Hello Mathieu, or anyone else affected, Accepted dkms into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/2.2.0.3-2ubuntu11.6 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: dkms (Ubuntu Xenial) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-xenial -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to dkms in Ubuntu. https://bugs.launchpad.net/bugs/1748983 Title: Generate per-machine MOK for dkms signing Status in dkms package in Ubuntu: Fix Released Status in shim-signed package in Ubuntu: Fix Released Status in dkms source package in Xenial: Fix Committed Status in shim-signed source package in Xenial: Fix Committed Bug description: [SRU Justification] Move to using self-signed keys for signing DKMS modules, along with the wizard / guide to make this work properly, to let third-party modules be signed and loaded by enforcing kernels, rather than disabling Secure Boot altogether. [Test case] 1) Install Ubuntu in UEFI mode. 2) Install bbswitch-dkms (or another -dkms package if useful on your system). 3) Follow the steps in the debconf prompts (enter a password, remember the password for next boot). 4) Reboot; follow the steps in MokManagerL 4a) Pick Enroll MOK: add the new key, enter the password when prompted to do so. 4b) If a dkms package was previously installed on the system (so Secure Boot is currently disabled in shim), pick "Change Secure Boot state". Follow the prompts to enter password characters. The option will only show up if Secure Boot validation was found to be disabled. 5) Pick "Reboot". 6) Log in and verify that the dkms module is loaded, using "lsmod | grep <module>". 7) Run 'modprobe <module>' to validate that the module can be loaded explicilty. 8) Validate that there are no errors from modprobe or errors in dmesg concerning signing keys. [Regression potential] If anything currently relies on Secure Boot validation being disabled in order to correctly run with an enforcing kernel, or grub is used in enforcing mode, custom / third-party kernels and modules may fail to load. --- shim-signed's update-secureboot-policy should allow creating a machine-owner key, and using this for signing kernel modules built via DKMS. Key generation and enrolling should be made as easy as possible for users. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dkms/+bug/1748983/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
