Module "ashmem" doesn't load with Secure Boot on (but "binder" does load with secure boot on)
Summary
I'm running Ubuntu 20.04.1 with default kernel 5.4.0-42-generic (installed from Main) on a UEFI system. I want to load two kernel modules ("ashmem" and "binder") with Secure Boot enabled. At least for me, "binder" loads fine with Secure Boot enabled, but "ashmem" does not load with Secure Boot enabled. Both modules load with Secure Boot disabled.
Details
Kernel Packages (installed from Main)
- linux-headers-5.4.0-42
- linux-headers-5.4.0-42-generic
- linux-image-5.4.0-42-generic
- linux-modules-5.4.0-42-generic
- linux-modules-extra-5.4.0-42-generic
Secure Boot disabled
With Secure Boot disabled, I can load the module "ashmem" using the following:
sudo modprobe ashmem_linux
Moreover, with Secure Boot disabled, I can load the module "binder" using the following:
sudo modprobe binder_linux
So, all is good with Secure Boot disabled.
Secure Boot enabled
With Secure Boot enabled, I cannot load the module "ashmem" using the following:
sudo modprobe ashmem_linux
Upon attempting to do so, I get the following:
modprobe: ERROR: could not insert 'ashmem_linux': Operation not permitted
However, even with Secure Boot enabled, I can still load the module "binder" without any problem using the following:
sudo modprobe binder_linux
So, I'm puzzled why "binder" loads with Secure Boot enabled, but "ashmem" does not load with Secure Boot enabled.
And for what it's worth, I haven't had any other problems using Secure Boot.
Questions
- Is there a way to force "ashmem" to load with Secure Boot enabled?
- Is the inability to load "ashmem" with Secure Boot enabled a feature or a bug?
- And if it is a bug, where on Launchpad would be the best place to report the bug?
Addendum
To the above, I’ll add that I had enabled Secure Boot (and enrolled MOK) during the initial clean installation of Ubuntu 20.04. Even so, following the excellent suggestion provided by Rinzwind, I ran the following after the initial installation:
sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/`uname -r`/kernel/drivers/staging/android/ashmem_linux.ko
And after running the above, I re-ran:
sudo modprobe ashmem_linux
sudo modprobe binder_linux
lsmod | grep -e ashmem_linux -e binder_linux
SUCCESS! Both “ashmem” and “binder” loaded! Thanks Rinzwind!!
What’s more, Anbox starts for me now with Secure Boot enabled, which was my end goal. :)
Given that both “ashmem” and “binder” now load for me with Secure Boot enabled, I’m marking this question as ANSWERED. However, I noticed another error regarding the “binder” module. For those interested, I posted a question related to that error here.
Solution 1:
You need to sign the module. Looks like it can be done with:
kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/`uname -r`/kernel/drivers/staging/android/ashmem_linux.ko
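To confirm whether a module file carries a signature before and after running kmodsign, the following added example (not part of the original question or answer) checks for the appended-signature marker at the end of the .ko file and prints the signer reported by modinfo. The function names are hypothetical, and it assumes uncompressed .ko files, as in the paths shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): check for an appended module signature.
# A signed module file ends with this fixed marker followed by a newline (28 bytes).
MODSIG_MAGIC='~Module signature appended~'

# Hex-encode stdin so binary data can be compared safely as a string.
hex_of() { od -An -v -tx1 | tr -d ' \n'; }

# has_appended_sig FILE
# Returns 0 if FILE ends with the marker, 1 if it does not, 2 if FILE is unreadable.
# Assumption: FILE is an uncompressed .ko; a compressed module would report 1.
has_appended_sig() {
    [ -r "$1" ] || return 2
    want=$(printf '%s\n' "$MODSIG_MAGIC" | hex_of)
    got=$(tail -c 28 "$1" | hex_of)
    [ "$got" = "$want" ]
}

# report_module NAME
# Resolves NAME to its file with modinfo and prints the signing status.
report_module() {
    path=$(modinfo -n "$1" 2>/dev/null) || { echo "$1: module not found"; return 2; }
    if has_appended_sig "$path"; then
        echo "$1: signed, signer: $(modinfo -F signer "$1")"
    else
        echo "$1: no appended signature ($path)"
        return 1
    fi
}

# Report on every module name given on the command line.
if [ "$#" -gt 0 ]; then
    for m in "$@"; do report_module "$m" || true; done
fi
```

Saved under a name of your choice, it can be run with the two module names from this page as arguments (ashmem_linux binder_linux). A signature is only accepted if its key is trusted by the kernel, which `mokutil --list-enrolled` shows for MOK keys.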