Package: dkms
Version: 3.0.6-2
Followup-For: Bug #1019425
Control: tags -1 patch
The dkms script has several flaws that forbid module signing:

- Debian, contrary to Ubuntu, does not have kmodsign; sign-file from the kernel should be used directly
- the script logic was wrong (if [[ -x "$(command -v XXX)" ]]; then XXX missing; fi => this is the reverse)
- the Debian update-secureboot-policy does not accept/use the --new-key and --enroll-key options (contrary to Ubuntu?)

So, here is the patch I applied to dkms on my system in order to get module signing back.

Note that:

- the part of the patch that generates and enrolls the key should be carefully checked (I already have keys, so I did not test this part of the patch). Perhaps "mokutil --import KEY" should be run after checking that the key is not already enrolled
- on upgrade, if a user previously did module signing with their own sign_tool/sign_helper.sh, the key is not necessarily at the default expected place (/var/lib/dkms)
- perhaps it would be better in Debian to put the key by default in /etc/dkms/keys/ instead of /var/lib/dkms/ (the current default set in the dkms script)

Regards
Vincent

-- System Information:
Debian Release: bookworm/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel, mipsel

Kernel: Linux 5.18.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dkms depends on:
ii  build-essential                   12.9
ii  clang-11 [c-compiler]             1:11.1.0-6+b2
ii  clang-13 [c-compiler]             1:13.0.1-7
ii  clang-14 [c-compiler]             1:14.0.6-2
ii  clang-9 [c-compiler]              1:9.0.1-20+b1
ii  dctrl-tools                       2.24-3+b1
ii  dh-dkms                           3.0.6-2
ii  dpkg-dev                          1.21.9
ii  gcc [c-compiler]                  4:12.2.0-1
ii  gcc-10 [c-compiler]               10.4.0-5
ii  gcc-11 [c-compiler]               11.3.0-6
ii  gcc-12 [c-compiler]               12.2.0-2
ii  gcc-9 [c-compiler]                9.5.0-2
ii  kmod                              30+20220630-3
ii  lsb-release                       11.2
ii  make                              4.3-4.1
ii  patch                             2.7.6-7

Versions of packages dkms recommends:
ii  fakeroot                                        1.29-1
ii  linux-headers-amd64 [linux-headers-generic]     5.19.6-1
ii  sudo                                            1.9.11p3-1

Versions of packages dkms suggests:
ii  e2fsprogs  1.46.5-2
ii  menu       2.1.49

-- no debconf information
--- usr/sbin/dkms 2022-09-07 12:27:13.000000000 +0200 +++ /usr/sbin/dkms 2022-09-12 21:43:27.006384862 +0200 @@ -897,14 +897,14 @@ echo "Public certificate (MOK): $mok_certificate" case "$running_distribution" in - debian* | ubuntu* ) + ubuntu* ) - if [[ -x "$(command -v kmodsign)" ]]; then - echo "Binary kmod-sign not found, modules won't be signed" + if [[ ! -x "$(command -v kmodsign)" ]]; then + echo "Binary kmodsign not found, modules won't be signed" return fi - if [[ -x "$(command -v update-secureboot-policy)" ]]; then + if [[ ! -x "$(command -v update-secureboot-policy)" ]]; then echo "Binary update-secureboot-policy not found, modules won't be signed" return fi @@ -917,6 +917,33 @@ fi ;; + debian* ) + + if [[ ! -f "${sign_file}" || ! -x "${sign_file}" ]]; then + echo "Binary sign-file not found, module won't be signed" + return + fi + + if [[ ! -x "$(command -v update-secureboot-policy)" ]]; then + echo "Binary update-secureboot-policy not found, modules won't be signed" + return + fi + + do_signing=1 + + if [[ "$sb_state" == "SecureBoot is enabled" ]]; then + if [[ ( ! -f $mok_signing_key && ! "$mok_signing_key" == *":"* ) || ! -f $mok_certificate ]]; then + echo "Certificate or key are missing, generating self signed certificate for MOK..." + openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS module signing key" \ + -newkey rsa:2048 -keyout $mok_signing_key \ + -outform DER -out $mok_certificate > /dev/null 2>&1 + openssl x509 -in $mok_certificate -out /var/lib/dkms/mok.der -outform DER + mokutil --import /var/lib/dkms/mok.der + rm /var/lib/dkms/mok.der + fi + fi + + ;; *) if [[ ! -f "${sign_file}" || ! -x "${sign_file}" ]]; then 
@@ -924,7 +951,7 @@ return fi - if ( [ ! -f $mok_signing_key ] && [[ ! "$mok_signing_key" == *":"* ]] ) || [ ! -f $mok_certificate ]; then + if [[ ( ! -f $mok_signing_key && ! "$mok_signing_key" == *":"* ) || ! -f $mok_certificate ]]; then echo "Certificate or key are missing, generating self signed certificate for MOK..." openssl req -new -x509 -nodes -days 36500 -subj "/CN=DKMS module signing key" \ -newkey rsa:2048 -keyout $mok_signing_key \ @@ -1051,11 +1078,11 @@ if [ -n "${do_signing}" ]; then echo "Signing module $built_module" case "$running_distribution" in - debian* | ubuntu* ) + ubuntu* ) kmodsign sha512 $mok_signing_key $mok_certificate "$built_module" ;; *) - eval '"$sign_file" sha512 "$mok_signing_key" "$mok_certificate" "$built_module"' + "$sign_file" sha512 "$mok_signing_key" "$mok_certificate" "$built_module" ;; esac fi
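Review bot: in the @@ -897,14 hunk the reversed tests now fail closed as intended, but `[[ ! -x "$(command -v kmodsign)" ]]` only works because `-x ""` happens to be false; `if ! command -v kmodsign >/dev/null 2>&1; then` states the intent directly and avoids the empty-string subtlety (same for the `update-secureboot-policy` test just below it). Also, the diff header pairs `usr/sbin/dkms` with `/usr/sbin/dkms`, so `-p0` and `-p1` disagree on the target; please regenerate the patch against the source tree rather than the installed file before it is applied to the package.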
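Review bot: in the new `debian*` arm (@@ -917,6 hunk) the `openssl x509 -in $mok_certificate -out /var/lib/dkms/mok.der -outform DER` step is redundant: `$mok_certificate` was written with `-outform DER` two lines earlier (and if the conversion is kept it needs an explicit `-inform DER`), so `mokutil --import "$mok_certificate"` can be called directly, which also removes the hard-coded `/var/lib/dkms/mok.der` temp file and its `rm`. Since the report says this path is untested, guard the import with `mokutil --test-key "$mok_certificate"` so a re-run does not queue a second enrolment request. The arm also requires `update-secureboot-policy` but never calls it, so a Debian system without that binary is refused signing for no reason; drop that test here. Finally, quote `$mok_signing_key` and `$mok_certificate` in the `openssl` arguments the way `"${sign_file}"` is quoted above them.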
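Review bot: the @@ -924,7 hunk is a behaviour-preserving rewrite of the key/certificate test into a single `[[ ... ]]` (no subshell, and the unquoted `$mok_signing_key` is no longer word-split as it was inside `[ ]`), but it is unrelated to the signing breakage and the same "Certificate or key are missing" block now also exists verbatim in the new `debian*` arm. Factor the self-signed MOK generation into one function called from both arms, or at least keep this cleanup as a separate patch so the bug fix stays reviewable.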
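Review bot: in the @@ -1051,11 hunk, removing the `eval` is a safe simplification rather than a behaviour change: the single-quoted string was expanded exactly once by `eval`, with each variable inside double quotes, so the direct `"$sign_file" sha512 "$mok_signing_key" "$mok_certificate" "$built_module"` call passes the same arguments. The `kmodsign sha512 $mok_signing_key $mok_certificate "$built_module"` line in the `ubuntu*` arm still leaves the two paths unquoted; quote them the same way for consistency.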
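The two points the report raises in prose, the inverted "is this command present?" test and running `mokutil --import` only after checking that the key is not already enrolled, as an added example that is not part of the report, the patch or the dkms script. It assumes `mokutil --test-key` exits 0 when the DER certificate is already enrolled and non-zero otherwise; `MOKUTIL` is an assumed override so the logic can be exercised without a real mokutil.

```shell
#!/bin/sh
# Added example (not from the dkms script or the bug report).

# Return 0 if the named command exists and is executable, 1 otherwise.
# Note the sense of the test: dkms printed "not found" when the test
# succeeded, which is the inversion the report describes.
have_cmd() {
    [ -x "$(command -v "$1" 2>/dev/null)" ]
}

# Queue a DER certificate for MOK enrolment only if it is not already
# enrolled.  Prints "already-enrolled" or "import-requested".
# MOKUTIL (assumed, for testing) defaults to the real mokutil binary.
enroll_mok_if_needed() {
    cert=$1
    mokutil=${MOKUTIL:-mokutil}
    if [ ! -f "$cert" ]; then
        echo "certificate $cert not found" >&2
        return 2
    fi
    # Assumption: --test-key exits 0 when the certificate is enrolled.
    if "$mokutil" --test-key "$cert" >/dev/null 2>&1; then
        echo "already-enrolled"
        return 0
    fi
    # Not enrolled: mokutil asks for a one-time password here and the
    # enrolment is confirmed by MokManager at the next boot.
    "$mokutil" --import "$cert" && echo "import-requested"
}

# Usage: ./mok-enroll.sh /var/lib/dkms/mok.pub
[ $# -eq 0 ] || enroll_mok_if_needed "$1"
```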