Verification-done on trusty: dkms/2.2.0.3-1.1ubuntu5.14.04.10
I've installed bbswitch on a test UEFI system, upgraded the kernel to a newer version (ie. linux-image-hwe-trusty-generic) and was still able to load the module in; the module in the updates/dkms directory for the kernel version is clearly a signed copy.

ubuntu@ubuntu:~$ dpkg -l dkms shim-signed | cat
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                                       Architecture Description
+++-==============-=============================================-============-==============================================================
ii  dkms           2.2.0.3-2ubuntu11.6                           all          Dynamic Kernel Module Support Framework
ii  shim-signed    1.33.1~16.04.4+15+1533136590.3beb971-0ubuntu1 amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)

[  173.890220] usbcore: registered new interface driver asic0x
[  356.605416] bbswitch: version 0.7
[  356.605431] bbswitch: Found integrated VGA device 0000:00:02.0: \_SB_.PCI0.VID_
[  356.605443] bbswitch: No discrete VGA device found

** Tags removed: verification-needed verification-needed-trusty
** Tags added: verification-done-trusty

--
https://bugs.launchpad.net/bugs/1772950

Title:
  dkms key enrolled in mok, but dkms module fails to load

Status in dkms package in Ubuntu:
  Fix Released
Status in dkms source package in Trusty:
  Fix Committed
Status in dkms source package in Xenial:
  Fix Committed
Status in dkms source package in Bionic:
  Fix Released

Bug description:
  [Impact]
  All Ubuntu users for whom Secure Boot is enabled.

  [Test cases]
  1) install dkms module (use virtualbox-dkms for example)
  2) Upgrade kernel (for example, install 4.15.0-22-generic on top of 4.15.0-20-generic).
  3) Verify that the generated module for the new kernel (4.15.0-22-generic in this example) is built and signed by verifying that the file in /lib/modules/$kernel/updates/dkms/$module.ko ends in ~Module signature appended~:

     $ hexdump -Cv /lib/modules/4.15.0-22-generic/updates/dkms/vboxdrv.ko | tail -n 100
     [...]
     ~Module signature appended~

  4) Reboot
  5) modprobe -v the module. It should not respond "Required key not available", and should return with no error.
  6) Verify that dkms does not contain PKCS#7 errors.

  [Regression potential]
  Possible regressions involve failure to sign and/or be able to load modules after updates: failure to sign leading to a module being built but unsigned after a new kernel is installed or after a new DKMS module is installed, failure to load modules after reboot (usually caused by module being unsigned); failure to sign due to missing keys, signature key not being automatically slated for enrollment. All these potential regression scenarios present as failure to load a DKMS module after a reboot when it should be loaded successfully.

  ---

  At my last reboot, I was prompted to enable SecureBoot, so I did. When I booted, however, I noticed that the virtualbox service failed to start because it couldn't load its kernel module. If I attempt the same thing, I see that there's an issue with keys:

  $ sudo modprobe vboxdrv
  modprobe: ERROR: could not insert 'vboxdrv': Required key not available

  I do have keys enrolled; `mokutil --list-enrolled` produces http://paste.ubuntu.com/p/rntTQr5XJV/
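
The check in test case 3, as an added example that is not part of the bug report or of dkms: a Python parser for the trailer that kernel module signing appends to a .ko file, reading the kernel's struct module_signature rather than eyeballing hexdump output. The sample module bytes are constructed, and the function names are this example's own.

```python
import struct
import sys

# Trailer layout of the kernel's module signing format (not dkms code):
#   <module> [signer name] [key id] <signature> <struct module_signature> <magic>
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, big-endian sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
ID_TYPES = {0: "PGP", 1: "X509", 2: "PKCS#7"}


def parse_module_signature(data):
    """Describe the appended signature; None if unsigned, ValueError if malformed."""
    if not data.endswith(MAGIC):
        return None
    body = data[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("magic present but signature info is truncated")
    _algo, _hash, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    payload = len(body) - SIG_INFO.size
    trailer = sig_len + signer_len + key_id_len
    if sig_len == 0 or trailer > payload:
        raise ValueError("signature length %d does not fit in file" % sig_len)
    return {
        "id_type": ID_TYPES.get(id_type, "unknown(%d)" % id_type),
        "sig_len": sig_len,
        "module_len": payload - trailer,
    }


def constructed_sample(signed=True):
    """Constructed stand-in for a .ko file: fake ELF bytes plus a fake 64-byte blob."""
    module = b"\x7fELF" + b"\x00" * 100
    if not signed:
        return module
    return module + b"S" * 64 + SIG_INFO.pack(0, 0, 2, 0, 0, 64) + MAGIC


if __name__ == "__main__":
    # With no arguments, run on the constructed samples; otherwise pass .ko paths.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample-signed", constructed_sample()),
        ("sample-unsigned", constructed_sample(signed=False))]
    for name, data in inputs:
        try:
            print(name, parse_module_signature(data) or "UNSIGNED")
        except ValueError as exc:
            print(name, "MALFORMED:", exc)
```

A well-formed trailer only shows that the module was signed; it does not show that the signing key is enrolled in MOK, so the modprobe check in test case 5 is still needed after the reboot.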