Ubuntu – Module “ashmem” doesn’t load with Secure Boot on (but “binder” does load with secure boot on)

Tags: anbox, kernel, modprobe, secure-boot

Summary

I'm running Ubuntu 20.04.1 with default kernel 5.4.0-42-generic (installed from Main) on a UEFI system. I want to load two kernel modules ("ashmem" and "binder") with Secure Boot enabled. At least for me, "binder" loads fine with Secure Boot enabled, but "ashmem" does not load with Secure Boot enabled. Both modules load with Secure Boot disabled.

Details

Kernel Packages (installed from Main)

  • linux-headers-5.4.0-42

  • linux-headers-5.4.0-42-generic

  • linux-image-5.4.0-42-generic

  • linux-modules-5.4.0-42-generic

  • linux-modules-extra-5.4.0-42-generic

Secure Boot disabled

With Secure Boot disabled, I can load the module "ashmem" using the following:

sudo modprobe ashmem_linux

Moreover, with Secure Boot disabled, I can load the module "binder" using the following:

sudo modprobe binder_linux

So, all is good with Secure Boot disabled.

Secure Boot enabled

With Secure Boot enabled, I cannot load the module "ashmem" using the following:

sudo modprobe ashmem_linux

Upon attempting to do so, I get the following:

modprobe: ERROR: could not insert 'ashmem_linux': Operation not permitted

However, even with Secure Boot enabled, I can still load the module "binder" without any problem using the following:

sudo modprobe binder_linux

So, I'm puzzled why "binder" loads with Secure Boot enabled, but "ashmem" does not load with Secure Boot enabled.

And for what it's worth, I haven't had any other problems using Secure Boot.

Questions

  1. Is there a way to force "ashmem" to load with Secure Boot enabled?

  2. Is the inability to load "ashmem" with Secure Boot enabled a feature or a bug?

  3. And if it is a bug, where on Launchpad would be the best place to report the bug?

Addendum

To the above, I’ll add that I had enabled Secure Boot (and enrolled MOK) during the initial clean installation of Ubuntu 20.04. Even so, following the excellent suggestion provided by Rinzwind, I ran the following after the initial installation:

sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/`uname -r`/kernel/drivers/staging/android/ashmem_linux.ko

And after running the above, I re-ran:

sudo modprobe ashmem_linux

sudo modprobe binder_linux

lsmod | grep -e ashmem_linux -e binder_linux

SUCCESS! Both “ashmem” and “binder” loaded! Thanks Rinzwind!!

What’s more, Anbox starts for me now with Secure Boot enabled, which was my end goal. 🙂

Given that both “ashmem” and “binder” now load for me with Secure Boot enabled, I’m marking this question as ANSWERED. However, I noticed another error regarding the “binder” module. For those interested, I posted a question related to that error here.

Best Answer

  • You need to sign the module. Looks like it can be done with:

    kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/`uname -r`/kernel/drivers/staging/android/ashmem_linux.ko
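
To see which modules actually carry a signature before and after running kmodsign, the script below reads the trailer that signing appends to a .ko file. It is an added example, not part of the original question or answer; the function name `module_sig_info` and the script name in the usage comment are hypothetical, and the trailer layout is the one defined in the Linux kernel's module_signature.h.

```shell
#!/bin/sh
# Added example: inspect the signature trailer appended to a .ko file.
# On-disk layout of a signed module (Linux kernel module_signature.h):
#   [ELF module][PKCS#7 signature][12-byte struct module_signature][magic]
MAGIC='~Module signature appended~'   # followed by "\n": 28 bytes in total

# Hex-encode stdin so binary data can be compared as a plain string.
hex() { od -An -v -tx1 | tr -d ' \n'; }

# module_sig_info FILE  (hypothetical helper name)
# Prints "id_type=<n> sig_len=<bytes>" and returns 0 if a trailer is present;
# returns 1 if there is no trailer, 2 if the file cannot be read.
module_sig_info() {
    f=$1
    [ -r "$f" ] || return 2
    size=$(wc -c < "$f")
    [ "$((size))" -ge 40 ] || return 1          # too small for struct + magic
    want=$(printf '%s\n' "$MAGIC" | hex)
    have=$(tail -c 28 "$f" | hex)
    [ "$have" = "$want" ] || return 1
    # The 12 bytes before the magic are struct module_signature: byte 3 is
    # id_type (2 = PKCS#7), bytes 9-12 are the big-endian signature length.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -v -tu1)
    [ "$#" -eq 12 ] || return 1
    echo "id_type=$3 sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))"
}

# Usage (script name is an assumption):
#   sh check-modsig.sh /lib/modules/$(uname -r)/kernel/drivers/staging/android/*.ko
for ko in "$@"; do
    if info=$(module_sig_info "$ko"); then
        echo "$ko: signature trailer present ($info)"
    else
        echo "$ko: no signature trailer found"
    fi
done
```

A trailer only shows that a signature is attached; the module still loads only if the signing certificate (here the enrolled MOK) is trusted by the running kernel.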