Bug#1055433: marked as done (key enrollment on non-EFI systems for `module.sig_enforce=1` kernel parameter)
Your message dated Thu, 01 May 2025 17:52:10 +0200 (CEST)
with message-id <20250501155210.4C261BE2DE0@eldamar.lan>
and subject line Closing this bug (BTS maintenance for src:linux bugs)
has caused the Debian Bug report #1055433,
regarding key enrollment on non-EFI systems for `module.sig_enforce=1` kernel parameter
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1055433: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055433
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Severity: normal
Kernel module signature verification can be enabled using the
`module.sig_enforce=1` kernel parameter on non-EFI systems.
On non-EFI systems, `mokutil` won't work. But then how could one enroll
the key without needing to recompile grub or the kernel?
Can `/var/lib/dkms/mok.pub` be enrolled using `keyctl`? Probably not, as
per the kernel manual [1]:
> Note, however, that the kernel will only permit keys to be added to
> .builtin_trusted_keys if the new key's X.509 wrapper is validly signed
> by a key that is already resident in the .builtin_trusted_keys at the
> time the key was added.
Upstream DKMS thinks DKMS is the wrong place to do this.
Cheers,
Patrick
[1] https://www.kernel.org/doc/html/v6.6/admin-guide/module-signing.html
[2] https://github.com/dell/dkms/issues/359
--- End Message ---
--- Begin Message ---
Hi
This bug was filed for a (very) old kernel or the bug is old itself
without resolution. Maybe it was for a feature enablement which nobody
acted on. We are sorry we were not able to timely deal with this issue.
There are many open bugs for the src:linux package and thus we are
closing older bugs where it's unclear if they still occur in newer
versions and are still relevant to the reporter. For an overview see:
https://bugs.debian.org/src:linux .
If you can reproduce your issue with
- the current version in unstable/testing
- the latest kernel from backports
or, if it was a feature addition/wishlist and you still consider it
relevant, then:
Please reopen the bug, see https://www.debian.org/Bugs/server-control
for details.
Please try to provide as many fresh details as possible, including kernel logs where
relevant. In particular where an issue is coupled with specific hardware we
might ask you to do additional debugging on your side as the owner of the
hardware.
Regards,
Salvatore
--- End Message ---