On Thu, 27 Oct 2022 20:31:47 +0200, Maurizio Avogadro <mav...@gmail.com> 
wrote:
> Hi Siddh
> 
> since dkms is supposed to run as root, it's not clear to me which keyring is 
> the signing key passphrase going to be stored to. I definitely wouldn't 
> recommend running Gnome/KDE keyrings as root, and user keyrings seem to be 
> unreachable via D-bus in a console where root has been gained with su 
I used libsecret (which is used as backend by the Python program named keyring),
with the keyring being stored as root (it isn't visible outside root in Seahorse).
Can you tell why that may be a bad idea?

Anyways, the main point was that one can use a bash script. The keyring usage
was just a personal config choice for convenience, one can use other methods
for getting the passphrase from the user.

> BTW, by adding a configuration snippet in /etc/dkms/framework.conf.d/ 
> containing
> 
> export KBUILD_SIGN_PIN='my_mok_key_pin'
> 
> (permissions 600 recommended) seems to work 

I wouldn't really want to store the password in plaintext...

> (given the kernel you are running 
> is configured to use the SHA512 hash algorithm; official Debian kernels use 
> SHA256 [1]).

I didn't know that, thanks.

> We also have to face the problem that only official Debian kernels store the 
> sign-file executable in
> 
> /usr/lib/linux-kbuild-${kernelver%.*}/scripts/
> 
> where dkms looks in Debian: Xanmod and Liquorix for example store this file in
> 
> /usr/src/linux-headers-${kernelver}/scripts/
> 
> but this path can't be easily changed in current dkms version (v3.0.6-4) 
> because the $kernelver variable isn't available when sourcing the configuration
> files; dkms in current master tree fixed this issue by adding a fallback to
> 
> /lib/modules/${kernelver}/build/scripts/
> 
> in distro detection code, which makes signing work with any kernel I could
> test till now.

What I pointed out was setting sign_file to a bash script. It would solve this
issue too, as the correct path to the actual sign_file binary could be used in
the bash script / handler. dkms would call the bash script with its arguments,
and the script would call the correct binary (passing the arguments to it), as
the $kernelver variable would be available to the script.

Also, v3.0.6-4 seems to have the fallback you mentioned. Refer:
https://salsa.debian.org/debian/dkms/-/blob/debian/3.0.6-4/dkms.in#L870

Thanks,
Siddh
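An added example of the sign_file handler idea described in this reply (not code from the thread or from the dkms project): a POSIX sh wrapper that resolves the real sign-file from the candidate directories named in the thread using $kernelver, then execs it with dkms's arguments passed through. The install path /usr/local/sbin/dkms-sign-file and the function names are assumptions; how the passphrase reaches KBUILD_SIGN_PIN is left to the handler, as the reply says.

```shell
#!/bin/sh
# Hypothetical sign_file handler for dkms (example code, not from the thread
# or the dkms project). Assumed setup: install as /usr/local/sbin/dkms-sign-file
# and set sign_file="/usr/local/sbin/dkms-sign-file" in a snippet under
# /etc/dkms/framework.conf.d/. dkms then runs it as root with the usual
# sign-file arguments (<hash-algo> <private-key> <x509-cert> <module.ko>)
# and, as discussed in the thread, with $kernelver set for the target kernel.

# Print the candidate scripts/ directories for kernel version $1, in the
# order discussed in the thread: Debian's linux-kbuild package, the
# linux-headers tree used by Xanmod/Liquorix, then the /lib/modules build link.
candidate_dirs() {
    kv="$1"
    printf '%s\n' \
        "/usr/lib/linux-kbuild-${kv%.*}/scripts" \
        "/usr/src/linux-headers-${kv}/scripts" \
        "/lib/modules/${kv}/build/scripts"
}

# Read candidate directories from stdin (one per line) and print the first
# one that contains an executable sign-file; return 1 if none does.
find_sign_file() {
    while IFS= read -r dir; do
        if [ -x "$dir/sign-file" ]; then
            printf '%s\n' "$dir/sign-file"
            return 0
        fi
    done
    return 1
}

# Entry point: only act when invoked by dkms, i.e. with arguments and with
# $kernelver exported. The MOK key passphrase is expected in KBUILD_SIGN_PIN,
# which sign-file reads itself; fetching it (keyring lookup, prompt, ...)
# belongs here, before the exec, and is deliberately not hard-coded.
if [ "$#" -ge 1 ] && [ -n "${kernelver:-}" ]; then
    bin=$(candidate_dirs "$kernelver" | find_sign_file) || {
        echo "dkms-sign-file: no sign-file found for kernel $kernelver" >&2
        exit 1
    }
    exec "$bin" "$@"
fi
```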
