Tested on AWS instance with 6.8.0-1024-aws installed and ubuntu-drivers-common = 1:0.9.7.6ubuntu3.2 installed from noble-proposed

1. Add Nvidia Graphics Drivers (stable) "ppa:canonical-kernel-team/nvidia-graphics" with new nvidia drivers that do not have LRM created (true at the time of testing)
2. Run "ubuntu-drivers list"
3. Run "ubuntu-drivers list --include-dkms"
4. Observe correct installation of packages. The list of packages shows extra entries:

The PPA added in step 2 contains nvidia-driver-570 driver that is not yet in any form in Noble.

Calling command at #2 gives:

nvidia-driver-550, (kernel modules provided by linux-modules-nvidia-550-aws)
nvidia-driver-535, (kernel modules provided by linux-modules-nvidia-535-aws)
nvidia-driver-470, (kernel modules provided by linux-modules-nvidia-470-aws)
nvidia-driver-535-server, (kernel modules provided by linux-modules-nvidia-535-server-aws)
nvidia-driver-470-server, (kernel modules provided by linux-modules-nvidia-470-server-aws)
nvidia-driver-570-server-open, (kernel modules provided by linux-modules-nvidia-570-server-open-aws)
nvidia-driver-550-open, (kernel modules provided by linux-modules-nvidia-550-open-aws)
nvidia-driver-535-open, (kernel modules provided by linux-modules-nvidia-535-open-aws)
nvidia-driver-570-server, (kernel modules provided by linux-modules-nvidia-570-server-aws)
nvidia-driver-535-server-open, (kernel modules provided by linux-modules-nvidia-535-server-open-aws)

All drivers are listed as "provided by linux-modules-nvidia-" packages so our LRM signed modules. The top of the list shows nvidia-driver-550 and there is no mention of 570.

Calling command #3 gives:

nvidia-driver-570-open, (kernel modules provided by nvidia-dkms-570-open)
nvidia-driver-550, (kernel modules provided by linux-modules-nvidia-550-aws)
nvidia-driver-535, (kernel modules provided by linux-modules-nvidia-535-aws)
nvidia-driver-470, (kernel modules provided by linux-modules-nvidia-470-aws)
nvidia-driver-570, (kernel modules provided by nvidia-dkms-570)
nvidia-driver-535-server, (kernel modules provided by linux-modules-nvidia-535-server-aws)
nvidia-driver-470-server, (kernel modules provided by linux-modules-nvidia-470-server-aws)
nvidia-driver-570-server-open, (kernel modules provided by linux-modules-nvidia-570-server-open-aws)
nvidia-driver-550-open, (kernel modules provided by linux-modules-nvidia-550-open-aws)
nvidia-driver-535-open, (kernel modules provided by linux-modules-nvidia-535-open-aws)
nvidia-driver-570-server, (kernel modules provided by linux-modules-nvidia-570-server-aws)
nvidia-driver-535-server-open, (kernel modules provided by linux-modules-nvidia-535-server-open-aws)

With --include-dkms the top position is occupied by nvidia-driver-570-open that is provided by nvidia-dkms-570-open. This is a DKMS package that has no signed LRM packages yet.

** Tags removed: verification-needed-noble
** Tags added: verification-done-noble

https://bugs.launchpad.net/bugs/2090924

Title:
  introduce --include-dkms optional flag

Status in ubuntu-drivers-common package in Ubuntu:
  Fix Released
Status in ubuntu-drivers-common source package in Jammy:
  New
Status in ubuntu-drivers-common source package in Noble:
  Fix Committed
Status in ubuntu-drivers-common source package in Oracular:
  Fix Released
Status in ubuntu-drivers-common source package in Plucky:
  Fix Released

Bug description:

  [ Impact ]

  Listing available drivers shows nvidia drivers that match the current hardware installed, but it contains both drivers that are LRM prepared and the ones that are DKMS only. This can happen in a time window between releasing new drivers and respinning LRM modules with these drivers. A user can therefore select a driver that is DKMS only, which will break secure boot, as signed drivers are provided in LRM package.

  A fix is to introduce a flag '--include-dkms' that when not enabled will make u-d-c not show nvidia drivers that have no LRM

  [ Steps to reproduce ]

  1. Add a PPA with nvidia-drivers that are not yet LRM prepared, in my case
  2. Call 'ubuntu-drivers list'
  3. Observe the list of packages that is installed

  A typical list would look like this:

  nvidia-driver-560-open, (kernel modules provided by nvidia-dkms-560-open)
  nvidia-driver-550, (kernel modules provided by linux-modules-nvidia-550-aws)
  nvidia-driver-535, (kernel modules provided by linux-modules-nvidia-535-aws)
  nvidia-driver-470, (kernel modules provided by linux-modules-nvidia-470-aws)

  First entry shows 'kernel modules provided by nvidia-dkms-560-open', while all the others have: 'kernel modules provided by linux-modules-nvidia-470-aws'. When a user chooses to install 560-open, by hand by providing the version or by using '--recommended', his system will have a broken Secure Boot as nvidia drivers are not signed.

  [ Test plan ]

  1. Simulate the issue by adding a PPA with a driver line that is not yet LRM prepared, in my case it's https://launchpad.net/~kuba-t-pawlak/+archive/ubuntu/nvidia-560
  2. Call 'ubuntu-drivers list' with and without '--include-dkms'

  [ Expected result ]

  Without '--include-dkms' the list of available drivers should not contain any entry that has (kernel modules provided by nvidia-dkms-YYY-ZZZ) in it, only the ones with (kernel modules provided by linux-modules-nvidia-XXX-YYY)
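
A check for the expected result above, as an added example that is not part of the original report or of ubuntu-drivers-common: it parses the two 'ubuntu-drivers list' outputs and reports any entry that violates the filter. The function names are hypothetical and the sample output is abridged from the lists quoted in this report.

```python
import re

# Line format as it appears in the 'ubuntu-drivers list' output quoted in this report.
ENTRY = re.compile(
    r"^(?P<driver>[^,\s]+), \(kernel modules provided by (?P<provider>[^\s)]+)\)$")

def parse(output):
    """Return {driver: provider} for every well-formed line of list output."""
    entries = {}
    for line in output.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m["driver"]] = m["provider"]
    return entries

def is_dkms(provider):
    # Per the report, nvidia-dkms-* providers are DKMS only (no signed LRM package).
    return provider.startswith("nvidia-dkms-")

def check(default_out, dkms_out):
    """Compare output without and with --include-dkms; return a list of problems."""
    default, full = parse(default_out), parse(dkms_out)
    problems = [f"{d}: DKMS-only entry shown without --include-dkms"
                for d, p in default.items() if is_dkms(p)]
    # Only DKMS-only drivers may be hidden by default; LRM-backed ones must stay.
    problems += [f"{d}: hidden although provided by {full[d]}"
                 for d in sorted(set(full) - set(default)) if not is_dkms(full[d])]
    problems += [f"{d}: missing from --include-dkms output"
                 for d in sorted(set(default) - set(full))]
    return problems

# Sample output, abridged from the lists quoted in this report.
WITH_DKMS = """\
nvidia-driver-570-open, (kernel modules provided by nvidia-dkms-570-open)
nvidia-driver-550, (kernel modules provided by linux-modules-nvidia-550-aws)
nvidia-driver-570, (kernel modules provided by nvidia-dkms-570)
nvidia-driver-570-server, (kernel modules provided by linux-modules-nvidia-570-server-aws)
"""
DEFAULT = """\
nvidia-driver-550, (kernel modules provided by linux-modules-nvidia-550-aws)
nvidia-driver-570-server, (kernel modules provided by linux-modules-nvidia-570-server-aws)
"""

if __name__ == "__main__":
    for problem in check(DEFAULT, WITH_DKMS) or ["filter behaves as expected"]:
        print(problem)
```

On a test machine, the two strings would be replaced with the captured output of 'ubuntu-drivers list' and 'ubuntu-drivers list --include-dkms'.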