Your message dated Thu, 4 Jan 2024 01:02:26 +0100
with message-id <[email protected]>
and subject line Re: dkms: upgrade to 2.8.7 breaks existing MOK file signing
under certain circumstances.
has caused the Debian Bug report #999467,
regarding dkms: upgrade to 2.8.7 breaks existing MOK file signing under certain
circumstances.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
999467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999467
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dkms
Version: 2.8.7-2
Severity: important
Dear Maintainers,
first of all thanks for maintaining dkms!
I ran into an issue, that took me a while to figure out it was actually
caused by an update of dkms. I have secure boot enabled on my system,
thus i have to sign my kernel modules as described on
https://wiki.debian.org/SecureBoot.
I am using the shipped /etc/dkms/sign_helper.sh from the package, and
created the MOK files as described in the wiki, with the paths and names
used in the sign_helper.sh. I enabled the sign_helper.sh in
framework.conf.
In the mean time it seems, that beween versions 2.8.4 and 2.8.7 the
content of sign_helper.sh changed. As sign_helper.sh itself wasn't
changed on my system, Debian's conffile mechanism didn't detect, that
newer versions of that file has different path/filename combination of
the files mentioned in sign_helper.sh.
During the upgrade process itself I did not catch that DKMS sign_helper
is complaining about the missing keys.
All i saw was an error message for the first DKMS modules build, telling
me
> You cannot add the same module/version combo more than once.
The error messages look VERY similar as in #842596.
In the end, rm'ing all module directories in /var/lib/dkms and renaming
the MOK files plus a rebuild of all modules helped.
One may argue if the severity is normal or important, but my guess is,
that i am not the only one using the filenames as in sign_helper.sh, and
this may break other installations too. Feel free to downgrade the
bugreport if you are not in line with me here.
Maybe it would be helpful, to mention this change in NEWS.Debian? Or at
least in the changelog of the package?
Best regards,
Martin
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.14.0-4-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages dkms depends on:
ii build-essential 12.9
ii coreutils 8.32-4.1
ii dctrl-tools 2.24-3+b1
ii dpkg-dev 1.20.9
ii gcc [c-compiler] 4:11.2.0-2
ii gcc-10 [c-compiler] 10.3.0-12
ii gcc-11 [c-compiler] 11.2.0-10
ii kmod 29-1
ii lsb-release 11.1.0
ii make 4.3-4.1
ii patch 2.7.6-7
Versions of packages dkms recommends:
ii fakeroot 1.26-1
ii linux-headers-amd64 [linux-headers-generic] 5.14.16-1
ii sudo 1.9.5p2-3
Versions of packages dkms suggests:
ii e2fsprogs 1.46.4-1
pn menu <none>
-- Configuration Files:
/etc/dkms/framework.conf changed:
sign_tool="/etc/dkms/sign_helper.sh"
-- no debconf information
--
Martin Zobel-Helas <[email protected]>
Debian & GNU/Linux Developer Debian Listmaster
http://about.me/zobel Debian Webmaster
GPG Fingerprint: 6B18 5642 8E41 EC89 3D5D BDBB 53B1 AC6D B11B 627B
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Version: 3.0.11-2
On Thu, 11 Nov 2021 14:07:29 +0100 Martin Zobel-Helas <[email protected]>
wrote:
I am using the shipped /etc/dkms/sign_helper.sh from the package, and
This is no longer shipped by dkms.
> You cannot add the same module/version combo more than once.
The error messages look VERY similar as in #842596.
There is now protection againt this bug (dkms database corruption
because of an empty variable caused files being placed in a path with
fewer directory levels than planned) and cleanup code in the postinst to
recover from dkms database corruption.
Andreas
--- End Message ---
