On 27/10/22 17:38, Siddh Raman Pant wrote:
> We can use the sign_helper.sh which was used in sign_tool config prior to v3 in
> the sign_file config option in /etc/dkms/framework.conf.
> Courtesy: https://github.com/dell/dkms/issues/273.
> I use it with keyring in the following way:
> https://gist.github.com/siddhpant/19c07b07d912811f5a4b2893ca706c99
> Thanks,
> Siddh

Hi Siddh,

since dkms is supposed to run as root, it's not clear to me which keyring the
signing key passphrase is going to be stored in. I definitely wouldn't
recommend running Gnome/KDE keyrings as root, and user keyrings seem to be
unreachable via D-Bus in a console where root has been gained with su -.

BTW, adding a configuration snippet in /etc/dkms/framework.conf.d/ containing

    export KBUILD_SIGN_PIN='my_mok_key_pin'

(permissions 600 recommended) seems to work (given the kernel you are running
is configured to use the SHA512 hash algorithm; official Debian kernels use
SHA256 [1]).

We also have to face the problem that only official Debian kernels store the
sign-file executable in

    /usr/lib/linux-kbuild-${kernelver%.*}/scripts/

where dkms looks in Debian; Xanmod and Liquorix, for example, store this file in

    /usr/src/linux-headers-${kernelver}/scripts/

but this path can't be easily changed in the current dkms version (v3.0.6-4)
because the $kernelver variable isn't available when sourcing the configuration
files; dkms in the current master tree fixed this issue by adding a fallback to

    /lib/modules/${kernelver}/build/scripts/

in the distro detection code, which makes signing work with any kernel I could
test till now.

[1] https://github.com/dell/dkms/issues/266
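
Added example (not part of the original message and not dkms code): a POSIX shell probe that looks for sign-file in the three locations named above, in that order, and checks that any framework.conf.d snippet exporting KBUILD_SIGN_PIN has mode 600. The function names and the optional root-prefix argument are hypothetical.

```shell
# Added example, not dkms code. Function names and the optional root-prefix
# argument are hypothetical; the prefix lets the probe run on a constructed tree.

# Print the first executable sign-file for a kernel version, trying the three
# locations named in the message, in that order.
find_sign_file() {
    kernelver=$1
    root=${2:-}
    for dir in \
        "/usr/lib/linux-kbuild-${kernelver%.*}/scripts" \
        "/usr/src/linux-headers-${kernelver}/scripts" \
        "/lib/modules/${kernelver}/build/scripts"
    do
        if [ -x "${root}${dir}/sign-file" ]; then
            printf '%s\n' "${root}${dir}/sign-file"
            return 0
        fi
    done
    echo "sign-file not found for ${kernelver}" >&2
    return 1
}

# Succeed unless the file exports KBUILD_SIGN_PIN with a mode other than 600.
# Uses GNU stat (-c), as found on Debian.
snippet_mode_ok() {
    file=$1
    grep -q '^[[:space:]]*export[[:space:]]\{1,\}KBUILD_SIGN_PIN=' "$file" || return 0
    mode=$(stat -c '%a' "$file") || return 2
    if [ "$mode" != "600" ]; then
        echo "${file}: mode ${mode}, expected 600" >&2
        return 1
    fi
    return 0
}

# Check every regular file in a framework.conf.d-style directory.
audit_conf_dir() {
    confdir=$1
    rc=0
    for f in "$confdir"/*; do
        [ -f "$f" ] || continue
        snippet_mode_ok "$f" || rc=1
    done
    return "$rc"
}
```

Because `${kernelver%.*}` keeps only the major.minor part, a third-party kernel with the same major.minor as an installed linux-kbuild package resolves to the Debian path first.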