
Comments (6)

scaronni commented on August 10, 2024

If we automate it, and the user does not know what's happening, they will be prompted with the MOK enrollment screen.

If the user cancels the operation, then the automation will try to rerun it again and again. I'm strongly against this.

What we can do is add a hint/message to the output if the MOK key has not been enrolled yet. I'll make a prototype as soon as the other merge requests are closed.


scaronni commented on August 10, 2024

Something like this (fake output):

    # dkms build -m nvidia/555.58.02 -k 6.9.7-200.fc40.x86_64
    Sign command: /lib/modules/6.9.7-200.fc40.x86_64/build/scripts/sign-file
    Signing key: /var/lib/dkms/mok.key
    Public certificate (MOK): /var/lib/dkms/mok.pub

    The public certificate is not imported yet, please run the following command to allow using the built modules with SecureBoot:
    mokutil --import /var/lib/dkms/mok.pub

    Cleaning build area... done.
    Building module(s)....................... done.
    Signing module /var/lib/dkms/nvidia/555.58.02/build/kernel-open/nvidia.ko
    Signing module /var/lib/dkms/nvidia/555.58.02/build/kernel-open/nvidia-modeset.ko
    Signing module /var/lib/dkms/nvidia/555.58.02/build/kernel-open/nvidia-drm.ko
    Signing module /var/lib/dkms/nvidia/555.58.02/build/kernel-open/nvidia-uvm.ko
    Signing module /var/lib/dkms/nvidia/555.58.02/build/kernel-open/nvidia-peermem.ko
    Cleaning build area... done.

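One way the hint proposed above could be decided, as an added example that is not dkms's own code: the check treats the certificate as enrolled only when `mokutil --test-key CERT` reports "is already enrolled", and it distinguishes the two cases a build script would otherwise conflate (certificate file missing vs. mokutil not installed). The MOKUTIL variable is an assumption made so the command can be swapped for a stand-in when mokutil is unavailable.

```shell
#!/bin/sh
# Added example, not dkms's own code.
# Assumption: MOKUTIL names the mokutil binary (or a stand-in for testing);
# enrollment is detected from the "is already enrolled" text of --test-key.
MOKUTIL="${MOKUTIL:-mokutil}"

# mok_cert_status CERT
# Prints exactly one of: enrolled | not-enrolled | no-cert | no-mokutil
mok_cert_status() {
    cert="$1"
    [ -f "$cert" ] || { echo "no-cert"; return 0; }
    command -v "$MOKUTIL" >/dev/null 2>&1 || { echo "no-mokutil"; return 0; }
    out="$("$MOKUTIL" --test-key "$cert" 2>/dev/null)"
    case "$out" in
        *"already enrolled"*) echo "enrolled" ;;
        *)                    echo "not-enrolled" ;;
    esac
}

# mok_enroll_hint CERT
# Silent when the certificate is enrolled; otherwise prints the hint from the
# thread and returns non-zero so a caller can tell the three failure modes apart.
mok_enroll_hint() {
    cert="$1"
    case "$(mok_cert_status "$cert")" in
        enrolled)
            return 0 ;;
        not-enrolled)
            echo "The public certificate is not imported yet, please run the following command to allow using the built modules with SecureBoot:"
            echo "mokutil --import $cert"
            return 1 ;;
        no-mokutil)
            echo "mokutil not found, cannot tell whether $cert is enrolled in the MOK list"
            return 2 ;;
        no-cert)
            echo "Public certificate $cert not found, modules will not be signed"
            return 3 ;;
    esac
}

# Stand-alone use: ./mok-hint.sh /var/lib/dkms/mok.pub
if [ $# -gt 0 ]; then
    mok_enroll_hint "$1"
fi
```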

adrelanos commented on August 10, 2024

Anything would be an improvement over the current state.

However, it seems that DKMS already automates this action on 1 Linux distribution, namely Ubuntu. Here is the related source code copied here for convenience:

    if [[ -z "${mok_signing_key}" ]]; then
        # No custom key specified, use the default key created by update-secureboot-policy for Ubuntu
        # Debian's update-secureboot-policy has no --new-key option
        case "$running_distribution" in
            ubuntu* )
                mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
                mok_certificate="/var/lib/shim-signed/mok/MOK.der"

                if [[ ! -f ${mok_signing_key} || ! -f ${mok_certificate} ]]; then
                    if [[ ! -x "$(command -v update-secureboot-policy)" ]]; then
                        echo "Binary update-secureboot-policy not found, modules won't be signed"
                        return
                    fi
                    # update-secureboot-policy won't create new key if $mok_certificate exists
                    if [[ -f ${mok_certificate} ]]; then
                        rm -f "${mok_certificate}"
                    fi
                    echo "Certificate or key are missing, generating them using update-secureboot-policy..."
                    SHIM_NOTRIGGER=y update-secureboot-policy --new-key &>/dev/null
                    update-secureboot-policy --enroll-key
                fi

                ;;
        esac
    fi

As per the source code comment "Debian's update-secureboot-policy has no --new-key option" found in the source code I pasted above, it seems like DKMS developers decided they do not wish to run sudo mokutil --import but instead would like to proxy it through update-secureboot-policy. (For me, not having Ubuntu installed,) it's hard to find the source code for update-secureboot-policy, and it apparently also does not have a man page. So I don't know yet what it does.

It may provide some sort of "moderation" (avoidance of adding keys the user does not wish to add, avoidance of adding keys over and over again) or other usability features.

Debian, as the DKMS source code says, lacks the --new-key option. I plan to inform Debian in the form of a bug report / feature request. Other distributions might totally lack the update-secureboot-policy tool.


adrelanos commented on August 10, 2024

Ubuntu's update-secureboot-policy source code is here:
https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim-signed/tree/update-secureboot-policy

Debian's update-secureboot-policy source code is here:
https://salsa.debian.org/efi-team/shim-signed/-/blob/master/update-secureboot-policy?ref_type=heads


adrelanos commented on August 10, 2024

Debian feature requests:


evelikov commented on August 10, 2024

Fwiw, personally I'm not excited about having more distro-specific paths. The fact that update-secureboot-policy has diverged across distros (is undocumented, the project lacks CI, contribution guidelines, etc.) makes things even less compelling.

If the latter is resolved, I would be more supportive of the idea.
