AUR (en) - arch-sign-modules

Search Criteria

Enter search criteria

Search by

Keywords

Out of Date

Sort by

Sort order

Per page

Package Details: arch-sign-modules 0.7.3-1

Package Actions

Git Clone URL:	https://aur.archlinux.org/arch-sign-modules.git (read-only, click to copy)
Package Base:	arch-sign-modules
Description:	Signed (In Tree & Out of Tree) Kernel Modules for linux linux-lts linux-hardened linux-zen + AUR kernels
Upstream URL:	https://github.com/itoffshore/Arch-SKM
Keywords:	kernel modules signed
Licenses:	MIT
Submitter:	itoffshore
Maintainer:	itoffshore
Last Packager:	itoffshore
Votes:	4
Popularity:	0.030497
First Submitted:	2020-05-23 20:34 (UTC)
Last Updated:	2024-04-26 19:43 (UTC)

Dependencies (6)

git (git-git^AUR)
python-zstandard
rsync (rsync-git^AUR, rsync-reflink^AUR, rsync-reflink-git^AUR)
mousepad (mousepad-git^AUR) (optional) – default gui editor
nano (nano-git^AUR, orbiton-nano) (optional) – default editor
pacman-contrib (pacman-contrib-git^AUR) (optional)

Required by (0)

Sources (1)

arch-sign-modules-0.7.3.tar.gz

Latest Comments

« First ‹ Previous 1 2 3

EternalFlameIV commented on 2023-09-04 12:45 (UTC)

Hello - I've been trying to get Digimend properly signed on linux-xanmod, but for some reason the kernel refuses to acknowledge the modules as signed:

[ +11.101242] usb 1-3: new full-speed USB device number 6 using xhci_hcd
[  +0.133763] usb 1-3: New USB device found, idVendor=256c, idProduct=006d, bcdDevice= 1.11
[  +0.000005] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  +0.000001] usb 1-3: Product: Huion Tablet
[  +0.000001] usb 1-3: Manufacturer: HUION
[  +0.001593] hid-generic 0003:256C:006D.0009: hiddev1,hidraw4: USB HID v1.10 Device [HUION Huion Tablet] on usb-0000:00:14.0-3/input0
[  +0.041569] input: HUION Huion Tablet as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:256C:006D.000A/input/input40
[  +0.053220] hid-generic 0003:256C:006D.000A: input,hidraw6: USB HID v1.10 Device [HUION Huion Tablet] on usb-0000:00:14.0-3/input1
[  +0.765175] hid_uclogic: loading out-of-tree module taints kernel.
[  +0.000008] hid_uclogic: **module verification failed: signature and/or required key missing - tainting kernel**
[  +0.027304] input: HUION Huion Tablet as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:256C:006D.0009/input/input41
[  +0.000247] input: HUION Huion Tablet Pad as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:256C:006D.0009/input/input42
[  +0.000179] input: HUION Huion Tablet Touch Strip as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:256C:006D.0009/input/input43
[  +0.000186] input: HUION Huion Tablet Dial as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:256C:006D.0009/input/input44
[  +0.000181] uclogic 0003:256C:006D.0009: input,hidraw4: USB HID v1.10 Keypad [HUION Huion Tablet] on usb-0000:00:14.0-3/input0
[  +0.032870] uclogic 0003:256C:006D.000A: No inputs registered, leaving
[  +0.000068] uclogic 0003:256C:006D.000A: hidraw6: USB HID v1.10 Device [HUION Huion Tablet] on usb-0000:00:14.0-3/input1

Weirdly enough, I seem to have no problems with nvidia-dkms, which loads fine and does not throw a "signature verification failed" error at me.

