
Bug#1023593: dkms 3.0.6-4 signs modules without secure boot enabled


Thomas Luzat

Nov 7, 2022, 5:40:04 AM
Package: dkms
Version: 3.0.6-4
Severity: important

Dear Maintainer,

after upgrading to dkms 3.0.6-4 and installing a new custom-built kernel, dkms
generates a signing key:

Setting up linux-image-6.0.7-wopr (6.0.7-wopr-1) ...
dkms: running auto installation service for kernel 6.0.7-wopr:Sign command:
/usr/lib/linux-kbuild-6.0/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub
Certificate or key are missing, generating self signed certificate for MOK...

... and signs modules (NVIDIA's driver in this case). This seems to break the
boot process on my system (x86_64, UEFI, secure boot disabled, cryptoroot):

* Acquiring an IP using DHCP for unlocking remotely early in the boot process
  does not seem to work (no NIC/network info shown).
* When unlocking locally, the system hangs within init-bottom (probably related
  to failure to load module(s) given that I include the NVIDIA drivers in the
  initramfs).

Downgrading to 3.0.6-3 and reinstalling the linux-image fixes the issue: NVIDIA
modules are no longer signed, boot works as expected (brings up NIC, unlock
works, NVIDIA driver loads).

Patching 3.0.6-4's /usr/sbin/dkms to not invoke prepare_signing and
reinstalling the image also works.

I did not find another way to disable signing the modules (do_signing=1 seems
to be true for all possible code paths) or boot with the signed NVIDIA modules.

I feel that there should be a way to disable signing the modules; or should
this work without secure boot, too?

Cheers,

Thomas


-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.0.7-wopr (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dkms depends on:
ii build-essential 12.9
ii clang-13 [c-compiler] 1:13.0.1-9
ii clang-14 [c-compiler] 1:14.0.6-7
ii dctrl-tools 2.24-3+b1
ii dh-dkms 3.0.6-4
ii dpkg-dev 1.21.9
ii gcc [c-compiler] 4:12.2.0-1
ii gcc-10 [c-compiler] 10.4.0-5
ii gcc-11 [c-compiler] 11.3.0-8
ii gcc-12 [c-compiler] 12.2.0-9
ii kmod 30+20220905-1
ii lsb-release 12.0-1
ii make 4.3-4.1
ii patch 2.7.6-7

Versions of packages dkms recommends:
ii fakeroot 1.30.1-1
ii linux-headers-amd64 [linux-headers-generic] 6.0.6-2
ii sudo 1.9.11p3-2

Versions of packages dkms suggests:
ii e2fsprogs 1.46.6~rc1-1+b1
pn menu <none>

-- no debconf information
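
For triaging a report like the one above, this added example (not part of the original report and not dkms code) checks the two facts it turns on: whether a .ko file carries an appended signature, and whether the firmware reports Secure Boot as enabled. It assumes the kernel's 12-byte `struct module_signature` trailer layout and the standard efivarfs path; the function names and the sample bytes are constructed for illustration.

```python
import struct
import sys
from pathlib import Path

MAGIC = b"~Module signature appended~\n"  # marker at the very end of a signed .ko
TRAILER = struct.Struct(">BBBBB3xI")       # struct module_signature: 12 bytes, sig_len big-endian
# SecureBoot variable in the EFI global namespace: 4 attribute bytes, then 1 value byte
SB_VAR = Path("/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c")

def module_signature_info(blob: bytes):
    """Return None for an unsigned module, else a dict describing the appended signature."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("marker present but module_signature trailer is truncated")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    if sig_len > end - TRAILER.size:
        raise ValueError("sig_len exceeds file size")
    return {"id_type": id_type, "sig_len": sig_len,
            "payload_len": end - TRAILER.size - sig_len}

def secure_boot_enabled(var: Path = SB_VAR):
    """True/False from the firmware variable; None if unreadable (e.g. legacy BIOS boot)."""
    try:
        data = var.read_bytes()
    except OSError:
        return None
    return len(data) >= 5 and data[4] == 1

def triage(blob: bytes, secure_boot) -> str:
    info = module_signature_info(blob)
    if info is None:
        return "unsigned"
    state = {True: "on", False: "off", None: "unknown"}[secure_boot]
    return f"signed ({info['sig_len']}-byte signature), Secure Boot {state}"

def constructed_sample(sig_len: int = 16) -> bytes:
    """Constructed input: fake module body + dummy signature + trailer (id_type 2) + marker."""
    body = b"\x7fELF" + b"\0" * 60
    return body + b"S" * sig_len + TRAILER.pack(0, 0, 2, 0, 0, sig_len) + MAGIC

if __name__ == "__main__":
    sb = secure_boot_enabled()
    if len(sys.argv) < 2:
        print("constructed sample ->", triage(constructed_sample(), sb))
    for name in sys.argv[1:]:  # pass uncompressed .ko files
        print(name, "->", triage(Path(name).read_bytes(), sb))
```

Compressed modules (.ko.xz, .ko.zst) must be decompressed first, since the marker sits at the end of the uncompressed file.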

Holger Schröder

Nov 7, 2022, 6:40:03 AM