Package: dkms
Version: 3.0.6-2
Followup-For: Bug #1019425
Control: tags -1 patch
The dkms script has several flaws that forbid module signing:
- Debian, contrary to Ubuntu, does not have kmodsign; sign-file from the kernel
should be directly used
- the script logic was wrong (if [[ -x "$(command -v XXX)" ]]; then XXX missing;
fi => this is the reverse)
- the Debian update-secureboot-policy does not accept/use the --new-key and
--enroll-key options (contrary to Ubuntu?)
So, here is the patch I applied to dkms on my system in order to get module
signing back.
Note that:
- the part of the patch that generates and enrolls the key should be carefully
checked (I already have keys, so I did not test this part of the patch).
Perhaps "mokutil --import KEY" should be run after checking that the key is
not already enrolled
- on upgrade, if a user previously did module signing with their own
sign_tool/sign_helper.sh, the key is not necessarily at the default expected
place (/var/lib/dkms)
- perhaps it would be better in Debian to put the key by default in
/etc/dkms/keys/ instead of /var/lib/dkms/ (the current default set in the
dkms script)
Regards
Vincent
-- System Information:
Debian Release: bookworm/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'),
(500, 'oldstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel
Kernel: Linux 5.18.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dkms depends on:
ii build-essential 12.9
ii clang-11 [c-compiler] 1:11.1.0-6+b2
ii clang-13 [c-compiler] 1:13.0.1-7
ii clang-14 [c-compiler] 1:14.0.6-2
ii clang-9 [c-compiler] 1:9.0.1-20+b1
ii dctrl-tools 2.24-3+b1
ii dh-dkms 3.0.6-2
ii dpkg-dev 1.21.9
ii gcc [c-compiler] 4:12.2.0-1
ii gcc-10 [c-compiler] 10.4.0-5
ii gcc-11 [c-compiler] 11.3.0-6
ii gcc-12 [c-compiler] 12.2.0-2
ii gcc-9 [c-compiler] 9.5.0-2
ii kmod 30+20220630-3
ii lsb-release 11.2
ii make 4.3-4.1
ii patch 2.7.6-7
Versions of packages dkms recommends:
ii fakeroot 1.29-1
ii linux-headers-amd64 [linux-headers-generic] 5.19.6-1
ii sudo 1.9.11p3-1
Versions of packages dkms suggests:
ii e2fsprogs 1.46.5-2
ii menu 2.1.49
-- no debconf information
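An added verification aid, not part of this report or of the dkms package: once signing is restored, it is worth checking that the built modules actually carry the trailer that sign-file appends. The script below parses the appended struct module_signature (layout from the kernel's include/linux/module_signature.h, id_type PKEY_ID_PKCS7 as written by scripts/sign-file) at the end of a .ko and heuristically reports which digest OID the PKCS#7 blob contains; the sample bytes used to exercise it are constructed, and the .xz handling is an assumption for installations where dkms compresses modules.

```python
import lzma
import struct
import sys

# Constants from the kernel's include/linux/module_signature.h and scripts/sign-file.c
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
# DER-encoded digest OIDs searched for inside the PKCS#7 blob (heuristic, not a CMS parser)
DIGEST_OIDS = {
    b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01": "sha256",
    b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x03": "sha512",
}

def inspect_module(data: bytes) -> dict:
    """Describe the sign-file trailer of a module image, or say why it is absent."""
    if not data.endswith(MODULE_SIG_STRING):
        return {"signed": False, "reason": "no signature trailer"}
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        return {"signed": False, "reason": "truncated trailer"}
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    if id_type != PKEY_ID_PKCS7 or signer_len or key_id_len:
        return {"signed": False, "reason": "not a PKCS#7 (sign-file) trailer"}
    payload = body[:-SIG_HDR.size]  # module bytes followed by the PKCS#7 blob
    if sig_len > len(payload):
        return {"signed": False, "reason": "sig_len exceeds file size"}
    pkcs7 = payload[len(payload) - sig_len:]
    digest = next((name for oid, name in DIGEST_OIDS.items() if oid in pkcs7), "unknown")
    return {"signed": True, "sig_len": sig_len, "digest": digest,
            "module_len": len(payload) - sig_len}

def build_sample(module: bytes, pkcs7: bytes) -> bytes:
    """Append a sign-file style trailer to constructed bytes (test input only)."""
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return module + pkcs7 + hdr + MODULE_SIG_STRING

def read_module(path: str) -> bytes:
    """Read a .ko, transparently decompressing .ko.xz (assumption: xz-compressed modules)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return lzma.decompress(raw) if path.endswith(".xz") else raw

if __name__ == "__main__":
    # Usage: python3 check_modsig.py /lib/modules/$(uname -r)/updates/dkms/*.ko*
    for p in sys.argv[1:]:
        print(p, inspect_module(read_module(p)))
```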
--- usr/sbin/dkms 2022-09-07 12:27:13.000000000 +0200
+++ /usr/sbin/dkms 2022-09-12 21:43:27.006384862 +0200
@@ -897,14 +897,14 @@
echo "Public certificate (MOK): $mok_certificate"
case "$running_distribution" in
- debian* | ubuntu* )
+ ubuntu* )
- if [[ -x "$(command -v kmodsign)" ]]; then
- echo "Binary kmod-sign not found, modules won't be signed"
+ if [[ ! -x "$(command -v kmodsign)" ]]; then
+ echo "Binary kmodsign not found, modules won't be signed"
return
fi
- if [[ -x "$(command -v update-secureboot-policy)" ]]; then
+ if [[ ! -x "$(command -v update-secureboot-policy)" ]]; then
echo "Binary update-secureboot-policy not found, modules won't
be signed"
return
fi
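Review bot: the inverted tests are the actual bug and the fix is correct: command -v prints nothing when the binary is absent, so the old "if [[ -x "$(command -v kmodsign)" ]]" only printed the "not found" message when the tool was present and then returned without signing; adding "!" restores the intended behaviour, and the message text is also corrected from "kmod-sign" to "kmodsign". One style point: with "debian*" removed from this arm, Debian hosts no longer reach the kmodsign and update-secureboot-policy checks at all, which is the intent of the report but deserves a changelog line, and the "modules won't be signed" wording here should match the singular "module won't be signed" used in the new debian arm.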
@@ -917,6 +917,33 @@
fi
;;
+ debian* )
+
+ if [[ ! -f "${sign_file}" || ! -x "${sign_file}" ]]; then
+ echo "Binary sign-file not found, module won't be signed"
+ return
+ fi
+
+ if [[ ! -x "$(command -v update-secureboot-policy)" ]]; then
+ echo "Binary update-secureboot-policy not found, modules won't
be signed"
+ return
+ fi
+
+ do_signing=1
+
+ if [[ "$sb_state" == "SecureBoot is enabled" ]]; then
+ if [[ ( ! -f $mok_signing_key && ! "$mok_signing_key" == *":"*
) || ! -f $mok_certificate ]]; then
+ echo "Certificate or key are missing, generating self
signed certificate for MOK..."
+ openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS
module signing key" \
+ -newkey rsa:2048 -keyout $mok_signing_key \
+ -outform DER -out $mok_certificate > /dev/null 2>&1
+ openssl x509 -in $mok_certificate -out
/var/lib/dkms/mok.der -outform DER
+ mokutil --import /var/lib/dkms/mok.der
+ rm /var/lib/dkms/mok.der
+ fi
+ fi
+
+ ;;
*)
if [[ ! -f "${sign_file}" || ! -x "${sign_file}" ]]; then
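Review bot: do_signing=1 is set before the key material exists, and none of the openssl or mokutil commands has its exit status checked (the openssl req call even discards stderr with "> /dev/null 2>&1"), so a failed key generation leaves do_signing set and the later sign-file call fails on a missing key; suggest moving do_signing=1 after the if-block and returning from the function when "openssl req ..." fails. The conversion "openssl x509 -in $mok_certificate -out /var/lib/dkms/mok.der -outform DER" reads a file the previous command already wrote in DER but passes no -inform DER, so it relies on OpenSSL 3 format auto-detection (older releases expect PEM and fail); since the certificate is already DER, "mokutil --import $mok_certificate" needs no conversion at all. mokutil --import prompts interactively for a MOK password and the enrolment completes only at the next reboot, and as the report itself notes it is run even when the key is already enrolled, so guard it with "mokutil --test-key" and do not run it from a non-interactive build. Finally, $mok_signing_key and $mok_certificate are unquoted in the openssl arguments and should be double-quoted as elsewhere in the script.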
@@ -924,7 +951,7 @@
return
fi
- if ( [ ! -f $mok_signing_key ] && [[ ! "$mok_signing_key" == *":"*
]] ) || [ ! -f $mok_certificate ]; then
+ if [[ ( ! -f $mok_signing_key && ! "$mok_signing_key" == *":"* )
|| ! -f $mok_certificate ]]; then
echo "Certificate or key are missing, generating self signed
certificate for MOK..."
openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS
module signing key" \
-newkey rsa:2048 -keyout $mok_signing_key \
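Review bot: the rewritten condition is behaviour-preserving: inside [[ ]] the unquoted $mok_signing_key is not word-split, and *":"* is still a pattern match, so the only change is dropping the mixed "( [ ] && [[ ]] ) || [ ]" form, which is an improvement. Since the same line now appears verbatim in the new debian arm of the previous hunk, consider moving the key/certificate existence test into a small helper function so the two copies cannot drift apart.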
@@ -1051,11 +1078,11 @@
if [ -n "${do_signing}" ]; then
echo "Signing module $built_module"
case "$running_distribution" in
- debian* | ubuntu* )
+ ubuntu* )
kmodsign sha512 $mok_signing_key $mok_certificate
"$built_module"
;;
*)
- eval '"$sign_file" sha512 "$mok_signing_key"
"$mok_certificate" "$built_module"'
+ "$sign_file" sha512 "$mok_signing_key" "$mok_certificate"
"$built_module"
;;
esac
fi
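Review bot: dropping the eval is a safe simplification rather than a behaviour change: the single-quoted string contained only double-quoted expansions, so eval parsed it exactly as the direct command "$sign_file" sha512 "$mok_signing_key" "$mok_certificate" "$built_module" is parsed now, and each path is still passed as one argument. For consistency the ubuntu arm just above still invokes "kmodsign sha512 $mok_signing_key $mok_certificate" with unquoted variables and should quote them the same way. Because debian* was removed from that arm, Debian now depends entirely on $sign_file resolving to the scripts/sign-file of the target kernel's headers package; that resolution is not visible in this patch, so confirm it is set before this point for every kernel dkms builds against, not only the running one.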