Kernel module signing not persistent after rebooting Ubuntu host

Discussions related to using VirtualBox on Linux hosts.
milverton
Posts: 48
Joined: 17. Apr 2022, 22:25

Re: Kernel module signing not persistent after rebooting Ubuntu host

Post by milverton »

Plus - another uncertainty which struck me, after I had posted that post, is that I'd previously concluded the file vboxdrv.sh gets run at boot time, so I became confused whether the evidence I was presenting was in fact relevant.
milverton
Posts: 48
Joined: 17. Apr 2022, 22:25

Re: Kernel module signing not persistent after rebooting Ubuntu host

Post by milverton »

Doing a little more research here to clean up one loose end. A fresh installation of Linux Mint (Mate "flavor") contains a mok directory at /var/lin/shim-signed, with files MOK.der, MOK.prov, and .rnd. A fresh installation of Ubuntu contains a mok directory at /var/lin/shim-signed, with nothing in it.

Linux Mint provides a way of reading the installation-installed file MOK.der in human-readable form, and using that tool it looks pretty much identical to what was revealed on your system using the modinfo command. As far as I can tell, there is no equivalent tool included with Ubuntu.

The first word of the "signer" field of the Linux Mint MOK.der file appears to be the Environment Variable $HOSTNAME, concatenated in.
fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: Kernel module signing not persistent after rebooting Ubuntu host

Post by fth0 »

milverton wrote: Linux Mint provides a way of reading the installation-installed file MOK.der in human-readable form, and using that tool it looks pretty much identical to what was revealed on your system using the modinfo command. As far as I can tell, there is no equivalent tool included with Ubuntu.

On Ubuntu with the OpenSSL library installed, you could use the following command to view the certificate's content (when the file exists, of course ;)):

Code:

openssl x509 -inform DER -in /var/lib/shim-signed/mok/MOK.der -text -noout
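
Added example, not part of fth0's post or of VirtualBox's scripts: a small check that a module's "signer" field (as shown by modinfo) equals the subject CN of the MOK certificate printed by the command above. The function names, the default module name vboxdrv and the sample certificate text are assumptions made for this illustration.

```bash
#!/usr/bin/env bash
# Compare a kernel module's signer with the CN of the MOK certificate.
# Path taken from the command above; override with MOK_DER=... if needed.
MOK_DER="${MOK_DER:-/var/lib/shim-signed/mok/MOK.der}"

# Constructed sample of `openssl x509 -text` output (not from a real system).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Issuer: CN = examplehost Secure Boot Module Signature key
        Subject: CN = examplehost Secure Boot Module Signature key
        Subject Public Key Info:'

# Read `openssl x509 -text` output on stdin and print the subject CN.
# Handles both "CN = value" and the older "CN=value" layouts.
cert_cn() {
    sed -n '/^[[:space:]]*Subject:.*CN[[:space:]]*=/{
        s/^.*CN[[:space:]]*=[[:space:]]*//
        s/,.*$//
        s/[[:space:]]*$//
        p
        q
    }'
}

# Return 0 only when the signer is non-empty and equals the certificate CN.
signer_matches() {  # $1 = modinfo signer, $2 = certificate CN
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Query the real system: 0 = signed by this MOK, 1 = mismatch, 2 = unsigned.
check_module() {  # $1 = module name, e.g. vboxdrv
    local signer cn
    signer="$(modinfo -F signer "$1" 2>/dev/null)"
    cn="$(openssl x509 -inform DER -in "$MOK_DER" -noout -text 2>/dev/null | cert_cn)"
    if [ -z "$signer" ]; then
        echo "$1: no signer field (unsigned or module not found)"
        return 2
    fi
    if signer_matches "$signer" "$cn"; then
        echo "$1: signed by MOK certificate ($cn)"
    else
        echo "$1: signer '$signer' does not match MOK CN '$cn'"
        return 1
    fi
}

# Runs only when a module name is given on the command line.
if [ "$#" -gt 0 ]; then check_module "$1"; fi
```

Run it after a reboot with the module name as the argument (for example vboxdrv) to see whether the module on disk still carries a signature from the local MOK.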
milverton
Posts: 48
Joined: 17. Apr 2022, 22:25

Re: Kernel module signing not persistent after rebooting Ubuntu host

Post by milverton »

Thank you, fth0, for posting that command - I've found it useful a number of times!