Kernel module signing not persistent after rebooting Ubuntu host
Re: Kernel module signing not persistent after rebooting Ubuntu host
Plus - another uncertainty which struck me, after I had posted that post, is that I'd previously concluded the file vboxdrv.sh gets run at boot time, so I became confused whether the evidence I was presenting was in fact relevant.
Re: Kernel module signing not persistent after rebooting Ubuntu host
Doing a little more research here to clean up one loose end. A fresh installation of Linux Mint (Mate "flavor") contains a mok directory at /var/lin/shim-signed, with files MOK.der, MOK.prov, and .rnd. A fresh installation of Ubuntu contains a mok directory at /var/lin/shim-signed, with nothing in it.
Linux Mint provides a way of reading the installation-installed file MOK.der in human-readable form, and using that tool it looks pretty much identical to what was revealed on your system using the modinfo command. As far as I can tell, there is no equivalent tool included with Ubuntu.
The first word of the "signer" field of the Linux Mint MOK.der file appears to be the Environment Variable $HOSTNAME, concatenated in.
Re: Kernel module signing not persistent after rebooting Ubuntu host
milverton wrote: Linux Mint provides a way of reading the installation-installed file MOK.der in human-readable form, and using that tool it looks pretty much identical to what was revealed on your system using the modinfo command. As far as I can tell, there is no equivalent tool included with Ubuntu.

On Ubuntu with the OpenSSL library installed, you could use the following command to view the certificate's content (when the file exists, of course):
openssl x509 -inform DER -in /var/lib/shim-signed/mok/MOK.der -text -noout
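The comparison discussed in this thread (the "signer" field reported by modinfo against the certificate in MOK.der) can be scripted; the following is an added example, not part of any poster's message. The function names are hypothetical, the module name is passed as an argument, and mokutil is assumed to be installed for the final enrollment check.

```shell
#!/bin/sh
# Added example: compare a kernel module's signer with the MOK certificate.
# Default path is the one from the thread; override with MOK_DER=/path/to/cert.
MOK_DER="${MOK_DER:-/var/lib/shim-signed/mok/MOK.der}"

# Print the subject Common Name of a DER-encoded X.509 certificate.
cert_cn() {
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# check_signer SIGNER [CERT]
# Returns 0 if SIGNER equals the certificate CN and the certificate is still
# valid, 1 on an unsigned module, a mismatch or an expired certificate,
# and 2 if the certificate file is missing (as on the fresh Ubuntu install).
check_signer() {
    cs_signer="$1"
    cs_der="${2:-$MOK_DER}"
    if [ ! -r "$cs_der" ]; then
        echo "no certificate at $cs_der"
        return 2
    fi
    cs_cn="$(cert_cn "$cs_der")"
    if [ -z "$cs_signer" ]; then
        echo "module is unsigned"
        return 1
    fi
    if [ "$cs_signer" != "$cs_cn" ]; then
        echo "signer '$cs_signer' does not match MOK CN '$cs_cn'"
        return 1
    fi
    if ! openssl x509 -inform DER -in "$cs_der" -noout -checkend 0 >/dev/null; then
        echo "MOK certificate has expired"
        return 1
    fi
    echo "signer matches MOK CN '$cs_cn'"
}

# Usage: sh check-mok.sh MODULE   (for example: vboxdrv)
if [ $# -gt 0 ]; then
    check_signer "$(modinfo -F signer "$1" 2>/dev/null)" "$MOK_DER"
    # A matching name is not sufficient: the key must also be enrolled in
    # firmware, otherwise the kernel rejects the module under Secure Boot.
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --test-key "$MOK_DER"
    fi
fi
```

A module that was re-signed with a different key after a rebuild shows up here as a signer mismatch, while a key that was never enrolled shows up only in the mokutil output.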
Re: Kernel module signing not persistent after rebooting Ubuntu host
Thank you, fth0, for posting that command - I've found it useful a number of times!