Package: dkms
Version: 3.0.6-2
Followup-For: Bug #1019425
Control: tags -1 patch
  The dkms script has several flaws that prevent module signing:
- Debian, contrary to Ubuntu, does not have kmodsign;
  sign-file from the kernel should be used directly
- the script logic was wrong: `if [[ -x "$(command -v XXX)" ]]; then XXX missing; fi`
  is the reverse of what is intended
- Debian's update-secureboot-policy does not accept/use the --new-key and
  --enroll-key options (contrary to Ubuntu's?)

  So, here is the patch I applied to dkms on my system in order to get module 
signing back.

Note that:
- the part of the patch that generates and enrolls the key should be carefully
  checked (I already have keys, so I did not test this part of the patch)
  Perhaps "mokutil --import KEY" should only be run after checking that the key is
  not already enrolled
- on upgrade, if a user previously did module signing with their own
  sign_tool/sign_helper.sh, the key is not necessarily in the default expected
  place (/var/lib/dkms)
- perhaps it would be better in Debian to put the key by default in
  /etc/dkms/keys/ instead of /var/lib/dkms/ (the current default set in the
  dkms script)

  Regards
    Vincent


-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), 
(500, 'oldstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel

Kernel: Linux 5.18.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dkms depends on:
ii  build-essential        12.9
ii  clang-11 [c-compiler]  1:11.1.0-6+b2
ii  clang-13 [c-compiler]  1:13.0.1-7
ii  clang-14 [c-compiler]  1:14.0.6-2
ii  clang-9 [c-compiler]   1:9.0.1-20+b1
ii  dctrl-tools            2.24-3+b1
ii  dh-dkms                3.0.6-2
ii  dpkg-dev               1.21.9
ii  gcc [c-compiler]       4:12.2.0-1
ii  gcc-10 [c-compiler]    10.4.0-5
ii  gcc-11 [c-compiler]    11.3.0-6
ii  gcc-12 [c-compiler]    12.2.0-2
ii  gcc-9 [c-compiler]     9.5.0-2
ii  kmod                   30+20220630-3
ii  lsb-release            11.2
ii  make                   4.3-4.1
ii  patch                  2.7.6-7

Versions of packages dkms recommends:
ii  fakeroot                                     1.29-1
ii  linux-headers-amd64 [linux-headers-generic]  5.19.6-1
ii  sudo                                         1.9.11p3-1

Versions of packages dkms suggests:
ii  e2fsprogs  1.46.5-2
ii  menu       2.1.49

-- no debconf information
--- usr/sbin/dkms       2022-09-07 12:27:13.000000000 +0200
+++ /usr/sbin/dkms      2022-09-12 21:43:27.006384862 +0200
@@ -897,14 +897,14 @@
     echo "Public certificate (MOK): $mok_certificate"
 
     case "$running_distribution" in
-        debian* | ubuntu* )
+        ubuntu* )
 
-            if [[ -x "$(command -v kmodsign)" ]]; then
-                echo "Binary kmod-sign not found, modules won't be signed"
+            if [[ ! -x "$(command -v kmodsign)" ]]; then
+                echo "Binary kmodsign not found, modules won't be signed"
                 return
             fi
 
-            if [[ -x "$(command -v update-secureboot-policy)" ]]; then
+            if [[ ! -x "$(command -v update-secureboot-policy)" ]]; then
                 echo "Binary update-secureboot-policy not found, modules won't 
be signed"
                 return
             fi
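Review bot: The two corrected conditions (`! -x "$(command -v kmodsign)"` and the same for update-secureboot-policy) are now the right way round, but they still rely on `command -v` printing a path: for a shell function or alias it prints a bare name, `-x` is false, and the tool would be reported as missing. A direct `if ! command -v kmodsign >/dev/null 2>&1; then` states the intent and avoids the substitution. The enclosing function and its `case` start before this hunk.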
@@ -917,6 +917,33 @@
             fi
 
             ;;
+        debian* )
+
+            if [[ ! -f "${sign_file}" || ! -x "${sign_file}" ]]; then
+                echo "Binary sign-file not found, module won't be signed"
+                return
+            fi
+
+            if [[ ! -x "$(command -v update-secureboot-policy)" ]]; then
+                echo "Binary update-secureboot-policy not found, modules won't 
be signed"
+                return
+            fi
+
+            do_signing=1
+
+            if [[ "$sb_state" == "SecureBoot is enabled" ]]; then
+                if [[ ( ! -f $mok_signing_key && ! "$mok_signing_key" == *":"* 
) || ! -f $mok_certificate ]]; then
+                    echo "Certificate or key are missing, generating self 
signed certificate for MOK..."
+                    openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS 
module signing key" \
+                        -newkey rsa:2048 -keyout $mok_signing_key \
+                        -outform DER -out $mok_certificate > /dev/null 2>&1
+                   openssl x509 -in $mok_certificate -out 
/var/lib/dkms/mok.der -outform DER
+                   mokutil --import /var/lib/dkms/mok.der
+                   rm /var/lib/dkms/mok.der
+                fi
+            fi
+
+            ;;
         *)
 
             if [[ ! -f "${sign_file}" || ! -x "${sign_file}" ]]; then
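Review bot: In the new `debian*` arm the key-generation block writes the MOK private key with `-nodes` (unencrypted) under whatever umask the caller has, and then calls `mokutil --import`, which prompts for a one-time password on the terminal, so a non-interactive dkms run cannot complete this step and a repeated run re-queues an enrolment that may already exist. The `openssl x509 … -outform DER` conversion is also redundant: `openssl req … -outform DER -out $mok_certificate` on the preceding line already writes DER, so the conversion reads a DER file with the default PEM input format (OpenSSL 3 appears to auto-detect this, older releases would fail), and `mokutil --import "$mok_certificate"` can take the certificate directly. `$mok_signing_key`/`$mok_certificate` are unquoted in the openssl arguments (inside `[[ ]]` that is harmless, on the command line it word-splits), the last three added lines are indented one column short of the rest of the block, and the whole block duplicates the `*)` arm that follows it. The sketch below restricts the key's permissions, quotes the paths and checks enrolment first; the exit-status convention of `mokutil --test-key` should be confirmed against the packaged mokutil. The enclosing function starts before this hunk.
```shell
            if [[ "$sb_state" == "SecureBoot is enabled" ]]; then
                if [[ ( ! -f $mok_signing_key && ! "$mok_signing_key" == *":"* ) || ! -f $mok_certificate ]]; then
                    echo "Certificate or key are missing, generating self signed certificate for MOK..."
                    # -nodes leaves the private key unencrypted: create it root-only
                    ( umask 077 && openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS module signing key" \
                        -newkey rsa:2048 -keyout "$mok_signing_key" \
                        -outform DER -out "$mok_certificate" > /dev/null 2>&1 )
                    # the certificate is already DER; enrol it only if not yet present
                    # (TODO confirm --test-key exits 0 when the key is enrolled)
                    if ! mokutil --test-key "$mok_certificate" >/dev/null 2>&1; then
                        mokutil --import "$mok_certificate"
                    fi
                fi
            fi
```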
@@ -924,7 +951,7 @@
                 return
             fi
 
-            if ( [ ! -f $mok_signing_key ] && [[ ! "$mok_signing_key" == *":"* 
]] ) || [ ! -f $mok_certificate ]; then
+            if [[ ( ! -f $mok_signing_key && ! "$mok_signing_key" == *":"* ) 
|| ! -f $mok_certificate ]]; then
                 echo "Certificate or key are missing, generating self signed 
certificate for MOK..."
                 openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS 
module signing key" \
                     -newkey rsa:2048 -keyout $mok_signing_key \
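Review bot: The rewritten condition is hard to read without knowing why a key value containing ':' is exempt from the `-f` test; a one-line comment above it such as `# a key spec containing ':' is not a file path (presumably a PKCS#11 URI — TODO confirm); only a plain path must exist on disk` would document the contract. The same condition is copied into the new `debian*` arm of the previous hunk, so the comment belongs in both places. The enclosing function starts before this hunk and its key-generation command continues after it.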
@@ -1051,11 +1078,11 @@
         if [ -n "${do_signing}" ]; then
             echo "Signing module $built_module"
             case "$running_distribution" in
-                debian* | ubuntu* )
+                ubuntu* )
                     kmodsign sha512 $mok_signing_key $mok_certificate 
"$built_module"
                     ;;
                 *)
-                    eval '"$sign_file" sha512 "$mok_signing_key" 
"$mok_certificate" "$built_module"'
+                    "$sign_file" sha512 "$mok_signing_key" "$mok_certificate" 
"$built_module"
                     ;;
             esac
         fi
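Review bot: The new `*)` arm drops the `eval`, which is the right fix, but neither arm checks the exit status of the signing command, so a failing sign-file (missing or unreadable key, bad certificate) leaves the module unsigned while the build carries on as if signing had succeeded; change the new line to `"$sign_file" sha512 "$mok_signing_key" "$mok_certificate" "$built_module" || echo "Signing of $built_module failed" >&2`. The `ubuntu*` arm, a context line here, still passes `$mok_signing_key $mok_certificate` unquoted while the new line quotes them, so quoting both would be consistent. The `if`/`case` sits inside a function that starts before this hunk.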
