Bug#1116701: shim-signed-common: update-secureboot-policy ignores custom MOK locations specified in DKMS settings
Package: shim-signed-common
Version: 1.47+15.8-1
Severity: normal
X-Debbugs-Cc: jan.stolarek@mailbox.org
Dear Maintainer,
After upgrading to Debian Trixie I noticed changes in how module signing using
DKMS is handled. In particular, DKMS now presumes the existence of MOK keys
in the /var/lib/dkms/ directory for the purpose of signing the modules. Since I
already have a set of enrolled MOK keys, I changed the configuration in
/etc/dkms/framework.conf to point to my already existing keys:
mok_signing_key=/root/.mok/MOK-sha256.priv
mok_certificate=/root/.mok/MOK-sha256.der
DKMS picks up these files correctly when installing the nvidia modules, i.e. they
get signed during installation, as expected. However, the update-secureboot-policy
binary ignores the settings from the /etc/dkms/framework.conf file and relies on
hardcoded values. Running update-secureboot-policy on a SecureBoot-enabled
machine produces the following error:
/usr/sbin/update-secureboot-policy: Checking status of DKMS module signing:
[ OK ] System DKMS key found in /var/lib/dkms/mok.pub
E: System's DKMS key is NOT installed in MOK.
The statement is true, in that these keys are indeed not enrolled. However,
update-secureboot-policy should not even be looking at this location, since the
MOK is specified to be elsewhere.
The expected solution is to make update-secureboot-policy aware of the DKMS settings
in /etc/dkms/framework.conf.
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shim-signed-common depends on:
ii debconf [debconf-2.0] 1.5.91
ii kmod 34.2-2
ii mokutil 0.7.2-1
ii openssl 3.5.1-1
shim-signed-common recommends no packages.
shim-signed-common suggests no packages.
-- debconf information:
shim/title/secureboot:
* shim/disable_secureboot: false
shim/enable_secureboot: false
shim/error/secureboot_key_mismatch:
shim/error/bad_secureboot_key:
* shim/secureboot_explanation:
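The check the reporter asks for, written out as an added example (this is not the shim-signed-common or DKMS code, and the framework.conf sample embedded in it is constructed to mirror the report): read mok_certificate from /etc/dkms/framework.conf, fall back to the DKMS default /var/lib/dkms/mok.pub only when the setting is absent, and then ask mokutil whether that certificate is enrolled. The conf_get, dkms_mok_cert and check_enrolled helper names are this example's own; the assumption that `mokutil --test-key` exits 0 when the key is already enrolled is noted in the code.

```sh
#!/bin/sh
# Added example (not shim-signed-common or DKMS project code): resolve the
# DKMS MOK certificate from /etc/dkms/framework.conf instead of assuming
# /var/lib/dkms/mok.pub, then test enrolment with mokutil.

DKMS_CONF=/etc/dkms/framework.conf
DKMS_DEFAULT_CERT=/var/lib/dkms/mok.pub

# conf_get FILE KEY: print the value of KEY=value from a shell-style config
# file without sourcing it. Comment lines are skipped, a trailing comment and
# one pair of surrounding quotes are stripped, and the last assignment wins
# (as it would if DKMS sourced the file). Prints nothing if KEY is unset.
# A literal '#' inside the path is not supported.
conf_get() {
    [ -r "$1" ] || return 1
    awk -v key="$2" -v sq="'" '
        /^[[:space:]]*#/ { next }
        $0 ~ ("^[[:space:]]*" key "=") {
            sub("^[[:space:]]*" key "=", "")
            sub(/[[:space:]]*#.*$/, "")
            gsub("^[\"" sq "]|[\"" sq "]$", "")
            val = $0
        }
        END { if (val != "") print val }
    ' "$1"
}

# dkms_mok_cert [FILE]: the certificate DKMS signs modules with, which is the
# one update-secureboot-policy should be checking.
dkms_mok_cert() {
    cert=$(conf_get "${1:-$DKMS_CONF}" mok_certificate)
    printf '%s\n' "${cert:-$DKMS_DEFAULT_CERT}"
}

# check_enrolled CERT: 0 if the DER certificate is enrolled in MOK, 1 if not,
# 2 if the file is missing. Assumption: mokutil --test-key exits 0 when the
# key is already enrolled. Needs root and a mounted efivarfs.
check_enrolled() {
    [ -f "$1" ] || { echo "E: DKMS certificate $1 not found" >&2; return 2; }
    if mokutil --test-key "$1" >/dev/null 2>&1; then
        echo "[ OK ] DKMS certificate $1 is enrolled in MOK"
    else
        echo "E: DKMS certificate $1 is NOT enrolled in MOK (enrol with: mokutil --import $1)" >&2
        return 1
    fi
}

# Demo on a constructed framework.conf mirroring the report, so this runs
# on any machine; the real check below only runs where mokutil exists.
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
# constructed sample of /etc/dkms/framework.conf
mok_signing_key="/root/.mok/MOK-sha256.priv"
mok_certificate=/root/.mok/MOK-sha256.der   # enrolled manually
EOF
echo "DKMS certificate from sample config: $(dkms_mok_cert "$demo_conf")"
rm -f "$demo_conf"
if command -v mokutil >/dev/null 2>&1; then
    check_enrolled "$(dkms_mok_cert)" || true
fi
```

With the report's configuration, dkms_mok_cert resolves to /root/.mok/MOK-sha256.der and the enrolment test runs against that file rather than against the default /var/lib/dkms/mok.pub, which is the behaviour the report expects from update-secureboot-policy.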