LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key

Bug #1918134 reported by Andy Whitcroft on 2021-03-08
This bug affects 1 person
Affects (importance, assigned to):
linux (Ubuntu): Medium, Andy Whitcroft
  Bionic: Medium, Andy Whitcroft
  Focal: Medium, Andy Whitcroft
  Groovy: Medium, Andy Whitcroft
  Hirsute: Medium, Andy Whitcroft
linux-restricted-modules (Ubuntu): Medium, Andy Whitcroft
  Bionic: Undecided, Unassigned
  Focal: Undecided, Unassigned
  Groovy: Undecided, Unassigned
  Hirsute: Medium, Andy Whitcroft

Bug Description

To allow decoupling of nvidia-graphics-drivers-<version> streams and versions from the underlying kernel versions we wish to be able to sign new kernel modules into an existing kernel after the fact. Under bug #1898716 we added support for an Ubuntu Modules signing key certificate. Rebuild the LRM package to make use of this new signature.

This involves splitting the LRM package into three. linux-restricted-modules first builds the nvidia-graphics-drivers-* we require signed. linux-restricted-generate then consumes the .o's produced in that build and forms a signing custom binary upload for this. linux-restricted-signatures then consumes the signing result from the LRG upload and expresses clean redistributable signatures which are consumed by LRM at installation time. LRG must be embargoed as it (necessarily) generates fully formed .ko files for signing.

Additional process is added to the kernel build life-cycle to handle the privacy requirements of the LRG/LRS interaction.
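
Added example, not part of the bug report and not the LRM packaging scripts: a sketch of install-time assembly in which a relinked, unsigned module and a separately shipped signature are checked against sha256 values and then joined using the kernel's appended-signature framing (the layout written by scripts/sign-file). The manifest dict, the function names and the sample bytes are assumptions constructed for illustration; the signature blob is a placeholder, not a real PKCS#7 structure.

```python
import hashlib
import struct

# Trailer the kernel module loader looks for at the end of a signed .ko.
MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# three pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes).
INFO = struct.Struct(">BBBBB3xI")

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def attach(unsigned, sig):
    """Frame a detached signature after the module body."""
    info = INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return unsigned + sig + info + MAGIC

def split_signed(signed):
    """Return (module_body, signature); raise ValueError on bad framing."""
    if not signed.endswith(MAGIC):
        raise ValueError("no module signature trailer")
    body = signed[:-len(MAGIC)]
    if len(body) < INFO.size:
        raise ValueError("truncated signature info")
    _, _, id_type, _, _, sig_len = INFO.unpack(body[-INFO.size:])
    body = body[:-INFO.size]
    if id_type != PKEY_ID_PKCS7 or sig_len > len(body):
        raise ValueError("unexpected signature type or length")
    cut = len(body) - sig_len
    return body[:cut], body[cut:]

def assemble(unsigned, sig, manifest):
    """Refuse to assemble unless both inputs match the (hypothetical) manifest."""
    if sha256(unsigned) != manifest["module"]:
        raise ValueError("relinked module does not match the signed build")
    if sha256(sig) != manifest["signature"]:
        raise ValueError("signature file does not match the manifest")
    return attach(unsigned, sig)

# Constructed sample inputs (placeholders, not real module or PKCS#7 data).
UNSIGNED = b"\x7fELF" + b"constructed-module-body"
SIG = b"\x30\x82" + b"constructed-signature-blob"
MANIFEST = {"module": sha256(UNSIGNED), "signature": sha256(SIG)}

if __name__ == "__main__":
    signed = assemble(UNSIGNED, SIG, MANIFEST)
    print(len(signed), split_signed(signed) == (UNSIGNED, SIG))
```

The hash check on the unsigned body matters because a detached signature only verifies if the locally relinked module is byte-identical to the one that was signed.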

Andy Whitcroft (apw) wrote :

We will also need to ensure master kernels have updated dkms-build and dkms-build--nvidia-N as we will sync those into the new linux-restricted-modules packages and break them.

Changed in linux-restricted-modules (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 5.11.0-11.12+1

---------------
linux-restricted-modules (5.11.0-11.12+1) hirsute; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

 -- Andy Whitcroft <email address hidden> Mon, 08 Mar 2021 15:14:35 +0000

Changed in linux-restricted-modules (Ubuntu):
status: In Progress → Fix Released

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.11.0-13.14

---------------
linux (5.11.0-13.14) hirsute; urgency=medium

  * CVE-2020-27170
    - bpf: Prohibit alu ops for pointer types not defining ptr_limit
    - bpf, selftests: Fix up some test_verifier cases for unprivileged

  * CVE-2020-27171
    - bpf: Fix off-by-one for area size in creating mask to left

 -- Andrea Righi <email address hidden> Fri, 19 Mar 2021 16:49:32 +0100

Changed in linux (Ubuntu):
status: In Progress → Fix Released
Andy Whitcroft (apw) on 2021-04-07
Changed in linux (Ubuntu Bionic):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Focal):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Groovy):
assignee: nobody → Andy Whitcroft (apw)
importance: Undecided → Medium
status: New → In Progress
Andy Whitcroft (apw) wrote :

I have tested installing linux-modules-nvidia-460 on each of groovy:linux, focal:linux, and bionic:linux, confirming that each assembles (passing the sha256 checks) and inserts (failing to find hardware).

@tseliot has tested this also on his Nvidia hardware with good results.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 5.4.0-71.79+1

---------------
linux-restricted-modules (5.4.0-71.79+1) focal; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

linux-restricted-modules (5.4.0-71.79) focal; urgency=medium

  * Master version: 5.4.0-71.79

  * Miscellaneous Ubuntu changes
    - debian/dkms-versions -- update from master

 -- Stefan Bader <email address hidden> Wed, 07 Apr 2021 16:06:26 +0200

Changed in linux-restricted-modules (Ubuntu Focal):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 5.8.0-49.55+1

---------------
linux-restricted-modules (5.8.0-49.55+1) groovy; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

linux-restricted-modules (5.8.0-49.55) groovy; urgency=medium

  * Master version: 5.8.0-49.55

  * Miscellaneous Ubuntu changes
    - debian/dkms-versions -- update from master

 -- Stefan Bader <email address hidden> Wed, 07 Apr 2021 15:53:36 +0200

Changed in linux-restricted-modules (Ubuntu Groovy):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-restricted-modules - 4.15.0-141.145+1

---------------
linux-restricted-modules (4.15.0-141.145+1) bionic; urgency=medium

  * LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing key
    (LP: #1918134)
    - [Packaging] convert to v4 autogen form

linux-restricted-modules (4.15.0-141.145) bionic; urgency=medium

  * Master version: 4.15.0-141.145

  * Packaging resync (LP: #1786013)
    - [Packaging] resync dkms-build and family

  * Miscellaneous Ubuntu changes
    - debian/dkms-versions -- update from master

 -- Stefan Bader <email address hidden> Wed, 07 Apr 2021 16:13:40 +0200

Changed in linux-restricted-modules (Ubuntu Bionic):
status: New → Fix Released
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Stefan Bader (smb) on 2021-04-14
Changed in linux (Ubuntu Groovy):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-groovy' to 'verification-done-groovy'. If the problem still exists, change the tag 'verification-needed-groovy' to 'verification-failed-groovy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-groovy

I confirm that with the recent changes synced back to groovy linux packaging the installation of linux-modules-nvidia-460-generic can be performed successfully. The driver is built and the module fails to load due to lack of hardware as expected.

Tested with:

$ uname -r
5.8.0-51-generic

tags: added: verification-done-groovy
removed: verification-needed-groovy