Package: dkms
Version: 3.0.6-4
Severity: normal

Dear Maintainer,

I'm a big fan of not having to ship
  https://github.com/nabijaczleweli/babfig/blob/20f1d88f34ba31b3be0410df5e0d726d5ac0b4da/secureboot/usr-local-libexec-dkms-sign-helper
and
  sign_tool="/usr/local/libexec/dkms-sign-helper"
in framework.conf.

However, this is both undocumented in the NEWS /and/ this setup is broken if you need to supply $KBUILD_SIGN_PIN to sign-file. It doesn't help that none of this is at all documented in dkms(8), either.

This is additionally exacerbated by this yielding a cascade of weird Perl backtraces in the apt log and the installation continuing until dracut explodes because it wants modules that don't exist. I pity the user who doesn't need those modules for booting, or wasn't glued to the apt upgrade output.

I have successfully managed to fix this by injecting this in framework.conf.d:
-- >8 --
{
	[ -r /root/secureboot/creds.sh ] && . /root/secureboot/creds.sh
	[ -z "$KBUILD_SIGN_PIN" ] && read -rp 'DB certificate password: ' KBUILD_SIGN_PIN
	export KBUILD_SIGN_PIN
} < "/dev/tty" > "/dev/tty" 2>&1
-- >8 --

Of course, this prompts (non-root users, or all users if you don't have creds.sh committed to disk) for all dkms invocations, and defeats the façade of a "config file" by just injecting random code, but I've verified that it does indeed work.

So please:
  * note in the new shipped framework.conf that it will use no passphrase by default
  * add NEWS that explain this transition
  * add a work-around to NEWS for users that do need/use/require provisions for $KBUILD_SIGN_PIN

Thanks,
наб

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dkms depends on:
ii  build-essential        12.9
ii  clang-13 [c-compiler]  1:13.0.1-7
ii  clang-14 [c-compiler]  1:14.0.6-7
ii  dctrl-tools            2.24-3+b1
ii  dh-dkms                3.0.6-4
ii  dpkg-dev               1.21.9
ii  gcc [c-compiler]       4:12.2.0-1
ii  gcc-10 [c-compiler]    10.4.0-5
ii  gcc-11 [c-compiler]    11.3.0-8
ii  gcc-12 [c-compiler]    12.2.0-7
ii  kmod                   30+20220905-1
ii  lsb-release            12.0-1
ii  make                   4.3-4.1
ii  patch                  2.7.6-7

Versions of packages dkms recommends:
ii  fakeroot                                      1.29-1
hi  linux-headers-amd64 [linux-headers-generic]  5.18.5-1
ii  sudo                                          1.9.11p3-2

Versions of packages dkms suggests:
ii  e2fsprogs  1.46.6~rc1-1+b1
pn  menu       <none>

-- Configuration Files:
/etc/dkms/framework.conf changed:
mok_signing_key=/root/secureboot/db.key
mok_certificate=/root/secureboot/db.der

-- no debconf information
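
Added example, not part of the original report and not dkms's own code: a variant of the framework.conf.d workaround that refuses a credentials file readable by group or other and prompts only when a terminal can actually be opened. It assumes, as the report's workaround does, that framework.conf.d files are sourced as shell; the function name load_sign_pin and its two path arguments are hypothetical.

```sh
# Added example (not from the report or from dkms). load_sign_pin and its
# arguments are hypothetical; defaults are the paths used in the report.
#   $1 = credentials file   $2 = terminal device to prompt on
# Uses "stat -c", which is GNU coreutils syntax.
load_sign_pin() {
    _pin_creds=${1:-/root/secureboot/creds.sh}
    _pin_tty=${2:-/dev/tty}

    # A PIN already in the environment wins: no file access, no prompt.
    if [ -z "${KBUILD_SIGN_PIN:-}" ] && [ -r "$_pin_creds" ]; then
        # Source the file only if it is ours and closed to group/other.
        _pin_mode=$(stat -c %a "$_pin_creds")
        _pin_owner=$(stat -c %u "$_pin_creds")
        case $_pin_mode in
        ?00)
            if [ "$_pin_owner" = "$(id -u)" ]; then
                . "$_pin_creds"
            else
                echo "dkms: ignoring $_pin_creds (owner uid $_pin_owner)" >&2
            fi ;;
        *)
            echo "dkms: ignoring $_pin_creds (mode $_pin_mode)" >&2 ;;
        esac
    fi

    # Prompt only if the terminal can actually be opened, so unattended
    # runs fail here instead of blocking on a read that nobody answers.
    if [ -z "${KBUILD_SIGN_PIN:-}" ] && [ -c "$_pin_tty" ] &&
        ( : <"$_pin_tty" ) 2>/dev/null; then
        printf 'DB certificate password: ' >"$_pin_tty"
        stty -echo <"$_pin_tty"    # keep the PIN off the screen
        IFS= read -r KBUILD_SIGN_PIN <"$_pin_tty" || KBUILD_SIGN_PIN=
        stty echo <"$_pin_tty"
        printf '\n' >"$_pin_tty"
    fi

    # Non-zero status tells the caller that signing cannot work.
    [ -n "${KBUILD_SIGN_PIN:-}" ] || return 1
    export KBUILD_SIGN_PIN
}
```

A drop-in would define the function and then call load_sign_pin once; its exit status says whether $KBUILD_SIGN_PIN is available to sign-file.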

