FS#75212 - [dkms] module signing is broken

Attached to Project: Arch Linux
Opened by Maximiliano Curia (maxy) - Saturday, 02 July 2022, 10:22 GMT
Last edited by Sébastien Luttringer (seblu) - Friday, 15 July 2022, 21:24 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Sébastien Luttringer (seblu)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 38
Private: No

Details

Description: failing to use sign-file due to 3323033dfdc5f58afc303736f6b580bf62442ef7

version: 3.0.5-1

Not affected with 3.0.3

Upstream report: https://github.com/dell/dkms/issues/229

Steps to reproduce:
- Install any dkms module
- While building the module, dkms will try to sign it, but since the sign_file variable is not set, it tries to execute a nonexistent command.


Closed by Sébastien Luttringer (seblu)
Friday, 15 July 2022, 21:24 GMT
Reason for closing: Fixed
Additional comments about closing: dkms-3.0.5-2
Comment by Leonidas Spyropoulos (inglor) - Saturday, 02 July 2022, 12:48 GMT
There's a PR open for this upstream:

https://github.com/dell/dkms/pull/230
Comment by Mark Wagie (yochananmarqos) - Saturday, 02 July 2022, 22:15 GMT
That PR does not work with 3.0.5-1:

```
==> Starting prepare()...
-> Applying patch 230.patch
patching file dkms.in
patching file dkms.in
Reversed (or previously applied) patch detected! Skipping patch.
2 out of 2 hunks ignored -- saving rejects to file dkms.in.rej
```

However, this should:

```
sed -i 's/sha512/sha512sum/g' "$pkgname.in"
```
Comment by Jonathon (jonathon) - Sunday, 03 July 2022, 00:29 GMT
Changing `sha512` to `sha512sum` is incorrect; `sha512` is an option being passed to the `kmodsign` (line 1030) or `$sign_file` (line 1033) command.
Comment by David Bohman (debo) - Sunday, 03 July 2022, 21:24 GMT
See patch below.

Comment by Sébastien Luttringer (seblu) - Sunday, 03 July 2022, 21:53 GMT
I do not use signed modules, so I'm not affected by this.
Is this an issue only for users who enforce module signature with module.sig_enforce=1?
Is setting module.sig_enforce=0 a workaround?
Comment by Troy Engel (TE) - Monday, 04 July 2022, 12:53 GMT
The commit that broke this: https://github.com/dell/dkms/commit/3323033dfdc5f58afc303736f6b580bf62442ef7

The problem is the authors converted from `kmodsign` (which I, as a non-UEFI user, do not have installed), so the previous code properly stopped trying to sign a module if that was missing.

```
sign_build()
{
    # Skip signing unless kmodsign is installed and the MOK directory exists.
    [[ -x "$(command -v kmodsign)" && -d "/var/lib/shim-signed/mok/" ]] || return
    # ... (remainder of the function is not shown in this comment)
}
```

The newly updated code just sets up `do_signing` regardless of any missing tools, so it's more broken than just one missing variable -- on my system it simply should not be trying to sign any modules at all as it's a BIOS boot, not UEFI (meaning the new broken code for missing `sign_file` should not even be reached; the new code breaks the logic).

https://github.com/dell/dkms/issues/162
Comment by David Bohman (debo) - Monday, 04 July 2022, 23:12 GMT
Arch needs to set the following in the dkms config:

```
sign_file='/usr/lib/modules/${kernelver}/build/scripts/sign-file'
```

The single quotes are necessary because $kernelver is not yet set when the configuration files are sourced.
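
The two points raised in the comments above (the dropped tool check and the single-quoted `sign_file`), as an added shell example that is not code from dkms or from this thread. The function names, the `KEY`/`CERT`/`MODULE` placeholders and the substitution without `eval` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not dkms code; all function names are hypothetical.

# As a dkms config file would set it. Single quotes keep ${kernelver} literal,
# because the kernel version is not known yet when the file is sourced.
sign_file='/usr/lib/modules/${kernelver}/build/scripts/sign-file'

# Failure mode: an empty, unquoted tool variable vanishes from the command
# line, so the next word (the hash option) becomes the command name.
effective_command() (            # $1 = value of sign_file
    tool=$1
    # Unquoted on purpose. KEY, CERT and MODULE are placeholders.
    set -- $tool sha512 KEY CERT MODULE
    printf '%s\n' "$1"
)

# Substitute the literal ${kernelver} placeholder at use time, without eval,
# so nothing else in the configured string is ever executed.
resolve_sign_file() (            # $1 = template, $2 = kernel version
    ph='${kernelver}'
    case $1 in
        *"$ph"*) pre=${1%%"$ph"*}; post=${1#*"$ph"}
                 printf '%s\n' "$pre$2$post" ;;
        *)       printf '%s\n' "$1" ;;
    esac
)

# Guard in the spirit of the old kmodsign check: decide before signing.
# Prints "skip:<reason>" or "sign:<path of the executable tool>".
plan_signing() (                 # $1 = template (may be empty), $2 = kernel version
    [ -n "$1" ] || { echo "skip:sign_file not set"; exit 0; }
    tool=$(resolve_sign_file "$1" "$2")
    [ -x "$tool" ] || { echo "skip:$tool not executable"; exit 0; }
    echo "sign:$tool"
)

effective_command ''             # prints: sha512
plan_signing "$sign_file" "$(uname -r)"
```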
Comment by David Bohman (debo) - Tuesday, 05 July 2022, 00:36 GMT
The attached diffs seem to fix it.
Comment by Dmitry Skvortsov (Iglu47) - Tuesday, 05 July 2022, 09:35 GMT
I confirm. Defining sign_file helps with this problem.
https://github.com/dell/dkms/blob/187980ac51650b02225f9a13a7ed99b8e01d062c/dkms_framework.conf#L28
```
sign_file='/usr/lib/modules/${kernelver}/build/scripts/sign-file'
```

Rebuilding with the patch above helps too.
Comment by David C. Rankin (drankinatty) - Saturday, 09 July 2022, 05:15 GMT
Not sure where the fix/patch for this stands, but as of 7/9/22 with the new dkms 3.0.5-1, I still get:

```
(13/27) Install DKMS modules
==> dkms install --no-depmod vboxhost/6.1.35_non_OSE -k 5.18.9-arch1-1
/usr/bin/dkms: line 1033: sha512: command not found
/usr/bin/dkms: line 1033: sha512: command not found
/usr/bin/dkms: line 1033: sha512: command not found
```
Comment by Troy Engel (TE) - Saturday, 09 July 2022, 13:03 GMT
@drankinatty `3.0.5-1` is the broken one (and latest package available); you can either attempt to patch it yourself using test patches in this issue, or you could downgrade to the previous package 3.0.3 for the time being. If choosing the latter, this nifty tool can help: https://aur.archlinux.org/packages/downgrade
Comment by David Bohman (debo) - Saturday, 09 July 2022, 13:15 GMT
I just sent a message to Sébastien asking about the status.
Comment by Dmitry Skvortsov (Iglu47) - Thursday, 14 July 2022, 10:20 GMT
> https://aur.archlinux.org/packages/downgrade
Without third-party programs, the downgrade can be done using pacman itself:

```
sudo pacman -U https://archive.archlinux.org/packages/d/dkms/dkms-3.0.3-1-any.pkg.tar.zst
```

And just tell pacman to keep the old dkms version: in the file /etc/pacman.conf, add this line (or add dkms to the list if IgnorePkg is not empty):

```
IgnorePkg = dkms
```

Then, when you know the problem is solved, tell pacman to stop ignoring dkms updates by removing that line or package name.
Comment by Doug Newgard (Scimmia) - Thursday, 14 July 2022, 12:34 GMT
Or you can just ignore the errors for now, since they don't mean anything. Downgrading for this is massive overkill.
Comment by Sébastien Luttringer (seblu) - Thursday, 14 July 2022, 13:22 GMT
Should be fixed in dkms-3.0.5-2.

I applied https://github.com/dell/dkms/pull/230 early.

I have no secure boot system, so please confirm it's a good fix.
Comment by Dmitry Skvortsov (Iglu47) - Thursday, 14 July 2022, 14:10 GMT
> I have no secure boot system, so please confirm it's a good fix.
Works for me; dkms-3.0.5-2 does not have the initially described issue.
