rhboot / shim

UEFI shim loader

Debian Bug #989463 - Secure Boot 😠 - Can't load certificate #601

Closed RENANZG closed 1 year ago

RENANZG commented 1 year ago

I don't know who to turn to so I found this repository (repository of experts...). I'm learning how to use Linux (and almost becoming a software engineer... I'm so tired...).

I still can't sign the Kernel in Secure Boot or the wifi module.

As for the kernel:

user@debian:~$ sudo ls /var/lib/shim-signed/mok/
MOK.der  MOK.pem  MOK.priv
user@debian:~$ sudo ls /boot
config-6.1.0-10-amd64      keyfile.gpg
config-6.1.0-11-amd64      lost+found
efi                        System.map-6.1.0-10-amd64
grub                       System.map-6.1.0-11-amd64
initrd.img-6.1.0-10-amd64  vmlinuz-6.1.0-10-amd64
initrd.img-6.1.0-11-amd64  vmlinuz-6.1.0-11-amd64
user@debian:/boot$ sudo sbverify --cert /var/lib/shim-signed/mok/MOK.crt /boot/vmlinuz-6.1.0-11-amd64
Can't load certificate from file '/var/lib/shim-signed/mok/MOK.crt'
40A7D7391F7F0000:error:80000002:system library:BIO_new_file:No such file or directory:../crypto/bio/bss_file.c:67:calling fopen(/var/lib/shim-signed/mok/mok.crt, r)
40A7D7391F7F0000:error:10000080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:75:
user@debian:~$ sudo modinfo /boot/vmlinuz-6.1.0-11-amd64
modinfo: ERROR: Module /boot/vmlinuz-6.1.0-11-amd64 not found.
user@debian:~$ sudo sbverify --list /boot/vmlinuz-6.1.0-11-amd64
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2022 - linux
   issuer:  /CN=Debian Secure Boot CA
signature 2
image signature issuers:
 - /CN=user
image signature certificates:
 - subject: /CN=user
   issuer:  /CN=user
user@debian:~$ sudo sbverify --list /boot/vmlinuz-6.1.0-10-amd64
signature 1
image signature issuers:
 - /CN=Debian Secure Boot CA
image signature certificates:
 - subject: /CN=Debian Secure Boot Signer 2022 - linux
   issuer:  /CN=Debian Secure Boot CA

As for wifi:

user@debian:~$ sudo modprobe rtw_8723du
modprobe: ERROR: could not insert 'rtw_8723du': Key was rejected by service
user@debian:~$ sudo modinfo rtw_8723du 
filename:       /lib/modules/6.1.0-11-amd64/kernel/drivers/net/weless/realtek/rtw88/rtw_8723du.ko
license:        Dual BSD/GPL
description:    Realtek 802.11n wireless 8723du driver
author:         Hans Ulli Kroll <linux@ulli-kroll.de>
alias:          usb:v7392pD611d*dc*dsc*dp*icFFiscFFipFFin*
alias:          usb:v0BDApD723d*dc*dsc*dp*icFFiscFFipFFin*
depends:        rtw_usb,usbcore,rtw_8723d
retpoline:      Y
name:           rtw_8723du
vermagic:       6.1.0-11-amd64 SMP preempt mod_unload modversion
user@debian:~$ sudo dmesg | grep  cert 
[    2.178399] Loading compiled-in X.509 certificates
[    2.204942] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    2.204969] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[    2.213359] integrity: Loading X.509 certificate: UEFI:db
[    2.213408] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[    2.213410] integrity: Loading X.509 certificate: UEFI:db
[    2.213435] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[    2.215204] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    2.215485] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    2.215487] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    2.215745] integrity: Loaded X.509 cert 'user: 7a9d69f5051c39fe7b84587f816603db9499cec6'
[    2.215746] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[    2.216001] integrity: Loaded X.509 cert 'Custom MOK: 612c79bd5af57aebc802fb2f51dd54d4c4382d41'
[  109.634564] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[  109.634859] cfg80211: Loaded X.509 cert 'benh@debian.org: 577e021cb980e0e820821ba7b54b4961b8b4fadf'
[  109.635145] cfg80211: Loaded X.509 cert 'romain.perier@gmail.com: 3abbc6ec146e09d1b6016ab9d6cf71dd233f0328'
[  109.635465] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'

I had already reported here, but no solution: Make sign-install - Debian 12 - linux-headers-6.1.0-11-amd64 #159 https://github.com/lwfinger/rtw88/issues/159

He said:

After you sign and install the modules FOR THE FIRST TIME, you need to take special care to watch for the MOK bluescreen when you reboot. If you miss it, or dismiss it, you do not get another chance to enroll that key. You will need to do some Internet research to see how to recover, or just turn secure boot off! Micro$oft really screwed this whole MOK stuff up badly.

And reported here, but no solutions: [Not Solved] Secure boot error - Can't load key - Permission denied https://forums.debian.net/viewtopic.php?p=780025#p780025


THANKS !!!!
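The `modinfo` output above lists no signer fields, so the first thing worth checking is whether a signature trailer is present on the `.ko` at all. The checker below is an added example (not part of this issue or of the shim project): it parses the trailer that the kernel's `sign-file` appends, following the `struct module_signature` layout and the `~Module signature appended~\n` marker from `include/linux/module_signature.h`, and applies the same header sanity checks the kernel does before it even looks at the PKCS#7 blob. The sample module bytes are constructed, and the signature blob is treated as opaque.

```python
"""Inspect the signature trailer that sign-file appends to a kernel module."""
import struct
import sys

# Constants taken from include/linux/module_signature.h
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3sI")


def parse_module_signature(data: bytes):
    """Return trailer details for a signed module, None if unsigned.

    Raises ValueError for a trailer the kernel would also refuse.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return None  # no marker: module is simply unsigned
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    algo, hsh, id_type, signer_len, key_id_len, pad, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    # For PKCS#7 the kernel insists every other field is zero (mod_check_sig)
    if algo or hsh or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("malformed PKCS#7 module_signature header")
    payload = body[: -SIG_HDR.size]
    if sig_len == 0 or sig_len > len(payload):
        raise ValueError(f"bad sig_len {sig_len}")
    sig = payload[-sig_len:]
    return {
        "sig_len": sig_len,
        "der_like": sig[:1] == b"\x30",  # PKCS#7 DER starts with a SEQUENCE tag
        "module_len": len(payload) - sig_len,
    }


def build_signed_module(module: bytes, sig: bytes) -> bytes:
    """Assemble module || signature || header || marker, as sign-file does (constructed input)."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(sig))
    return module + sig + hdr + MODULE_SIG_STRING


if __name__ == "__main__":
    # Usage: python3 check_ko_sig.py /lib/modules/$(uname -r)/.../driver.ko
    with open(sys.argv[1], "rb") as fh:
        print(parse_module_signature(fh.read()) or "unsigned module")
```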

RENANZG commented 1 year ago

**I'm pretty sure it has to do with DKMS, as the Debian Wiki tutorial confused me.**

Some possible causes:

  1. Cause: Kernel module was at two different locations. I found this strange situation:

    user@debian:~$ sudo ls /lib/modules/
    6.1.0-10-amd64  6.1.0-11-amd64
    user@debian:~$ sudo ls /var/lib/dkms
    user@debian:~$ sudo ls /boot
    config-6.1.0-10-amd64      keyfile.gpg
    config-6.1.0-11-amd64      lost+found
    efi                        System.map-6.1.0-10-amd64
    grub                       System.map-6.1.0-11-amd64
    initrd.img-6.1.0-10-amd64  vmlinuz-6.1.0-10-amd64
    initrd.img-6.1.0-11-amd64  vmlinuz-6.1.0-11-amd64
    user@debian:~$ sudo modprobe -v rtw_8723du
    insmod /lib/modules/6.1.0-11-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_usb.ko 
    modprobe: ERROR: could not insert 'rtw_8723du': Key was rejected by service

    Other signed driver "de", much more strange:

    user@debian:~$ sudo modprobe -v rtw_8723de
    insmod /lib/modules/6.1.0-11-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_pci.ko 
    insmod /lib/modules/6.1.0-11-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723de.ko  
    user@debian:~$ sudo modprobe -v rtw_8723de
    ????????????SHOW ONLY ONE TIME?????????????????????????
  2. Cause: need to create an X.509 key pair (a public key and a corresponding secret key) to use as a MOK.

  3. Cause: Error with DKMS "With the current state of the DKMS package, if a user attempts to install any package that includes a third-party driver (Broadcom WiFi, VirtualBox, v4l2loopback, etc.), the process of signing the newly built driver with a MOK key will fail silently. This means that any packages and hardware that require third-party drivers are currently unusable on a system with Secure Boot. This bug has been tested and verified to occur with the bcmwl-kernel-source package, but also is very likely to affect any other packages that use DKMS modules."

I think I'll try to do everything from scratch (again).

Hihi, I found a friend of yours: https://github.com/lcp/mokutil


References:

  - https://askubuntu.com/questions/1437877/signed-kernel-module-not-accepted
  - https://unix.stackexchange.com/questions/751517/insmod-causes-key-rejected-by-service
  - https://askubuntu.com/questions/762254/why-do-i-get-required-key-not-available-when-install-3rd-party-kernel-modules
  - https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1991725
  - https://bugs.launchpad.net/ubuntu/+source/v4l2loopback/+bug/1991584
  - https://discourse.ubuntu.com/t/dkms-package-support-extra-drivers-does-not-work-in-ubuntu-22-10-install-media/31655

RENANZG commented 1 year ago

Debian Bug report logs - #989463 please align shim-signed dkms behaviour with Ubuntu

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463

julian-klode commented 1 year ago

Neither is this a bug in shim nor is this a support forum for how to sign third-party kernel modules, so closing.

RENANZG commented 1 year ago

You maintain an important repository for Linux and its philosophy of freedom (or for corporate servers?). So, it is necessary to adopt standards, or guidelines, for Linux distributions from the beginning (literally from the "bootloader") that guarantee a more user-friendly use for the common user.

The Unix philosophy is documented by Doug McIlroy[1] in the Bell System Technical Journal from 1978:[2]

  1. Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new "features".
  2. Expect the output of every program to become the input to another, as yet unknown, program. Don't clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don't insist on interactive input.
  3. Design and build software, even operating systems, to be tried early, ideally within weeks. Don't hesitate to throw away the clumsy parts and rebuild them.
  4. Use tools in preference to unskilled help to lighten a programming task, even if you have to detour to build the tools and expect to throw some of them out after you've finished using them.

Thanks