MOK not asked upon installation of acpi-call-dkms

Bug #1872213 reported by Guillaume Michaud
This bug affects 1 person
Affects: acpi-call (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

When installing acpi-call-dkms in Ubuntu 20.04 with secure boot enabled, a password (MOK) is asked.
However, this password is not asked upon reboot... Therefore the key is not enrolled and the acpi_call cannot be used: "modprobe: ERROR: could not insert 'acpi_call': Operation not permitted"
Disabling secure boot (of course) solves the problem.
I noticed that after installing acpi-call-dkms and before rebooting, "sudo mokutil --list-new" says that "MokNew is empty".

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: acpi-call-dkms 1.1.0-5
ProcVersionSignature: Ubuntu 5.4.0-21.25-generic 5.4.27
Uname: Linux 5.4.0-21-generic x86_64
ApportVersion: 2.20.11-0ubuntu26
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Sat Apr 11 18:25:19 2020
InstallationDate: Installed on 2020-04-11 (0 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Beta amd64 (20200409)
PackageArchitecture: all
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=fr_FR.UTF-8
 SHELL=/bin/bash
SourcePackage: acpi-call
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Guillaume Michaud (gfmichaud) wrote :

Manually executing
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
then rebooting and enrolling the key solved the problem.
But I guess that should have been done automatically?

Raphaël Halimi (raph) wrote :

Hi,

thanks for the report.

I admit that, since I didn't own a UEFI machine until recently, I never looked into the secure boot process.

Now that I do, I need to determine if this signature is supposed to be done by the module packages themselves, by DKMS once and for all, or manually by the user.

In the meantime, could you tell me if you manually created /var/lib/shim-signed/mok/MOK.der or if it was done by some package at some point?

The documents I read about secure boot on Debian seem to indicate that this certificate must be created by the user, and since there's no "standard" place to do that, I don't see how I could automate this in the package scripts.

Regards,

--
Raphaël

Guillaume Michaud (gfmichaud) wrote :

I did not create the /var/lib/shim-signed/mok/MOK.der key: I only located it using "locate *.der".
I guess some package created it (though "dpkg -S" knows nothing about it).

Raphaël Halimi (raph) wrote :

Mmmh, a search through sources.debian.net indicates that this path is mentioned in the source code of packages dkms and virtualbox.

https://codesearch.debian.net/search?q=%2Fvar%2Flib%2Fshim-signed%2Fmok%2FMOK.der

I guess that DKMS creates the certificate, and VirtualBox seems able to use it.

I will see if I can do the same with acpi-call, but it's too late for Focal.

Maybe the package could be backported once it is synchronized from Debian Sid.

In the meantime I'll leave the bug report open.

Thanks for your help!

Raphaël Halimi (raph) wrote :

After looking into the process of signing DKMS modules, I confirm that creating the keys and configuring DKMS to sign modules after building is not configured in the module packages.

Closing the bug as invalid.

Changed in acpi-call (Ubuntu):
status: New → Invalid
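
Added example, not part of the original bug report or of any package discussed in it: a small shell triage for the situation described above, where the MOK password is asked at install time but no enrollment request is queued for the next boot. The function names are hypothetical, and the "SecureBoot enabled" and "is already enrolled" strings are assumed mokutil output; "MokNew is empty" and the certificate path are taken from the report.

```shell
#!/bin/sh
# Classify the MOK enrollment state from captured mokutil output.
#   $1: output of `mokutil --sb-state`
#   $2: output of `mokutil --test-key <cert>`
#   $3: output of `mokutil --list-new`
# Simplification: any non-empty MokNew is treated as "our key is queued".
mok_state() {
    case "$1" in
        *"SecureBoot enabled"*) ;;                     # assumed output string
        *) echo "secureboot-off"; return 0 ;;
    esac
    case "$2" in
        *"is already enrolled"*) echo "enrolled"; return 0 ;;  # assumed string
    esac
    case "$3" in
        *"MokNew is empty"*|"") echo "not-queued" ;;   # the state in this report
        *) echo "pending-reboot" ;;
    esac
}

# Map a state to the next step; the import/reboot/enroll sequence is the
# workaround given in the thread.
mok_advice() {
    case "$1" in
        secureboot-off) echo "Secure Boot is off: unsigned modules load, no MOK needed" ;;
        enrolled)       echo "Key enrolled: check the module signer with 'modinfo -F signer acpi_call'" ;;
        pending-reboot) echo "Request queued: reboot and choose 'Enroll MOK' in the shim menu" ;;
        not-queued)     echo "Nothing queued: run 'sudo mokutil --import $2', then reboot and enroll" ;;
        *)              echo "Cannot check: $1" ;;
    esac
}

# Live check on the local machine (run as root: --list-new may need it).
mok_check() {
    cert=${1:-/var/lib/shim-signed/mok/MOK.der}
    [ -r "$cert" ] || { echo "no-cert"; return 0; }
    command -v mokutil >/dev/null 2>&1 || { echo "no-mokutil"; return 0; }
    mok_state "$(mokutil --sb-state 2>&1)" \
              "$(mokutil --test-key "$cert" 2>&1)" \
              "$(mokutil --list-new 2>&1)"
}

if [ "${1:-}" = "--live" ]; then
    cert=${2:-/var/lib/shim-signed/mok/MOK.der}
    mok_advice "$(mok_check "$cert")" "$cert"
fi
```

Run it with `--live` right after installing a DKMS package and before rebooting; a `not-queued` result reproduces the condition in this report.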