Tuesday, June 21, 2016

Module signing in Linux

Got xUbuntu 16.04 installed alongside Windows 10 on UEFI with Secure Boot enabled and had to get third-party GPU drivers running, so I found this nice answer here.

Since Ubuntu kernel 4.4.0-20, unsigned kernel modules are refused when the system was booted with Secure Boot enabled. If you want to keep Secure Boot and still run third-party modules such as GPU drivers, the next logical step is to sign those modules with a key of your own and enroll that key as a Machine Owner Key (MOK), so that the kernel trusts your signature.

So let's try it.
  1. Create signing keys
    openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=descriptive name/"
  2. Sign the module
    sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der /path/to/module
  3. Register the keys to Secure Boot
    sudo mokutil --import MOK.der
    mokutil asks for a one-time password; MokManager will ask for it again after the reboot to confirm the enrollment
  4. Reboot and follow the instructions to Enroll MOK (Machine Owner Key). Here's a sample with pictures. The system will reboot one more time.
Please let me know if your modules would run this way on Ubuntu 16.04 (on kernel 4.4.0-21, I believe).

Resources: Detailed website article for Fedora and Ubuntu implementation of module signing.

One addition for the security-conscious: the private key MOK.priv generated with the -nodes option above is not protected by a passphrase. Any program running with your privileges could therefore read it and sign a compromised module, or even a bootloader, because shim trusts anything signed by an enrolled MOK, not only kernel modules (what ends up in firmware storage is only the public certificate MOK.der, in the MokList variable; the private key is an ordinary file, which is exactly the problem). A more secure solution is to omit the -nodes option. In step 1 openssl will then ask for a passphrase to protect the private key. Before step 2, when signing, export the passphrase in the KBUILD_SIGN_PIN environment variable; sign-file reads that variable to decrypt the key. Keep in mind that sudo resets the environment, so either sign a copy of the module as your own user (sign-file needs no privileges to sign a file you own) and install it with sudo afterwards, or run sign-file with sudo -E. Once your modules are signed, move MOK.priv off the machine, or at least make it root-only; only MOK.der has to stay around for future enrollments. Two quick checks: mokutil --test-key MOK.der tells you whether the certificate is enrolled, and modinfo -F signer /path/to/module prints the CN you chose in step 1 if the module really is signed.
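For anyone who wants to see what sign-file actually writes into the module (or to check a module that did not come from their own signing step), here is an added example of mine, not code from the post or from the linked answer: a small C tool that parses the trailer sign-file appends to a .ko and applies the same pre-checks the kernel runs before it hands the blob to the PKCS#7 parser. The layout is the one from scripts/sign-file.c and include/linux/module_signature.h (module bytes, then the PKCS#7 DER blob, then a 12-byte struct module_signature with a big-endian sig_len, then the 28-byte magic string); the names sig_status, sig_view, append_signature and parse_module_signature are my own. The kernel refuses a trailer whose id_type is not PKCS#7 (-ENOPKG) or whose legacy algo/hash/signer/key_id fields are non-zero (-EBADMSG); the tool reports the same conditions. Run it as ./modsig /path/to/module.ko [sig.p7s]; the optional second argument receives the raw PKCS#7 blob, which openssl asn1parse -inform DER -in sig.p7s will dump (sign-file does not embed the certificate, so only the issuer and serial of your MOK are visible there).

```c
/* Inspect the signature trailer scripts/sign-file appends to a .ko.
 * On-disk layout in PKCS#7 mode, as written by sign-file:
 *   [module bytes][PKCS#7 DER blob][struct module_signature, 12 bytes][MAGIC, 28 bytes] */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIG_MAGIC "~Module signature appended~\n"
#define SIG_MAGIC_LEN (sizeof(SIG_MAGIC) - 1)   /* 28 */
#define SIG_INFO_LEN 12                         /* sizeof(struct module_signature) */
#define PKEY_ID_PKCS7 2                         /* enum pkey_id_type value sign-file writes */

enum sig_status {
    SIG_UNSIGNED,       /* no trailer present */
    SIG_PKCS7,          /* well-formed PKCS#7 trailer (signature itself not verified here) */
    SIG_BAD_TRAILER,    /* magic present but the lengths do not fit the file */
    SIG_BAD_TYPE,       /* id_type is not PKCS#7: kernel answers -ENOPKG */
    SIG_BAD_PARAMS      /* legacy fields non-zero: kernel answers -EBADMSG */
};

struct sig_view {
    size_t payload_len;     /* the bytes that were hashed and signed */
    const uint8_t *sig;     /* PKCS#7 blob inside the image, NULL when unsigned */
    size_t sig_len;
};

/* Build a signed image with the exact layout sign-file produces (used for test
 * fixtures; the real tool obtains SIG from OpenSSL with the private key).
 * OUT must hold payload_len + sig_len + 40 bytes; returns the total length. */
size_t append_signature(const uint8_t *payload, size_t payload_len,
                        const uint8_t *sig, size_t sig_len, uint8_t *out)
{
    uint8_t info[SIG_INFO_LEN] = {0};   /* algo, hash, signer_len, key_id_len, pad stay 0 */
    size_t off = 0;

    info[2] = PKEY_ID_PKCS7;
    info[8] = (uint8_t)(sig_len >> 24);  /* __be32 sig_len */
    info[9] = (uint8_t)(sig_len >> 16);
    info[10] = (uint8_t)(sig_len >> 8);
    info[11] = (uint8_t)sig_len;

    memcpy(out + off, payload, payload_len);      off += payload_len;
    memcpy(out + off, sig, sig_len);              off += sig_len;
    memcpy(out + off, info, SIG_INFO_LEN);        off += SIG_INFO_LEN;
    memcpy(out + off, SIG_MAGIC, SIG_MAGIC_LEN);  off += SIG_MAGIC_LEN;
    return off;
}

/* Locate the trailer and apply the kernel's sanity checks on struct module_signature. */
enum sig_status parse_module_signature(const uint8_t *img, size_t len, struct sig_view *out)
{
    const uint8_t *info;
    size_t body_len, total;
    uint32_t sig_len;

    out->payload_len = len;
    out->sig = NULL;
    out->sig_len = 0;

    if (len < SIG_MAGIC_LEN || memcmp(img + len - SIG_MAGIC_LEN, SIG_MAGIC, SIG_MAGIC_LEN) != 0)
        return SIG_UNSIGNED;
    body_len = len - SIG_MAGIC_LEN;
    if (body_len < SIG_INFO_LEN)
        return SIG_BAD_TRAILER;
    info = img + body_len - SIG_INFO_LEN;
    body_len -= SIG_INFO_LEN;

    sig_len = ((uint32_t)info[8] << 24) | ((uint32_t)info[9] << 16) |
              ((uint32_t)info[10] << 8) | (uint32_t)info[11];
    /* signer name and key id precede the signature; both are empty in PKCS#7 mode */
    total = (size_t)info[3] + (size_t)info[4] + sig_len;
    if (total > body_len)
        return SIG_BAD_TRAILER;

    out->payload_len = body_len - total;
    out->sig = img + body_len - sig_len;
    out->sig_len = sig_len;

    if (info[2] != PKEY_ID_PKCS7)
        return SIG_BAD_TYPE;
    if (info[0] || info[1] || info[3] || info[4] || info[5] || info[6] || info[7])
        return SIG_BAD_PARAMS;
    return SIG_PKCS7;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "unsigned", "PKCS#7 trailer", "bad trailer",
                                   "not PKCS#7 (-ENOPKG)", "non-zero legacy fields (-EBADMSG)" };
    struct sig_view v;
    FILE *f, *o;
    uint8_t *img;
    long len;

    if (argc < 2 || !(f = fopen(argv[1], "rb")))
        return 1;
    fseek(f, 0, SEEK_END); len = ftell(f); rewind(f);
    img = malloc((size_t)len + 1);
    if (!img || fread(img, 1, (size_t)len, f) != (size_t)len)
        return 1;
    fclose(f);
    enum sig_status s = parse_module_signature(img, (size_t)len, &v);
    printf("%s: %s, payload %zu bytes, signature %zu bytes\n", argv[1], names[s], v.payload_len, v.sig_len);
    if (argc > 2 && v.sig && (o = fopen(argv[2], "wb"))) {   /* dump the raw PKCS#7 blob */
        fwrite(v.sig, 1, v.sig_len, o);
        fclose(o);
    }
    free(img);
    return 0;
}
```

A practical use of payload_len: hashing only the first payload_len bytes of a signed module gives the digest of the module as it was before signing, which is what you compare against the vendor's unsigned build when you want to know whether only a signature was added or the code itself changed.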

Wednesday, January 14, 2015

Enabling A2DP Bluetooth speakers for PulseAudio in xUbuntu 14.04

A little bit of masochism Linux-style

1. change settings in audio.conf:
2. enable Bluetooth in PulseAudio
sudo apt-get install pulseaudio-module-bluetooth
pulseaudio -k
pactl load-module module-bluetooth-device
pactl load-module module-switch-on-connect


Friday, November 14, 2014

Moving to Xubuntu

I've decided to completely move to Xubuntu 14.04 LTS as my main OS. My Windows 7 Home Premium is almost crushed under the weight of its own security updates, though I must admit it survived 3 years without a reinstall, which is sort of a record for me, so kudos to M$ :)

Issues I have met so far:
  1. There is no good replacement for MS Office. I desperately need Excel, Word, Powerpoint, Project and Visio for my work, so I'll go with corporate Windows 7 running in a VirtualBox VM
  2. Not sure if my 3G Huawei modem will work. Linux has detected it correctly, but I still have not managed to connect
  3. I have managed to connect to my company's VPN with the AnyConnect client, but would like to migrate to OpenConnect integrated with NetworkManager. OpenConnect does not work correctly so far due to some issues with host scanning
  4. The Evernote desktop client is not supported on Linux. I have to stick to the web version and use the desktop client in the corporate Windows 7 running in a VM
  5. The Google Drive desktop client is not supported on Linux. There are some replacements available; I'd like to stick to the one which integrates with FUSE but have not yet succeeded
  6. Ubuntu 14.04 has a bug with 802.1x which is a bit annoying but possible to overcome
  7. I'd like to run a VM with an interface to the corporate network through the VPN running on Linux. I have no idea yet how to configure it (IP tunnel? not sure)
  8. Connecting Bluetooth input devices required some hacking in the HID autoconnect scripts
  9. The Opera browser is available for Linux only as a beta

Saturday, June 15, 2013

X10 is alive!

Just before another trip to the US I've decided to restore my ol' pal, the SE Xperia X10, now with AOSP JB 4.2.2. After purchasing a brand new battery, here's what I got to install:
I have not installed any apps on top of that, so I have it only as a 'data pipe' for my Galaxy Nexus (on a UA SIM) and ... well ... as a phone, just to make calls :)

Monday, November 26, 2012

Sparse is dead?

Just noticed that the Linux kernel sparse tool is not maintained well anymore. It actually has two repositories:
but unfortunately neither seems to be supported anymore. In order to make my small program work with cgcc I had to apply a few patches fixing GCC incompatibilities, but reviewing the sparse code further I see lots of other issues; there are lots of fixing patches floating around the internet, too. It's a pity, but this nice tool seems to be dead.

Update: sparse cannot even handle arrays of booleans, what a shame...

Sunday, November 18, 2012

Conky GUI on xUbuntu 12.04 and Oracle JDK 1.7

Recently I have found a nice tool to replace Gnome Screenlets on my XFCE desktop and provide all sorts of technical details (memory usage, CPU usage, IO load, network stats, etc.): Conky. It is highly flexible, provides a Lua interface and also whatever else you can imagine for this kind of tool. More info on the project page or on Wikipedia; there you can find good examples of config files, various tweaks and additional software.

Unfortunately, there is no GUI to write conky configuration scripts except Conky GUI, which does not seem to be maintained anymore. The last activity was in May 2012, when the project was moved to GitHub. The .deb package from the website didn't work for me, so I decided to build my own version. It turned out that some minor fixes were needed to run it with Oracle JDK 1.7 and the new JUnit; the patches can be found here.

UPDATE: Amazing samples of Conky configuration!

Tuesday, July 10, 2012


While playing with Android libsensors virtual HW access I decided not to torture my PandaBoard by soldering on an additional serial port (note that it has only one, with the console connected to it by default) and to use some sort of virtual serial port instead, connected to the real HW over the network:

After googling for a while I found a nice tool, 'socat', that allows you to... well, it can do almost everything, check it out on the project website: http://www.dest-unreach.org/socat/

It only turned out that the Android build script has a minor bug in it that I had to fix (see 'android_termios_shift_fix.patch' below), and there is also a problem with PTY support. By default openpty() and related functions are absent from the Bionic library, while the Linux kernel configuration used in Android implements UNIX98 PTYs. In order to get my small system working I ported the openpty() function from uClibc, which seemed to be quite enough for socat to work. The 'enable_android_pty.patch' adds an 'openpty.c' file to the build and modifies the Android build script to perform the following changes when it is invoked:
 - enable the HAVE_OPENPTY and HAVE_GRANTPT features in config.h
 - add openpty.c to the Makefile
Actually this is a quick-n-dirty solution: it produces a warning for openpty() since no pty.h header exists, the port itself is a license violation, etc., but I don't really care at the moment; the whole 'socat_buildscript_for_android.sh' distributed with socat is a dirty hack.
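To show what such a port boils down to, here is an added example of mine (neither the openpty.c from the patch nor uClibc's code): openpty() with the signature of the BSD call, rebuilt from the UNIX98 primitives posix_openpt/grantpt/unlockpt/ptsname, which is all a libc needs when the kernel has CONFIG_UNIX98_PTYS, plus a helper that pushes a string through a raw pty pair the way a socat pty address feeds a program that believes it is talking to a serial port. The names unix98_openpty, make_raw and pty_roundtrip are my own; make_raw sets the same flags as cfmakeraw(3) and corresponds to socat's raw,echo=0 options. It assumes a Linux host with /dev/ptmx and /dev/pts mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <termios.h>
#include <unistd.h>

/* glibc only exposes the UNIX98 pty calls from <stdlib.h> under a suitable
 * feature macro; repeating the prototypes keeps this file independent of that. */
extern int posix_openpt(int flags);
extern int grantpt(int fd);
extern int unlockpt(int fd);
extern char *ptsname(int fd);

/* openpty(3) built from UNIX98 primitives. Returns 0, or -1 with errno set. */
int unix98_openpty(int *amaster, int *aslave, char *name, size_t namelen,
                   const struct termios *termp, const struct winsize *winp)
{
    int master, slave = -1, saved_errno;
    const char *path;

    master = posix_openpt(O_RDWR | O_NOCTTY);     /* opens /dev/ptmx */
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 ||                     /* fix owner/mode of the slave node */
        unlockpt(master) < 0 ||                    /* clear the lock so the slave can be opened */
        (path = ptsname(master)) == NULL)          /* "/dev/pts/N" (static buffer, not thread safe) */
        goto fail;
    slave = open(path, O_RDWR | O_NOCTTY);
    if (slave < 0)
        goto fail;
    if (termp && tcsetattr(slave, TCSANOW, termp) < 0)
        goto fail;
    if (winp && ioctl(slave, TIOCSWINSZ, winp) < 0)
        goto fail;
    if (name) {
        if (strlen(path) >= namelen) { errno = ERANGE; goto fail; }
        strcpy(name, path);
    }
    *amaster = master;
    *aslave = slave;
    return 0;

fail:
    saved_errno = errno;
    if (slave >= 0)
        close(slave);
    close(master);
    errno = saved_errno;
    return -1;
}

/* socat's raw,echo=0: no line editing, no echo, no CR/NL mangling, 8-bit clean. */
static void make_raw(struct termios *t)
{
    t->c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
    t->c_oflag &= ~OPOST;
    t->c_lflag &= ~(ECHO | ECHONL | ICANON | ISIG | IEXTEN);
    t->c_cflag &= ~(CSIZE | PARENB);
    t->c_cflag |= CS8;
    t->c_cc[VMIN] = 1;      /* read() returns as soon as one byte is there */
    t->c_cc[VTIME] = 0;
}

/* Write MSG into the master side and read it back from the raw slave side, as
 * a program attached to the pty would. Copies the result into BUF
 * (NUL-terminated); returns the byte count or -1 on error. */
ssize_t pty_roundtrip(const char *msg, char *buf, size_t buflen)
{
    struct termios t;
    int master, slave;
    size_t want = strlen(msg), got = 0;

    if (want >= buflen || unix98_openpty(&master, &slave, NULL, 0, NULL, NULL) < 0)
        return -1;
    if (tcgetattr(slave, &t) < 0)
        goto fail;
    make_raw(&t);
    if (tcsetattr(slave, TCSANOW, &t) < 0 || write(master, msg, want) != (ssize_t)want)
        goto fail;
    while (got < want) {                          /* the line discipline may hand data out in pieces */
        ssize_t n = read(slave, buf + got, want - got);
        if (n <= 0)
            goto fail;
        got += (size_t)n;
    }
    buf[got] = '\0';
    close(slave);
    close(master);
    return (ssize_t)got;

fail:
    close(slave);
    close(master);
    return -1;
}

int main(void)
{
    char name[64], buf[64];
    int master, slave;

    if (unix98_openpty(&master, &slave, name, sizeof name, NULL, NULL) < 0) {
        perror("openpty");
        return 1;
    }
    printf("slave side is %s\n", name);           /* this is what socat's link= would symlink to */
    close(slave);
    close(master);
    return pty_roundtrip("AT+CSQ\r", buf, sizeof buf) < 0;
}
```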

So I've got everything working, and I can also capture and analyze packets going through the serial port with Wireshark just by writing a simple dissector! sweeeeet...

Patches are available here.

Socat is used on the host (sandbox) with the following command:
socat tcp-l:54321,reuseaddr,fork /dev/ttyS0,raw,b115200,echo=0
and on the panda with:
socat pty,link=/dev/ttyS0,raw,echo=0 tcp:sandbox:54321
One caveat: tcp-l as written listens on every interface, so anyone who can reach the sandbox on port 54321 gets raw access to the serial port and whatever hardware sits behind it. The listening side accepts socat's range= option to restrict the peers that may connect (for example tcp-l:54321,reuseaddr,fork,range=192.168.1.0/24, with your own subnet substituted), and bind= to listen on one address only.

Wednesday, October 26, 2011

KS2011: Patch review (by LWN.net)

I have read an interesting article by Jonathan Corbet on the "patch review" session at the 2011 Kernel Summit. Needless to say, the patch review process in both open-source and proprietary projects is a very interesting and challenging topic, especially when it comes to big software systems with thousands of people working on them. While reading the article I found a point not really relevant to the review process, but very interesting from the prioritization point of view:
As one might imagine, the discussion became rather unfocused and fragmented for a while. It came back together when Linus took the microphone and stated that, simply, code that actually is used is the code that is actually worth something. The Android code is certainly being used; the in-kernel code aimed at the same problems is just a vague idea that is worthless in comparison. We should, he said, consider merging suspend blockers as a real option. Even if it truly is crap, we've had crap in the kernel before. The code does not get any better out of tree. Alan Cox agreed that it is probably a good idea to merge that code. The interface is important and has a lot of users; getting the code merged is the best way to fix the implementation. Ingo also agreed, saying that when code has millions of users, we have to say "yes" to it. 
This is a really interesting statement, and I fully support it. It does not neglect the need to improve code quality over time; it only sets the priority. It is really weird that so many people (including really good software engineers) do not understand this...