fails to sign kernel modules

Bug #1991725 reported by Mike Adams
This bug affects 22 people
Affects | Status | Importance | Assigned to | Milestone
Release Notes for Ubuntu | Fix Released | Undecided | Unassigned |
dkms (Ubuntu) | Fix Released | High | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]

With the current state of the DKMS package, if a user attempts to install any package that includes a third-party driver (Broadcom WiFi, VirtualBox, v4l2loopback, etc.), the process of signing the newly built driver with a MOK key will fail silently. This means that any packages and hardware that require third-party drivers are currently unusable on a system with Secure Boot. This bug has been tested and verified to occur with the bcmwl-kernel-source package, but also is very likely to affect any other packages that use DKMS modules.

The fix for this is in the -proposed pocket at the moment, and has been tested to work.

[Test plan]

1. Obtain a system with UEFI, Secure Boot, and Broadcom WiFi. (If Broadcom WiFi is not an option, install VirtualBox in Step 9 rather than bcmwl-kernel-source.)
2. Install Ubuntu on the system, but do not enable the installation of third-party drivers.
3. When installation finishes, reboot.
4. When the system boots into the Ubuntu desktop, connect to the Internet without WiFi, and update all packages on the system.
5. Enable -proposed.
6. Update *just* the DKMS package with "sudo apt install dkms".
7. Disable -proposed.
8. Run "sudo apt install bcmwl-kernel-source".
9. Reboot and enroll the MOK, then reboot again. The WiFi adapter should begin working once Ubuntu boots.

[Where problems could occur]

Theoretically, a bug in the code could result in DKMS drivers still not being signed in some instances (though there are no known instances where this happens). But as Secure Boot + DKMS is already entirely broken, even this kind of breakage would be an improvement beyond what we already have. Given the rather obvious nature of such breakage, thorough testing should be able to detect it with ease.

---

Original bug reports:

Expected on kinetic: dkms will sign built modules with MOK key if requested.

What happens:
dkms outputs "Binary kmod-sign not found, modules won't be signed"

Fix:
update dkms to 3.0.7: https://github.com/dell/dkms/pull/242

---

dkms 3.0.6-2ubuntu2 is being tested in kinetic-proposed to resolve this issue

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dkms (Ubuntu):
status: New → Confirmed
Bruno Redondi (brunor73) wrote :

If you don't want to update the dkms package version, you can apply this patch to fix the problem

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "dkms.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Aaron Rainbolt (arraybolt3) wrote :

Installing the Kinetic Final image on a Secure Boot enabled laptop with Broadcom WiFi resulted in the WiFi adapter not being able to be turned on in the newly installed system. Doing "sudo modprobe wl" tells me "Key was rejected by service".

Aaron Rainbolt (arraybolt3) wrote :

Also, I was able to manually sign the Broadcom kernel module with kmodsign and now it's accepted.

Aaron Rainbolt (arraybolt3) wrote :

Worthy of note, to get the driver to build so I could sign it, I had to do "sudo dpkg-reconfigure bcmwl-kernel-source", then sign the resulting wl.ko file. So it looks like the driver isn't even building in the first place.

Ubuntu QA Website (ubuntuqa) wrote :

This bug has been reported on the Ubuntu ISO testing tracker.

A list of all reports related to this bug can be found here:
https://iso.qa.ubuntu.com/qatracker/reports/bugs/1991725

tags: added: iso-testing
Aaron Rainbolt (arraybolt3) wrote :

To work around the issue by rebuilding and signing the driver manually:

1: Run "sudo dpkg-reconfigure bcmwl-kernel-source" to rebuild the driver.
2: Run "sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/5.19.0-21-generic/updated/dkms/wl.ko" to sign the driver.
3: Run "sudo modprobe wl" to load the driver. At this point the WiFi module should start working and you should be able to connect to WiFi.

Note that this assumes that the wl.ko module is at /lib/modules/5.19.0-21-generic/updated/dkms/wl.ko, however since the user probably hasn't managed to update their kernel yet, it's a safe bet that this is in fact where the module is.
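
As an added example (not part of any comment in this report, and not DKMS or Ubuntu code), the following check detects the silent failure described under [Impact] by looking for the signature trailer the kernel expects at the end of each `.ko` file. It tests only that a signature is present, covers uncompressed `.ko` files only, and the default directory (the `updates/dkms` tree of the running kernel) and the sample bytes are assumptions constructed for illustration.

```python
import os
import struct
import sys
from pathlib import Path

MAGIC = b"~Module signature appended~\n"   # marker the kernel looks for at EOF
TRAILER = struct.Struct(">BBBBB3xI")        # struct module_signature (12 bytes)
PKEY_ID_PKCS7 = 2                           # id_type used for PKCS#7 signatures


def signature_info(blob: bytes):
    """Return (sig_len, id_type) if blob ends in a well-formed signature trailer."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        return None
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    # A zero-length or truncated signature is reported as unsigned.
    if sig_len == 0 or sig_len > end - TRAILER.size:
        return None
    return sig_len, id_type


def unsigned_modules(root: Path):
    """List .ko files under root that carry no appended signature."""
    return sorted(p for p in root.rglob("*.ko")
                  if signature_info(p.read_bytes()) is None)


def make_sample(signed: bool) -> bytes:
    """Constructed stand-in for a module: fake ELF bytes plus optional fake signature."""
    body = b"\x7fELF" + b"\0" * 60
    if not signed:
        return body
    sig = b"\xAA" * 256  # placeholder bytes, not a real PKCS#7 blob
    return body + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    # Assumed default: DKMS output directory for the running kernel.
    default = f"/lib/modules/{os.uname().release}/updates/dkms"
    root = Path(sys.argv[1] if len(sys.argv) > 1 else default)
    missing = unsigned_modules(root)
    for path in missing:
        print(f"UNSIGNED {path}")
    sys.exit(1 if missing else 0)
```

A module that passes this check can still be rejected at load time if its signing key is not enrolled; `modinfo -F signer <module>` shows who signed it and `mokutil --test-key /var/lib/shim-signed/mok/MOK.der` reports whether that MOK is enrolled.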

Marcos Alano (mhalano) wrote :

I tried the new version and it worked perfectly.

Changed in dkms (Ubuntu):
importance: Undecided → High
status: Confirmed → Triaged
Changed in dkms (Ubuntu):
status: Triaged → Fix Committed
description: updated
Changed in ubuntu-release-notes:
status: New → Fix Released
Aaron Rainbolt (arraybolt3) wrote :

At the time of this writing, this fix is still stuck in -proposed. This makes the Lubuntu release notes wrong, as it makes it so that updating the system prior to installing WiFi drivers is not enough, even though it is documented as being enough. Considering that this fix very nearly was hotfixed into the Kinetic ISOs just before release, it might be helpful if this could be pushed through to -updates as soon as possible.

Gianfranco Costamagna (costamagnagianfranco) wrote :

Ubuntu-SRU please release this one if possible, it is tested and working, and preventing people from building kernel modules.

Jorge Pérez Lara (jorgesgk) wrote :

When will the ISOs be correct?

Jorge Pérez Lara (jorgesgk) wrote :

BTW for those that don't have it, this is a solution:

https://discourse.ubuntu.com/t/dkms-package-support-extra-drivers-does-not-work-in-ubuntu-22-10-install-media/31655

There's a typo, though. The command should be:

sudo kmodsign sha512 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der /lib/modules/5.19.0-23-generic/updates/dkms/wl.ko

description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 3.0.6-2ubuntu2

---------------
dkms (3.0.6-2ubuntu2) kinetic; urgency=medium

  * Fix dkms signing regressions with cherry-picks from 3.0.7 upstream
    git. LP: #1991725
    - Reinstate enroll call, as it causes dpkg-trigger action during dpkg
    transaction to enroll newly created key, if it wasn't enrolled yet.

 -- Dimitri John Ledkov <email address hidden> Thu, 20 Oct 2022 12:34:29 +0100

Changed in dkms (Ubuntu):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mike, or anyone else affected,

Accepted dkms into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dkms/3.0.6-2ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in dkms (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-kinetic
description: updated
description: updated
Aaron Rainbolt (arraybolt3) wrote :

Tested on my HP Elitebook 8570p, with Secure Boot and Broadcom WiFi, following the current test plan. All operations went as expected, WiFi is working properly.

tags: added: verification-done verification-done-kinetic
removed: verification-needed verification-needed-kinetic
Gianfranco Costamagna (costamagnagianfranco) wrote :

@sil2100, since this bug is already 13 days old (when the package was really accepted), and it's verified as working, can't we just promote it to proposed pocket?

Łukasz Zemczak (sil2100) wrote :

@Gianfranco - this is why I added the verification-needed tags and was poking Aaron on IRC because I wanted confirmation that this update is verified. Previously I only got a written confirmation on IRC which I wanted to have here as the papertrail (+ the other comments on the bug were a bit confusing).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dkms - 3.0.6-2ubuntu2

---------------
dkms (3.0.6-2ubuntu2) kinetic; urgency=medium

  * Fix dkms signing regressions with cherry-picks from 3.0.7 upstream
    git. LP: #1991725
    - Reinstate enroll call, as it causes dpkg-trigger action during dpkg
    transaction to enroll newly created key, if it wasn't enrolled yet.

 -- Dimitri John Ledkov <email address hidden> Thu, 20 Oct 2022 12:34:29 +0100

Changed in dkms (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for dkms has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Hesham Mohamed Khalil Youssif Ali (hesham-khalil123) wrote :

I've done similar steps to install NVIDIA drivers on Ubuntu 22.10 with Secure Boot enabled, but I didn't face mokutil.

Steps to reproduce:

1. During installation I didn't install third-party drivers.

2. I updated the system, then restarted.

3. I enabled the proposed repo and installed the updated "dkms" package (sudo apt install dkms).

4. Disabled the proposed repo and rebooted.

5. I installed the NVIDIA driver with the GUI (proprietary, tested) and rebooted the system successfully and Ubuntu. The NVIDIA driver is working.

The problem is I didn't encounter mokutil during and after the installation of the NVIDIA driver (like creating a password, then after the reboot I enroll the MOK).

Lukáš Chmela (lukaschmela) wrote :

This issue is still valid in Ubuntu 23.04 with the virtualbox-dkms package. See bug report https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1992673 marked as a duplicate of this issue.
