
Automating signing of DKMS modules with machine owner key



Hi,

A few months ago, it took me a long long time to figure out how to do
this and write it in this wiki page:
https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key

This works very well, but I wonder if we could automate this by having a
hook in DKMS, so that any DKMS rebuild would also sign the DKMS modules.
Indeed, it's very annoying that I have to re-sign the modules manually
whenever the kernel increases version (in my case, I need to sign the 3
virtualbox kernel modules...).

Maybe we could have a standard path where to store the machine key, and
DKMS would use it? Maybe having a /etc/default/dkms where to configure this?

Of course, I am aware that this probably is a security problem. Someone
more knowledgeable than me with secure boot could explain why, and how
to mitigate the risks, how to store my machine owner key, etc. But for
me, usability is more important, and secure boot is still nice. Maybe
there's a way to get this safe, like encrypting the MOK and prompting for a
password every time?

Thoughts anyone?

Cheers,

Thomas Goirand (zigo)
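One shape such a hook could take, as an added sketch that is not part of the mail above nor DKMS's own code: it signs every DKMS-installed module of one kernel with the MOK via the kernel's sign-file, skips modules that already carry a signature, and covers the "encrypted key plus passphrase prompt" idea by feeding the passphrase to sign-file through KBUILD_SIGN_PIN. The key/certificate paths, the hook file name and the kernel version are assumptions.

```sh
#!/bin/sh
# Hypothetical DKMS post-build hook (not DKMS's own code): sign every
# DKMS-installed module for one kernel with the Machine Owner Key, skipping
# modules that are already signed. Assumed: the MOK paths below, sign-file from
# the matching linux-headers, uncompressed .ko files under updates/dkms.
set -eu
MOK_KEY="${MOK_KEY:-/var/lib/shim-signed/mok/MOK.priv}"   # assumed location
MOK_CERT="${MOK_CERT:-/var/lib/shim-signed/mok/MOK.der}"   # assumed location
HASH_ALGO="${HASH_ALGO:-sha256}"

# sign-file shipped with the headers of the kernel the modules were built for.
sign_tool_for() { printf '%s\n' "/usr/src/linux-headers-$1/scripts/sign-file"; }

# DKMS-installed modules for kernel $2 below filesystem root $1 (normally /);
# the root argument lets the function be exercised on a scratch tree.
dkms_modules_for() {
    find "$1/lib/modules/$2/updates/dkms" -type f -name '*.ko' 2>/dev/null | sort
}

# A signed module ends with the 28-byte magic trailer the kernel checks for.
is_signed() { tail -c 28 "$1" | grep -q '~Module signature appended~'; }

# Ask once for the passphrase of an encrypted MOK key: sign-file reads it from
# KBUILD_SIGN_PIN, so the key file never has to be stored in the clear.
ask_pin_if_needed() {
    [ -z "${KBUILD_SIGN_PIN:-}" ] || return 0
    grep -q ENCRYPTED "$MOK_KEY" 2>/dev/null || return 0   # plain PEM key
    printf 'MOK passphrase: ' >&2
    stty -echo </dev/tty; read -r KBUILD_SIGN_PIN </dev/tty; stty echo </dev/tty
    echo >&2; export KBUILD_SIGN_PIN
}

# Sign one module ($2) with the given sign-file binary ($1), idempotently.
sign_module() {
    if is_signed "$2"; then echo "already signed: $2"; return 0; fi
    "$1" "$HASH_ALGO" "$MOK_KEY" "$MOK_CERT" "$2"
}

# Sign everything DKMS installed for kernel $1 (default: the running kernel).
sign_all_for() {
    kver="${1:-$(uname -r)}"
    tool="$(sign_tool_for "$kver")"
    [ -x "$tool" ] || { echo "no sign-file for $kver" >&2; return 1; }
    ask_pin_if_needed
    dkms_modules_for / "$kver" | while read -r mod; do sign_module "$tool" "$mod"; done
}

case "${1:-}" in --run) sign_all_for "${2:-}" ;; esac   # e.g. ./hook.sh --run <kver>
```

Because the check for the signature trailer makes the script idempotent, it is safe to run it after every DKMS build and also by hand after a kernel upgrade.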

