On Sun, 08 Sep 2019 15:06:23 -0400 Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> Control: retitle 931440 dkms-built modules are not signed, do not work with secureboot
> Control: reassign 931440 dkms
> Control: affects 931440 + wireguard-dkms src:wireguard
> Control: tags 931440 + help
>
> Hi Lizard--
>
> On Fri 2019-07-05 01:32:58 +0100, hello i'm a lizard wrote:
> > The wireguard kernel module installed by wireguard-dkms doesn't appear to be
> > signed and is therefore unusable on a secureboot system (without me figuring
> > out how the whole mok key thing works and manually signing it myself). Since
> > debian is building and packaging a signed kernel, could you also do this for
> > this module?
>
> Debian doesn't ship binary modules for wireguard, so the modules that
> you are (rightly) concerned about are built via dkms.
>
> I agree with the problem that you've described, but i think the same
> problem is true for all modules built via dkms, so i'm reassigning this
> bug report to dkms itself, as i think that's where the issue probably
> needs to be addressed.
>
> Unfortunately, i'm not entirely sure how to address it -- how should a
> secureboot system deal with these keys safely while still keeping a
> rogue administrator from being able to install arbitrary modules?
>
> I'd appreciate any guidance from secureboot experts on the intersection
> of secureboot and dkms here.
>
> Regards,
>
> --dkg

Hello,

dkms v3 has automatic signing of modules, and v3.0.7 has it working for debian. For some reason it isn't signing while using apt, but is signing when I manually remove and add the modules.

I infer signing is being done when it is shown in the output, which was not the case when I installed nvidia-driver.

Thanks,
Siddh
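
Added example, not part of the thread and not dkms code: rather than inferring signing from build output, the built `.ko` file can be inspected directly, because the kernel's module signing appends a PKCS#7 blob, a 12-byte `struct module_signature` trailer and a fixed marker string to the module image. The function names and the sample bytes are constructed for illustration; the check shows only that a signature is appended, not that it validates against a key enrolled for Secure Boot.

```python
import struct
import sys

# Marker the kernel looks for at the very end of a signed module image.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def inspect_module(data: bytes) -> dict:
    """Report whether an uncompressed .ko image carries an appended signature."""
    if data[:4] != b"\x7fELF":
        # .ko.xz / .ko.zst files must be decompressed before inspection.
        return {"signed": False, "reason": "not an ELF image"}
    if not data.endswith(MAGIC):
        return {"signed": False, "reason": "no signature marker"}
    end = len(data) - len(MAGIC)
    if end < TRAILER.size:
        return {"signed": False, "reason": "truncated trailer"}
    body = end - TRAILER.size
    _algo, _hash, id_type, _slen, _klen, sig_len = TRAILER.unpack_from(data, body)
    if sig_len == 0 or sig_len > body:
        return {"signed": False, "reason": "bad signature length"}
    return {
        "signed": True,
        "pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "module_len": body - sig_len,  # size of the module without signature
    }


def make_sample(signed: bool) -> bytes:
    """Constructed stand-in for a module image (not a loadable module)."""
    image = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return image
    sig = b"\x30\x82" + b"\xaa" * 30  # placeholder bytes, not a real PKCS#7
    return image + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    # Usage: python3 check_ko.py /path/to/module.ko [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_module(fh.read()))
```

Running it over the modules dkms produced after an apt install and again after a manual remove and add shows whether the two paths differ in the resulting files.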