Secure Boot OS Support (mainly Linux) for Jool #431

Open
Ttfgggf opened this issue Dec 27, 2024 · 2 comments


Ttfgggf commented Dec 27, 2024

I know this is a request that will take some time or may not be possible due to its nature.
I would like to see if it is possible to enable Secure Boot OS Support for Jool.
I just tried running it on Debian (with SE enabled) and it didn't allow it.
So I had to turn it off to get Jool to work.

ydahhrk (Member) commented Feb 26, 2025

Well... I'm not sure if I understand this perfectly, but... I'll try to talk, feel invited to correct me:

It seems this involves signing the module. Thing is... I think you're supposed to do that yourself. You decide what your computer trusts and what it doesn't; not me. I don't (and shouldn't) have authority.

https://wiki.ubuntu.com/UEFI/SecureBoot:

Custom-built modules will require the user to take the necessary steps to sign the modules before loading them is allowed by the kernel. This can be achieved by using the 'kmodsign' command [see {How to sign} section].

Unsigned modules are simply refused by the kernel. Any attempt to insert them with insmod or modprobe will fail with an error message.

Given that many users require third-party modules for their systems to work properly or for some devices to function; and that these third-party modules require building locally on the system to be fitted to the running kernel, Ubuntu provides tooling to automate and simplify the signing process.

The "How to sign" section seems to be this:

kmodsign is used exclusively to sign kernel modules (...). Conveniently, if you need to use DKMS modules, an appropriate certificate may already exist in /var/lib/shim-signed/mok.

To sign a custom module, in this example with the generated MOK already available on a system:

kmodsign sha512 \
    /var/lib/shim-signed/mok/MOK.priv \
    /var/lib/shim-signed/mok/MOK.der \
    module.ko

I do have those files in /var/lib/shim-signed/mok, but I suspect they might be different from yours. If I generate a signature, I'd expect it not to work on your system.

Alternatively, I think the only way to fix this would be to upstream some version of Jool into Linux. FWIW, this is actually an ongoing effort here.

ydahhrk (Member) commented Feb 27, 2025

BTW: Jool is actually three modules. You'll probably want to sign all three of them:

$ ls -1 /lib/modules/6.1.0-28-amd64/updates/dkms/
jool_common.ko
jool.ko
jool_siit.ko
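Putting the two comments together, here is an added example (not from the thread and not part of the Jool project) that signs the three DKMS modules with the machine's own MOK, as described above, and checks for the kernel's signature trailer before and after signing. The MOK directory and the module paths are assumptions taken from the thread; the MOK is assumed to be enrolled already.

```shell
#!/bin/sh
# Added example: sign Jool's three DKMS modules with this machine's MOK and verify
# the kernel signature trailer. Assumptions (not from the thread): the shim-signed
# MOK layout below, and that MOK.der is already enrolled (mokutil --import).
set -eu

MOK_DIR=${MOK_DIR:-/var/lib/shim-signed/mok}
# Trailer the kernel appends to every signed module (include/linux/module_signature.h).
SIG_MAGIC='~Module signature appended~'

# Module paths for one kernel version; the three names are the ones listed in the thread.
jool_module_paths() {
    for m in jool_common jool jool_siit; do
        printf '%s\n' "/lib/modules/$1/updates/dkms/$m.ko"
    done
}

# Exit 0 when the file ends with the signature trailer. The comparison is done on
# hex dumps so arbitrary binary bytes from an unsigned .ko never reach the shell.
is_signed() {
    tail_hex=$(tail -c 28 "$1" | od -An -tx1 | tr -d ' \n')
    magic_hex=$(printf '%s\n' "$SIG_MAGIC" | od -An -tx1 | tr -d ' \n')
    [ "$tail_hex" = "$magic_hex" ]
}

# Sign every module that is not signed yet, then confirm the trailer was appended.
# A trailer only shows a signature is present, not that the kernel trusts the key;
# that depends on the enrolled MOK list, so finish with a modprobe to be sure.
sign_jool_modules() {
    kver=${1:-$(uname -r)}
    for ko in $(jool_module_paths "$kver"); do   # paths contain no spaces
        if [ ! -f "$ko" ]; then
            echo "missing module: $ko (is the DKMS build for $kver installed?)" >&2
            return 1
        fi
        if is_signed "$ko"; then
            echo "already signed: $ko"
            continue
        fi
        kmodsign sha512 "$MOK_DIR/MOK.priv" "$MOK_DIR/MOK.der" "$ko"
        is_signed "$ko" || { echo "trailer missing after signing: $ko" >&2; return 1; }
        echo "signed: $ko"
    done
}

# Run as root: ./sign-jool.sh --run [kernel-version]
if [ "${1:-}" = "--run" ]; then
    sign_jool_modules "${2:-}"
fi
```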
