Hi,
On 12/6/23 07:11, Andreas Beckmann wrote:
it would be cool to have a command to run all installed modules through
the signing process again, for example after changes to the MOK, or
simply because the signing key was unavailable during installation of a
module.
Would it be sufficient if
dpkg-reconfigure linux-headers-6.5.0-5-amd64
would rebuild, resign and reinstall all dkms modules currently installed
for linux-image-6.5.0-5-amd64?
For the most part, "dpkg-reconfigure linux-image-6.5.0-5-amd64" already
works, but it'd be great to have a front-end command in dkms directly,
because that's something easy to tell users.
There are a few problems with the current implementation:
- if the MOK is passphrase protected, and the passphrase is
unavailable, installation succeeds and is never reattempted, even though
the resulting modules cannot be loaded.
- to understand when the passphrase is needed, you need to understand
how the kernel works, so it's not something easily explained to end users.
- the only "safe" approach is to always provide the passphrase for
every apt invocation, which is 面倒くさい.
Having a single entry point for "I am not sure all modules are properly
signed with the current MOK, please fix" would be great, because it can
at least provide a path to repairing an installation that doesn't
require users to find out which kernel they are running.
Longer term, we probably also need a mechanism to know *before* an
action whether the MOK is going to be needed, and a fallback if it is
not available -- a dbus interface to interactively ask on-demand would
solve the problem for desktop users, but is likely difficult to use for
server operation.
In either case if the passphrase is unavailable at this point, the
system might be in a state that the user cannot easily recover from if
they were to reboot now. This is made worse by the nV drivers that
occasionally kill the X server during upgrades, so we're losing the user
session at this point.
None of these can be fixed without larger changes though -- hence a
"limited scope" wishlist bug for a "dkms sign" or similar command that
will go through all installed modules (for all kernels) and make sure
they have a signature with the currently installed MOK. It would also be
nice to have a line in the post-installation summary report and/or a
command that indicates via exit status if rebooting is currently safe.
Simon
