Your message dated Thu, 31 Jul 2025 06:18:43 +0000
with message-id <[email protected]>
and subject line unblock shim-signed
has caused the Debian Bug report #1110126,
regarding unblock: shim-signed/1.47
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1110126: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110126
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:shim-signed
Hi folks,
Please unblock package shim-signed
Apologies for leaving this so late - I started hacking on this during
DebCamp, then... :-(
I've added a targeted fix for the serious bug #1108278 (Asks to
disable EFI Secure Boot with enrolled DKMS key). We really shouldn't
be telling users to disable Secure Boot when they've followed the
instructions and generated a key for DKMS to use. So I've added logic
to test for that in the update-secureboot-policy that we run from the
shim-signed.postinst.
I've tested this reasonably extensively on some machines here, and both
of the contributors in #1108278 have also tested the fix
successfully. I've tried to be as careful as possible in the change
here, to reduce the chances of DKMS users being locked out via SB if
anything is missing.
I've had a number of other people ask about this outside of the bug
report, via IRC and IRL. As we have a lot of people using DKMS for
Nvidia drivers in particular, this change should hopefully reduce a
lot of upgrade pain for our users.
(Please provide enough (but not too much) information to help
the release team to judge the request efficiently. E.g. by
filling in the sections below.)
Debdiff attached.
unblock shim-signed/1.47
diff -Nru shim-signed-1.46/debian/changelog shim-signed-1.47/debian/changelog
--- shim-signed-1.46/debian/changelog 2025-06-23 11:55:56.000000000 +0100
+++ shim-signed-1.47/debian/changelog 2025-07-29 18:40:12.000000000 +0100
@@ -1,3 +1,16 @@
+shim-signed (1.47) unstable; urgency=medium
+
+ * update-secureboot-policy: do better checking around DKMS
+ If we have DKMS modules installed:
+ + Check to see if a DKMS MOK key has been created and enrolled;
+ + Check that all the DKMS modules are signed with that key;
+ If successful, don't tell users to disable Secure Boot.
+ Closes: #1108278.
+ Add dependencies on openssl and kmod for shim-signed-common,
+ needed for implementing these check.
+
+ -- Steve McIntyre <[email protected]> Tue, 29 Jul 2025 18:40:14 +0100
+
shim-signed (1.46) unstable; urgency=medium
* No-change rebuild to upload source-only. Argh. :-/
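Review bot: typo in the new changelog entry, "needed for implementing these check" should read "these checks". It would also help reviewers of the unblock to state in the entry what happens when the new checks fail (the existing disable-Secure-Boot prompt is kept), since that is the behaviour the fix is careful to preserve.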
diff -Nru shim-signed-1.46/debian/control shim-signed-1.47/debian/control
--- shim-signed-1.46/debian/control 2025-06-22 22:53:36.000000000 +0100
+++ shim-signed-1.47/debian/control 2025-07-29 18:21:12.000000000 +0100
@@ -40,7 +40,7 @@
Package: shim-signed-common
Multi-Arch: foreign
Architecture: all
-Depends: ${misc:Depends}, mokutil
+Depends: ${misc:Depends}, mokutil, openssl, kmod
Replaces: shim-signed (<< 1.32+15+1533136590.3beb971-5)
Breaks: shim-signed (<< 1.32+15+1533136590.3beb971-5)
Description: Secure Boot chain-loading bootloader (common helper scripts)
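Review bot: Depends rather than Recommends is the right strength for openssl and kmod here. update-secureboot-policy is run from shim-signed.postinst and, on the DKMS path, feeds the output of openssl and modinfo straight into a string comparison, so a missing tool would not fail loudly but would yield an empty key id, a non-match, and the old disable-Secure-Boot advice. kmod is already Priority: important, so openssl is the only new install cost, and it is pulled in even on systems that have no DKMS modules.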
diff -Nru shim-signed-1.46/update-secureboot-policy
shim-signed-1.47/update-secureboot-policy
--- shim-signed-1.46/update-secureboot-policy 2019-05-25 02:26:08.000000000
+0100
+++ shim-signed-1.47/update-secureboot-policy 2025-07-29 18:40:14.000000000
+0100
@@ -26,6 +26,7 @@
secureboot_var=SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
moksb_var=MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
moksbstatert_var=MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
+ dkms_mok_pubkey=/var/lib/dkms/mok.pub
action=disable
if [ $enable_sb -eq 1 ]; then
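Review bot: the DKMS certificate path is hardcoded as /var/lib/dkms/mok.pub. That is the DKMS default, but it is configurable (the mok_certificate setting in /etc/dkms/framework.conf), so a user who pointed DKMS at a different certificate, for instance one already enrolled for other purposes, would fail the `-f $dkms_mok_pubkey` test below and still be told to disable Secure Boot. Reading the value from framework.conf with this path as the fallback would cover that case.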
@@ -51,8 +52,55 @@
moksbstatert=$(od -An -t u1 $efivars/$moksbstatert_var | \
awk '{ print $NF; }')
fi
+
# poor man's xor
if [ $(($moksbstatert+$enable_sb)) -ne 1 ]; then
+
+ echo "$0: Checking status of DKMS module signing:" >&2
+
+ # We have DKMS and secure boot is enabled. Check to see if we
+ # have a DKMS key and if it's enrolled in MOK. If it is, we
+ # should be fine.
+ if [ -f $dkms_mok_pubkey ]; then
+ echo " [ OK ] System DKMS key found in $dkms_mok_pubkey" >&2
+ registered_ok=0
+
+ # Gran the serial number of the DKMS key
+ dkms_key=$(openssl x509 -in $dkms_mok_pubkey -text | \
+ awk '/Serial Number/ {getline;print tolower($1)}')
+
+ # And compare it to all the keys that MOK knows about -
+ # any match is good enough.
+ for mok_key in $(mokutil --list-enrolled | \
+ awk '/Serial Number/ {getline;print tolower($1)}'); do
+ if [ "$dkms_key"x = "$mok_key"x ]; then
+ echo " [ OK ] System DKMS key is registered via MOK" >&2
+ registered_ok=1
+ fi
+ done
+ if [ $registered_ok != 1 ]; then
+ echo " E: System's DKMS key is NOT installed in MOK." >&2
+ else
+ signed_ok=1
+ # Now check all the DKMS modules we can find are
+ # signed with this key.
+ for mod in $(find /var/lib/dkms/ -name '*.ko'); do
+ mod_key=$(modinfo $mod | awk '/sig_key:/ {print
tolower($2)}')
+ if [ "$mod_key"x != "$dkms_key"x ]; then
+ echo " E: $mod is not signed with the DKMS key" >&2
+ signed_ok=0
+ fi
+ done
+ if [ $signed_ok = 1 ]; then
+ echo " [ OK ] All DKMS modules signed with the DKMS key"
>&2
+ echo "All OK, nothing to do." >&2
+ return 0
+ else
+ echo " Some modules not signed with the DKMS key.
Rebuild?." >&2
+ fi
+ fi
+ fi
+
STATE=1
db_settitle shim/title/secureboot
while true; do
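Review bot: the two `awk '/Serial Number/ {getline;print tolower($1)}'` pipelines (one over `openssl x509 -text`, one over `mokutil --list-enrolled`) assume the serial is printed on the line after "Serial Number:". OpenSSL's text printer only does that for serials too large for a C long; shorter ones are printed inline as "Serial Number: N (0xN)", so for a certificate with a short serial (for example one created with -set_serial) the following line would be captured instead, `if [ "$dkms_key"x = "$mok_key"x ]` would never match, and the user would land in the "NOT installed in MOK" branch and the old prompt. DKMS-generated certificates get a long random serial, so this works for the default case, but `openssl x509 -noout -serial` gives the value in one fixed shape whatever its length. Two smaller points: if `find /var/lib/dkms/ -name '*.ko'` matches nothing, signed_ok stays 1 and the script prints "All OK" and returns without having checked a single module, so counting the modules inspected would make that path explicit; and "Gran the serial number" in the comment should read "Grab".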
--- End Message ---
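As an added example (not the patch's code and not part of shim-signed), here is the same DKMS check with the key identifiers taken from `openssl x509 -noout -serial` and from the DER files written by `mokutil --export`, rather than parsed out of text output; it assumes openssl, mokutil and modinfo are installed, as the patch does, and uses the DKMS default certificate path /var/lib/dkms/mok.pub unless another is passed.

```shell
#!/bin/sh
# Added example (not from the bug report or shim-signed): check that the DKMS
# MOK certificate is enrolled and that every DKMS-built module is signed with
# it. Assumes openssl, mokutil and modinfo (kmod) are installed.

# Normalise a key id: openssl prints "serial=0A1B..", modinfo "0a:1b:..",
# so strip colons and whitespace, lowercase, and drop leading zeros.
norm_serial() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f' | sed 's/^0*//'
}

# Serial of a certificate; mok.pub may be PEM or DER (mokutil --import takes
# DER), so try both. -noout -serial has one fixed shape whatever the length.
cert_serial() {
    { openssl x509 -in "$1" -noout -serial 2>/dev/null ||
      openssl x509 -inform DER -in "$1" -noout -serial; } | sed 's/^serial=//'
}

# Serials of all enrolled MOK certificates. `mokutil --export` writes
# MOK-000N.der files into the current directory, so run it in a temp dir.
mok_serials() {
    dir=$(mktemp -d) || return 1
    (cd "$dir" || exit 1
     mokutil --export >/dev/null 2>&1
     for f in MOK-*.der; do [ -f "$f" ] && cert_serial "$f"; done)
    rm -rf "$dir"
}

# Key id recorded in a module's signature (empty when unsigned or unreadable).
module_sig_key() {
    modinfo "$1" 2>/dev/null | awk '/^sig_key:/ { print $2 }'
}

# Returns 0 only if the cert is in MOK and every module under /var/lib/dkms
# carries a signature by it; reports each failing module on stderr.
check_dkms_signing() {
    cert=${1:-/var/lib/dkms/mok.pub}
    want=$(norm_serial "$(cert_serial "$cert")")
    [ -n "$want" ] || { echo "E: cannot read a serial from $cert" >&2; return 1; }
    enrolled=0
    for s in $(mok_serials); do
        [ "$(norm_serial "$s")" = "$want" ] && enrolled=1
    done
    [ $enrolled -eq 1 ] || { echo "E: DKMS key $want is not enrolled in MOK" >&2; return 1; }
    rc=0
    for mod in $(find /var/lib/dkms/ -name '*.ko'); do
        have=$(norm_serial "$(module_sig_key "$mod")")
        [ "$have" = "$want" ] || { echo "E: $mod is not signed with the DKMS key" >&2; rc=1; }
    done
    return $rc
}
```

Run `check_dkms_signing` as root on a Secure Boot system; exit status 0 means the key is enrolled and every module matched, anything else is explained on stderr.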
--- Begin Message ---
Unblocked shim-signed.
--- End Message ---