago

Indeed!

Secure Boot has been working for a while; sorry for wrongly paraphrasing the title!

So basically the idea is to have a separate value ("Key in keyslot") for module signing related endeavours; at least for now.

Sounds doable, thanks for the input!

mikebeaton commented 1 year ago

@cakehonolulu -

I believe you could integrate Unix MOK management with OpenCore in exactly the same way described here for integrating it with rEFInd: https://www.rodsbooks.com/refind/secureboot.html#shim .

Perhaps you could give it a go and report back?

EDIT: As a quick update, I'm trying this and hitting some roadblocks, although this or an own-build of shim + MOK manager (in order to get MOK functionality before OpenCore instead of before GRUB) look somewhat promising. If you try any of this (or the previous own-key suggestion above) and get anywhere, do please report back.

cakehonolulu commented 1 year ago

Hello!

Indeed, signing kernel modules with my own UEFI db keys works marvelously, modules load again from OpenCore.

As for the second approach, I'll give it a try this weekend and report back.

Thanks for the inputs!

mikebeaton commented 1 year ago

Thanks.

Given that we have a viable work-around, I don't think the issue needs to remain open. But do please still report back here your results from the other method(s), as and when.

I'm planning to spend some more time trying out variants of the idea of using (own build of?) rhboot/shim (to get integration with native Linux MOK tools) and will also report back if I get that working.

mikebeaton commented 1 year ago

It is now possible to chainload OpenCore from shim - and possibly a good idea to do so, if you are including any third party secure boot signing keys, since if you keep shim up to date it will give SBAT protection against newly discovered security vulnerabilities that might otherwise be allowed by those keys. Chainloading in this way will also enable MOK support, when Secure Boot is enabled, though it's worth noting that if you enroll the default MOK setup for DKMS, this is not particularly secure.

Only recent builds of shim, above 15.7 (which is the current release) will load recent builds of OpenCore (0.8.8 and above), so for now you will have to do one of:

In order for any efi file including OpenCore.efi to be loaded directly by recent versions of shim while secure boot is enabled, an .sbat section must be added to the file before signing it (this only applies to any file which shim loads directly, so not OpenCore's driver files, which only need to be signed). As noted here and here, the documented method for adding an .sbat section to an already-linked .efi file does not actually work. This third party python script does work. Currently, a completely empty (e.g. touch sbat.csv) SBAT file can be used with this script - an empty .sbat section basically means: 'I'm not part of the system which allocates SBAT names and signs them into boot files, and I don't want this boot file to be revoked by any future SBAT revocations'. (Of course you can still revoke your own-signed boot files by rotating your own signing keys.)

You will have to re-run the SBAT script then re-sign OpenCore.efi every time you update OpenCore. (Additionally you should be using OpenCore vaulting if you want secure boot, so you will be redoing that at each update anyway.)
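Editor's added example (not code from the thread, shim or OpenCore): the revocation semantics behind the `.sbat` discussion above, written out so the "empty .sbat section" claim can be checked. A binary's `.sbat` section is CSV with the six fields documented in shim's SBAT.md; shim compares each component's generation against the minimum it holds in its SbatLevel policy and refuses the binary if any listed component is below the minimum. A section that lists no components has nothing to compare and is never revoked, which is exactly the trade-off the comment describes. The policy format as `component,generation` lines and the sample generation numbers are assumptions for illustration, constructed here rather than taken from any shipped SbatLevel.

```python
import csv
import io

# Field order from rhboot/shim SBAT.md for each record in a .sbat section
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")

# Constructed samples: a policy that revokes grub generations below 3, and two binaries
SAMPLE_POLICY = "sbat,1,2022111500\nshim,2\ngrub,3\n"
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,2,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
)
NEW_GRUB_SBAT = OLD_GRUB_SBAT.replace("grub,2,", "grub,3,")
EMPTY_SBAT = ""  # what `touch sbat.csv` produces


def parse_sbat_section(text: str) -> list:
    """Parse the CSV of a .sbat section; an empty section yields no entries."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row or all(not f.strip() for f in row):
            continue
        if len(row) != len(SBAT_FIELDS):
            raise ValueError(f"expected {len(SBAT_FIELDS)} fields, got {len(row)}: {row}")
        entry = dict(zip(SBAT_FIELDS, (f.strip() for f in row)))
        entry["component_generation"] = int(entry["component_generation"])
        entries.append(entry)
    return entries


def parse_sbat_policy(text: str) -> dict:
    """Minimum allowed generation per component, one 'component,generation' per line.

    The leading 'sbat,1,<date>' header is treated like any other component line,
    which matches how binaries carry their own 'sbat,1' entry.
    """
    policy = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or not row[0].strip():
            continue
        policy[row[0].strip()] = int(row[1])
    return policy


def revoked_components(section_text: str, policy_text: str) -> list:
    """Components in the binary whose generation is below the policy minimum."""
    policy = parse_sbat_policy(policy_text)
    return [
        e["component_name"]
        for e in parse_sbat_section(section_text)
        if e["component_name"] in policy
        and e["component_generation"] < policy[e["component_name"]]
    ]


def would_load(section_text: str, policy_text: str) -> bool:
    """True when shim-style SBAT checking would allow the binary."""
    return not revoked_components(section_text, policy_text)


if __name__ == "__main__":
    for name, sec in (("old grub", OLD_GRUB_SBAT), ("new grub", NEW_GRUB_SBAT), ("empty", EMPTY_SBAT)):
        print(name, "->", "loads" if would_load(sec, SAMPLE_POLICY) else "revoked")
```

The practical consequence for a self-signed OpenCore.efi: with an empty section it is immune to future SBAT revocations, so rotating your own db key and re-signing is the only way to retire an old build; if you later want OpenCore revocable through SbatLevel, it has to carry a real component line whose generation you bump on each security-relevant release.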

mikebeaton commented 1 year ago

This should be fully resolved (without requiring any alternative approaches as discussed above) by https://github.com/acidanthera/OpenCorePkg/pull/484 .