Acknowledgement sent
to Dmitry Eremin-Solenikov <[email protected]>:
New Bug report received and forwarded. Copy sent to Debian EFI Team <[email protected]>.
(Wed, 04 Sep 2019 12:51:04 GMT) (full text, mbox, link).
Package: sbsigntool
Version: 0.9.2-2
Severity: normal
Could you please provide kmodsign tool like Ubuntu package does, so that
we can sign Linux kernel modules with custom keys.
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.2.0-2-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sbsigntool depends on:
ii libc6 2.28-10
ii libssl1.1 1.1.1c-1
ii libuuid1 2.34-0.1
sbsigntool recommends no packages.
sbsigntool suggests no packages.
-- no debconf information
Acknowledgement sent
to Steve McIntyre <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <[email protected]>.
(Mon, 09 Sep 2019 15:51:02 GMT) (full text, mbox, link).
Subject: Re: Bug#939392: please provide kmodsign like Ubuntu does
Date: Mon, 9 Sep 2019 16:46:38 +0100
On Mon, Sep 09, 2019 at 04:35:44PM +0100, Steve McIntyre wrote:
>On Wed, Sep 04, 2019 at 03:47:35PM +0300, Dmitry Eremin-Solenikov wrote:
>>Package: sbsigntool
>>Version: 0.9.2-2
>>Severity: normal
>>
>>Could you please provide kmodsign tool like Ubuntu package does, so that
>>we can sign Linux kernel modules with custom keys.
>
>ACK, that would be a good thing to have.
>
>Steve - would you be happy to push the ubuntu patches up into Debian?
>
>Probably worth us talking to the original kmodsign authors (David
>Howells and David Woodhouse) and the sbsigntool maintainer (James
>Bottomley) about maybe integrating things upstream too. I'll try to
>start a conversation there...
Hmmm, hang on - it's just the "sign-file" program from the kernel
tree, renamed as "kmodsign" for some reason. Steve: the bug at
https://bugs.launchpad.net/bugs/1526959
named in the patches doesn't seem all that relevant - could you
enlighten us please? :-)
--
Steve McIntyre, Cambridge, UK. [email protected]
"We're the technical experts. We were hired so that management could
ignore our recommendations and tell us how to do our jobs." -- Mike Andrews
Acknowledgement sent
to Steve McIntyre <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <[email protected]>.
(Mon, 09 Sep 2019 16:24:03 GMT) (full text, mbox, link).
Subject: Re: Bug#939392: please provide kmodsign like Ubuntu does
Date: Mon, 9 Sep 2019 16:35:44 +0100
On Wed, Sep 04, 2019 at 03:47:35PM +0300, Dmitry Eremin-Solenikov wrote:
>Package: sbsigntool
>Version: 0.9.2-2
>Severity: normal
>
>Could you please provide kmodsign tool like Ubuntu package does, so that
>we can sign Linux kernel modules with custom keys.
ACK, that would be a good thing to have.
Steve - would you be happy to push the ubuntu patches up into Debian?
Probably worth us talking to the original kmodsign authors (David
Howells and David Woodhouse) and the sbsigntool maintainer (James
Bottomley) about maybe integrating things upstream too. I'll try to
start a conversation there...
--
Steve McIntyre, Cambridge, UK. [email protected]
"Since phone messaging became popular, the young generation has lost the
ability to read or write anything that is longer than one hundred and sixty
characters." -- Ignatios Souvatzis
Hello all,
What about this issue ? No progress ??
Today update result
Calcul de la mise à jour…
Le paquet suivant a été installé automatiquement et n'est plus nécessaire :
libmozjs-91-0
Veuillez utiliser « apt autoremove » pour le supprimer.
Les NOUVEAUX paquets suivants seront installés :
libmozjs-102-0 linux-headers-5.19.0-2-amd64 linux-headers-5.19.0-2-common
linux-image-5.19.0-2-amd64
Les paquets suivants seront mis à jour :
fonts-wine gdm3 gir1.2-gdm-1.0 gjs libgdm1 libgjs0g libvkd3d-shader1
libvkd3d-shader1:i386 libvkd3d1 libvkd3d1:i386 libwine libwine:i386
linux-compiler-gcc-11-x86 linux-headers-amd64 linux-image-amd64
linux-kbuild-5.19 linux-libc-dev wine wine32:i386 wine64
Paramétrage de linux-kbuild-5.19 (5.19.11-1) ...
Paramétrage de linux-headers-5.19.0-2-common (5.19.11-1) ...
Paramétrage de linux-headers-5.19.0-2-amd64 (5.19.11-1) ...
