diff -Nru dkms-2.2.0.3/debian/changelog dkms-2.2.0.3/debian/changelog --- dkms-2.2.0.3/debian/changelog 2016-09-15 21:25:48.000000000 +0000 +++ dkms-2.2.0.3/debian/changelog 2019-01-28 16:05:49.000000000 +0000 @@ -1,3 +1,17 @@ +dkms (2.2.0.3-1.1ubuntu5.14.04.10) trusty; urgency=medium + + * debian/patches/shim_secureboot_support.patch: + - Move to signing just after module build to ensure it correctly applies + at kernel update times. (LP: #1772950) + - Generate a new MOK if there isn't one yet, and use that so sign + newly-built kernel modules. (LP: #1748983) + * debian/control: Breaks: shim-signed (<< 1.33.1~14.04.4) to ensure both + are updated in lock-step since the changes above require a new version of + update-secureboot-policy to correctly generate the new MOK and enroll it + in firmware. + + -- Mathieu Trudel-Lapierre Mon, 28 Jan 2019 11:05:49 -0500 + dkms (2.2.0.3-1.1ubuntu5.14.04.9) trusty; urgency=medium * apport_name_in_valueerror.diff: (LP: #1588479) diff -Nru dkms-2.2.0.3/debian/control dkms-2.2.0.3/debian/control --- dkms-2.2.0.3/debian/control 2014-01-15 11:55:33.000000000 +0000 +++ dkms-2.2.0.3/debian/control 2019-01-28 16:05:39.000000000 +0000 @@ -23,6 +23,7 @@ Recommends: fakeroot, menu | sudo Suggests: dpkg-dev, debhelper +Breaks: shim-signed (<< 1.33.1~14.04.4) Description: Dynamic Kernel Module Support Framework DKMS is a framework designed to allow individual kernel modules to be upgraded without changing the whole kernel. It is also very easy to rebuild modules as diff -Nru dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch --- dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch 2016-05-20 18:49:43.000000000 +0000 +++ dkms-2.2.0.3/debian/patches/shim_secureboot_support.patch 2018-11-13 17:41:35.000000000 +0000 @@ -1,6 +1,6 @@ 
From: Mathieu Trudel-Lapierre +Date: Wed, 28 Dec 2016 20:03:01 +0800 Subject: Add support for UEFI Secure Boot validation toggling through shim -Last-Update: 2016-01-11 This allows one to install third-party drivers and still have their system work (albeit without full Secure Boot validation), automatizing the step @@ -9,19 +9,55 @@ Users still have the possibility to notice this and skip the step, thus not disabling Secure Boot (but then, they will not be able to load the dkms drivers that were added). - --- - dkms_common.postinst | 3 +++ - 1 file changed, 3 insertions(+) + dkms | 19 +++++++++++++++++++ + dkms_common.postinst | 2 ++ + 2 files changed, 21 insertions(+) +Index: b/dkms +=================================================================== +--- a/dkms ++++ b/dkms +@@ -1265,10 +1265,29 @@ clean_build() + rm -rf "$dkms_tree/$module/$module_version/build/*" + } + ++sign_build() ++{ ++ local base_dir="$dkms_tree/$module/$module_version/$kernelver/$arch" ++ if type update-secureboot-policy >/dev/null 2>&1; then ++ echo $"Signing module:" ++ SHIM_NOTRIGGER=y update-secureboot-policy --new-key ++ for ko in `find "$base_dir/module/" -name "*.ko" -print`; ++ do ++ echo " - $ko" ++ kmodsign sha512 \ ++ /var/lib/shim-signed/mok/MOK.priv \ ++ /var/lib/shim-signed/mok/MOK.der \ ++ "$ko" ++ done ++ update-secureboot-policy --enroll-key ++ fi ++} ++ + build_module() + { + prepare_build + do_build ++ sign_build + clean_build + echo $"" + echo $"DKMS: build completed." Index: b/dkms_common.postinst =================================================================== --- a/dkms_common.postinst +++ b/dkms_common.postinst -@@ -293,3 +293,6 @@ for KERNEL in $KERNELS; do - fi - done +@@ -6,6 +6,8 @@ + + set -e + ++. /usr/share/debconf/confmodule ++ + uname_s=$(uname -s) -+if type update-secureboot-policy >/dev/null 2>&1; then -+ update-secureboot-policy || true -+fi + _get_kernel_dir() {
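Review bot: In the new `sign_build()`, neither `SHIM_NOTRIGGER=y update-secureboot-policy --new-key` nor the per-module `kmodsign sha512` call has its exit status checked, so (unless the dkms script runs under errexit, which this hunk does not show) `build_module()` still prints "DKMS: build completed." when a module was left unsigned, and the failure only surfaces later when the kernel refuses to load it under Secure Boot. I would report it per module, for example by ending the `kmodsign` command with `"$ko" || echo $"Signing failed: $ko" >&2`, and skip the loop entirely when `/var/lib/shim-signed/mok/MOK.priv` is absent. The `for ko in` loop over backtick `find` output also word-splits any module path that contains whitespace. Separately, the patch header kept as context still describes toggling Secure Boot validation off, while the code now signs modules with a machine-owner key that is apparently used without a passphrase; the description should say so and note that the key's protection rests on the file permissions under `/var/lib/shim-signed/mok/`. In `dkms_common.postinst`, `. /usr/share/debconf/confmodule` is sourced unconditionally under `set -e`, which presumably relies on debconf being installed and on nothing later in the script writing to stdout; that is worth confirming, since the rest of the script is outside the hunk.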