
Bug#1110126: marked as done (unblock: shim-signed/1.47)



Your message dated Thu, 31 Jul 2025 06:18:43 +0000
with message-id <E1uhMcl-0047Xx-1k@respighi.debian.org>
and subject line unblock shim-signed
has caused the Debian Bug report #1110126,
regarding unblock: shim-signed/1.47
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1110126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110126
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: shim-signed@packages.debian.org
Control: affects -1 + src:shim-signed

Hi folks,

Please unblock package shim-signed

Apologies for leaving this so late - I started hacking on this during
DebCamp, then... :-(

I've added a targeted fix for the serious bug #1108278 (Asks to
disable EFI Secure Boot with enrolled DKMS key). We really shouldn't
be telling users to disable Secure Boot when they've followed the
instructions and generated a key for DKMS to use. So I've added logic
to test for that in the update-secureboot-policy that we run from the
shim-signed.postinst.

I've tested this reasonably extensively on some machines here, and both
of the contributors in #1108278 have also tested the fix
successfully. I've tried to be as careful as possible in the change
here, to reduce the chances of DKMS users being locked out via SB if
anything is missing.

I've had a number of other people ask about this outside of the bug
report, via IRC and IRL. As we have a lot of people using DKMS for
Nvidia drivers in particular, this change should hopefully reduce a
lot of upgrade pain for our users.

(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)

Debdiff attached.

unblock shim-signed/1.47
diff -Nru shim-signed-1.46/debian/changelog shim-signed-1.47/debian/changelog
--- shim-signed-1.46/debian/changelog	2025-06-23 11:55:56.000000000 +0100
+++ shim-signed-1.47/debian/changelog	2025-07-29 18:40:12.000000000 +0100
@@ -1,3 +1,16 @@
+shim-signed (1.47) unstable; urgency=medium
+
+  * update-secureboot-policy: do better checking around DKMS
+    If we have DKMS modules installed:
+    + Check to see if a DKMS MOK key has been created and enrolled;
+    + Check that all the DKMS modules are signed with that key;
+    If successful, don't tell users to disable Secure Boot.
+    Closes: #1108278.
+    Add dependencies on openssl and kmod for shim-signed-common,
+    needed for implementing these check.
+
+ -- Steve McIntyre <93sam@debian.org>  Tue, 29 Jul 2025 18:40:14 +0100
+
 shim-signed (1.46) unstable; urgency=medium
 
   * No-change rebuild to upload source-only. Argh. :-/
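Review bot: The changelog entry reads "needed for implementing these check" in the line after "Add dependencies on openssl and kmod for shim-signed-common"; it should be "these checks". Otherwise the entry describes the change well: the two bullet points (MOK key created and enrolled, all DKMS modules signed with it) match the two stages of the new logic in update-secureboot-policy.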
diff -Nru shim-signed-1.46/debian/control shim-signed-1.47/debian/control
--- shim-signed-1.46/debian/control	2025-06-22 22:53:36.000000000 +0100
+++ shim-signed-1.47/debian/control	2025-07-29 18:21:12.000000000 +0100
@@ -40,7 +40,7 @@
 Package: shim-signed-common
 Multi-Arch: foreign
 Architecture: all
-Depends: ${misc:Depends}, mokutil
+Depends: ${misc:Depends}, mokutil, openssl, kmod
 Replaces: shim-signed (<< 1.32+15+1533136590.3beb971-5)
 Breaks: shim-signed (<< 1.32+15+1533136590.3beb971-5)
 Description: Secure Boot chain-loading bootloader (common helper scripts)
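Review bot: The new hard dependencies on openssl and kmod are justified, since update-secureboot-policy now calls `openssl x509` and `modinfo` unconditionally once a DKMS key file is found, and mokutil is already a dependency. Note that this pulls openssl into every shim-signed-common installation, including systems without DKMS; if that is a concern, the script could test for the tools with `command -v` and fall through to the existing prompt when they are absent, but as a targeted fix for the freeze the simpler dependency is acceptable.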
diff -Nru shim-signed-1.46/update-secureboot-policy shim-signed-1.47/update-secureboot-policy
--- shim-signed-1.46/update-secureboot-policy	2019-05-25 02:26:08.000000000 +0100
+++ shim-signed-1.47/update-secureboot-policy	2025-07-29 18:40:14.000000000 +0100
@@ -26,6 +26,7 @@
     secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
     moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
     moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
+    dkms_mok_pubkey=/var/lib/dkms/mok.pub
     action=disable
 
     if [ $enable_sb -eq 1 ]; then
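Review bot: `dkms_mok_pubkey=/var/lib/dkms/mok.pub` hardcodes the certificate location. If a system keeps its DKMS signing certificate somewhere else, the later `[ -f $dkms_mok_pubkey ]` test simply fails and the script falls through to the existing "disable Secure Boot" prompt, which is the fail-safe direction but reproduces the exact symptom of #1108278 for those users. Consider making the path configurable, or at least mentioning the expected location in the diagnostic output so the user knows why the check did not apply.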
@@ -51,8 +52,55 @@
         moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
                        awk '{ print $NF; }')
     fi
+
     # poor man's xor
     if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then
+
+        echo "$0: Checking status of DKMS module signing:" >&2
+
+        # We have DKMS and secure boot is enabled. Check to see if we
+        # have a DKMS key and if it's enrolled in MOK. If it is, we
+        # should be fine.
+        if [ -f $dkms_mok_pubkey ]; then
+            echo "  [ OK ] System DKMS key found in $dkms_mok_pubkey" >&2
+            registered_ok=0
+
+            # Gran the serial number of the DKMS key
+            dkms_key=$(openssl x509 -in $dkms_mok_pubkey -text | \
+                awk '/Serial Number/ {getline;print tolower($1)}')
+
+            # And compare it to all the keys that MOK knows about -
+            # any match is good enough.
+            for mok_key in $(mokutil --list-enrolled | \
+                    awk '/Serial Number/ {getline;print tolower($1)}'); do
+                if [ "$dkms_key"x = "$mok_key"x ]; then
+                    echo "  [ OK ] System DKMS key is registered via MOK" >&2
+                    registered_ok=1
+                fi
+            done
+            if [ $registered_ok != 1 ]; then
+                echo "  E: System's DKMS key is NOT installed in MOK." >&2
+            else
+                signed_ok=1
+                # Now check all the DKMS modules we can find are
+                # signed with this key.
+                for mod in $(find /var/lib/dkms/ -name '*.ko'); do
+                    mod_key=$(modinfo $mod | awk '/sig_key:/ {print tolower($2)}')
+                    if [ "$mod_key"x != "$dkms_key"x ]; then
+                        echo "  E: $mod is not signed with the DKMS key" >&2
+                        signed_ok=0
+                    fi
+                done
+                if [ $signed_ok = 1 ]; then
+                    echo "  [ OK ] All DKMS modules signed with the DKMS key" >&2
+                    echo "All OK, nothing to do." >&2
+                    return 0
+                else
+                    echo "  Some modules not signed with the DKMS key. Rebuild?." >&2
+                fi
+            fi
+        fi
+
         STATE=1
         db_settitle shim/title/secureboot
         while true; do
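Review bot: The serial-number extraction `awk '/Serial Number/ {getline;print tolower($1)}'` assumes the serial is always printed on the line after the "Serial Number:" label. openssl's `-text` output only does that for long serials; a short serial is printed on the label line itself, so `$dkms_key` would capture the following unrelated line and the MOK comparison could never match, sending the user to the Secure Boot prompt even though the key is enrolled. A more robust approach is `openssl x509 -noout -serial`, normalising the result to the lowercase colon-separated form that `modinfo` prints after `sig_key:` so the later per-module comparison still works. Two smaller points: the comment "Gran the serial number" should read "Grab", and `for mod in $(find /var/lib/dkms/ -name '*.ko')` word-splits on paths, so a module path containing whitespace would be flagged as unsigned; `find ... -exec` or `while read` avoids that. The overall shape is sound: `registered_ok` and `signed_ok` are initialised before use, an unsigned module yields an empty `mod_key` that correctly mismatches, and `return 0` is only reached when every module carries the enrolled key, so any failure still lands on the existing prompt.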

--- End Message ---
--- Begin Message ---
Unblocked shim-signed. 

--- End Message ---