/etc/kernel/header_postinst.d/dkms:
dkms: running auto installation service for kernel 5.19.0-2-amd64:Sign command: /usr/lib/linux-kbuild-5.19/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub
Building module:
Cleaning build area...
make -j2 KERNELRELEASE=5.19.0-2-amd64 KVER=5.19.0-2-amd64......
Signing module /var/lib/dkms/broadcom-sta/6.30.223.271/build/wl.ko
/usr/sbin/dkms: ligne 1055: kmodsign : commande introuvable
Cleaning build area...
wl.ko:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/5.19.0-2-amd64/updates/dkms/
depmod...
Subject: Re: please provide kmodsign like Ubuntu does
Date: Sun, 2 Oct 2022 13:51:17 -0700
Same here
Building module:
Cleaning build area...
'make' KVER=5.19.0-2-amd64
src=/usr/src/rtl88x2bu-5.8.7.1...............................................
Signing module /var/lib/dkms/rtl88x2bu/5.8.7.1/build/88x2bu.ko
/usr/sbin/dkms: line 1055: kmodsign: command not found
Cleaning build area...
88x2bu.ko:
Running module version sanity check.
- Original module
- No original module exists within this kernel
- Installation
- Installing to /lib/modules/5.19.0-2-amd64/updates/dkms/
depmod...
I see this
$ dpkg -S sign-file
linux-kbuild-5.19: /usr/lib/linux-kbuild-5.19/scripts/sign-file
but that's not terribly useful since you can't even symlink it to
kmodsign if you change kbuild versions.
Acknowledgement sent
to Chris Putnam <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <[email protected]>.
(Wed, 05 Oct 2022 06:36:02 GMT) (full text, mbox, link).
Is kmodsign necessary? I have been using the `sign-file` tool included in
the linux-headers package. It is located at
/usr/src/linux-headers-xxx/scripts/sign-file. It is also referenced by the
script /etc/dkms/sign_helper.sh, included with the dkms package.
Regardless, something happened recently with dkms where it is no longer
calling the sign tool script and there is no update on the current bug.
Acknowledgement sent
to Colin Watson <[email protected]>:
Extra info received and forwarded to list. Copy sent to Debian EFI Team <[email protected]>.
(Tue, 02 Jul 2024 14:00:02 GMT) (full text, mbox, link).
Subject: Re: Bug#939392: please provide kmodsign like Ubuntu does
Date: Tue, 2 Jul 2024 14:58:23 +0100
On Mon, Sep 09, 2019 at 04:46:38PM +0100, Steve McIntyre wrote:
> On Mon, Sep 09, 2019 at 04:35:44PM +0100, Steve McIntyre wrote:
> >On Wed, Sep 04, 2019 at 03:47:35PM +0300, Dmitry Eremin-Solenikov wrote:
> >>Could you please provide kmodsign tool like Ubuntu package does, so that
> >>we can sign Linux kernel modules with custom keys.
> >
> >ACK, that would be a good thing to have.
> >
> >Steve - would you be happy to push the ubuntu patches up into Debian?
> >
> >Probably worth us talking to the original kmodsign authors (David
> >Howells and David Woodhouse) and the sbsigntool maintainer (James
> >Bottomley) about maybe integrating things upstream too. I'll try to
> >start a conversation there...
>
> Hmmm, hang on - it's just the "sign-file" program from the kernel
> tree, renamed as "kmodsign" for some reason. Steve: the bug at
>
> https://bugs.launchpad.net/bugs/1526959
>
> named in the patches doesn't seem all that relevant - could you
> enlighten us please? :-)
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1579766 is a
more relevant bug report. This was for signing things outside of the
context of a kernel build, and Launchpad does that on a
specially-secured signing service that ensures that keys are encrypted
at rest and such. If memory serves, I asked for this to be added to
sbsigntool because the alternative was that we'd have to chase kernel
versions: sign-file is packaged as
/usr/lib/linux-kbuild-$version/scripts/sign-file in the
linux-kbuild-$version package, but that's really a pretty annoying thing
for a supposedly non-kernel-version-dependent service to have to depend
on!
dak has a similar requirement, and it seems that they've just ended up
with a dependency on "linux-kbuild-5.10 | linux-kbuild-4.19" that
presumably they bump from time to time. Ugh.
Now I'm no longer involved with Launchpad, but I have a pretty similar
third instance of this requirement in debusine, and I'd really rather
not perpetuate the same horribleness there. Is there any chance that
these Ubuntu patches could be merged?
Thanks,
--
Colin Watson (he/him) [[email protected]]
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.