On 24/09/2023 15.01, Bastian Blank wrote:
> ## Kernel modules will be signed with an ephemeral key
> The modules will no longer be signed using the Secure Boot CA like the
> EFI kernel image itself. Instead a key will be created during the build
> and thrown away after.

Do I correctly assume that change only affects the modules shipped by
the linux-image packages and not third-party modules built with dkms?

> ## Header and tool packages will no longer contain version
> This means that only headers of one single version can be available on
> the system at one time. This might be a bit inconvenient for dkms, as
> it can no longer build modules for multiple versions.

That sounds problematic in case of third party modules. If it is
possible to have multiple linux-image-* packages installed, but only
headers for one of them, the third-party modules will only be available
for one of the kernel versions for sure (maybe there are still old
module builds available, but no guarantee especially after the
third-party module got updated). This will make switching between
different kernel versions difficult to impossible, e.g. it may be hard
to go back to a working older kernel version in case the new one does
not work properly (or the third-party module cannot be built or does not
work for the new version).
Regarding getting the correct linux-header-* packages installed for the
installed linux-image-* packages:
Maybe linux-image-* could have
    Recommends: linux-headers-* | no-linux-headers
s.t. the correct linux-headers-* are installed by default (installation
of recommends is enabled by default) for all installed linux-image-*
packages. no-linux-headers would be an opt-out package that can be
installed manually if someone does not want to get linux-headers-*
installed at all. It should never be installed automatically.
For dkms it is hard to recommend the correct linux-header-* package, right
now we have
    Recommends: linux-headers-generic | linux-headers-686-pae |
    linux-headers-amd64 | linux-headers
which does not really work for the non-default kernel flavor, e.g. the
-cloud or -i386 kernel. So some improvement on the kernel side would be
nice here.
Andreas