[  +0.000054] nvidiafb 0000:02:00.0: enabling device (0000 -> 0003)
[  +0.000116] nvidiafb: Device ID: 10de1c92 
[  +0.000002] nvidiafb: unknown NV_ARCH
[  +1.225871] nvidia: module license 'NVIDIA' taints kernel.
[  +0.000003] Disabling lock debugging due to kernel taint
[  +0.000002] nvidia: module license taints kernel.
[  +0.009492] nvidia-nvlink: Nvlink Core is being initialized, major device number 507
[  +0.000004] NVRM: loading NVIDIA UNIX x86_64 Kernel Module  535.104.05  Sat Aug 19 01:15:15 UTC 2023
[  +0.138677] nvidia_uvm: module uses symbols nvUvmInterfaceDisableAccessCntr from proprietary module nvidia, inheriting taint.
[  +0.229354] nvidia-uvm: Loaded the UVM driver, major device number 505.
[  +0.022023] nvidia-modeset: Loading NVIDIA Kernel Mode Setting Driver for UNIX platforms  535.104.05  Sat Aug 19 00:59:57 UTC 2023
[  +0.011041] [drm] [nvidia-drm] [GPU ID 0x00000200] Loading driver
[  +0.018296] ACPI Warning: \_SB.PCI0.RP05.PEGP._DSM: Argument #4 type mismatch - Found [Buffer], ACPI requires [Package] (20230331/nsarguments-61)
[  +0.611591] [drm] Initialized nvidia-drm 0.0.0 20160202 for 0000:02:00.0 on minor 1

My /etc/dkms and /var/lib/dkms look fine, if very slightly messy:

$ ls -l /etc/dkms/*
lrwxrwxrwx 1 root root   26 Aug 20 08:19 /etc/dkms/digimend-kernel-drivers.conf -> /etc/dkms/kernel-sign.conf
-rw-r--r-- 1 root root 1534 May  7 08:24 /etc/dkms/framework.conf
-rw-r--r-- 1 root root  209 Sep  4 00:45 /etc/dkms/kernel-sign.conf
-rwxr-xr-x 1 root root  425 Sep  4 00:45 /etc/dkms/kernel-sign.sh
lrwxrwxrwx 1 root root   26 Aug 20 08:19 /etc/dkms/nvidia.conf -> /etc/dkms/kernel-sign.conf

/etc/dkms/framework.conf.d:
total 0

$ ls -l /var/lib/dkms/*
-rw------- 1 root root 1704 Jul 10  2022 /var/lib/dkms/mok.key
-rw-r--r-- 1 root root  811 Jul 10  2022 /var/lib/dkms/mok.pub

/var/lib/dkms/digimend-kernel-drivers:
total 8
drwxr-xr-x 5 root root 4096 Sep  4 07:25 11.r1.geca6e1b
lrwxrwxrwx 1 root root   38 May 25 12:49 kernel-6.3.3-zen1-1-zen-x86_64 -> 11.r1.geca6e1b/6.3.3-zen1-1-zen/x86_64
lrwxrwxrwx 1 root root   38 Sep  4 07:25 kernel-6.4.12-arch1-1.1-x86_64 -> 11.r1.geca6e1b/6.4.12-arch1-1.1/x86_64
lrwxrwxrwx 1 root root   46 Sep  4 07:25 kernel-6.4.14-skylake-xanmod1-1-x86_64 -> 11.r1.geca6e1b/6.4.14-skylake-xanmod1-1/x86_64
drwxr-xr-x 3 root root 4096 Aug 20 20:48 original_module

/var/lib/dkms/nvidia:
total 8
drwxr-xr-x 5 root root 4096 Sep  4 07:15 535.104.05
lrwxrwxrwx 1 root root   34 Aug 31 16:39 kernel-6.4.11-arch2-1.1-x86_64 -> 535.104.05/6.4.11-arch2-1.1/x86_64
lrwxrwxrwx 1 root root   34 Aug 31 16:43 kernel-6.4.12-arch1-1.1-x86_64 -> 535.104.05/6.4.12-arch1-1.1/x86_64
lrwxrwxrwx 1 root root   42 Sep  4 07:15 kernel-6.4.14-skylake-xanmod1-1-x86_64 -> 535.104.05/6.4.14-skylake-xanmod1-1/x86_64
drwxr-xr-x 4 root root 4096 Aug 31 16:39 original_module

The modules in /lib/modules/${kernver}/updates/dkms also seem signed:

$ ls /lib/modules/6.4.14-skylake-xanmod1-1/updates/dkms
hid-kye.ko  hid-polostar.ko  hid-uclogic.ko  hid-viewsonic.ko  nvidia-drm.ko  nvidia.ko  nvidia-modeset.ko  nvidia-peermem.ko  nvidia-uvm.ko
$ modinfo /lib/modules/6.4.14-skylake-xanmod1-1/updates/dkms/* | grep signer
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key

Is there something special about these modules that makes the kernel not like them? Is more work just needed to support more DKMS packages?

PrfStrwberry commented on 2022-10-20 09:53 (UTC) (edited on 2022-10-29 23:50 (UTC) by PrfStrwberry)

I will try it right away. Thank you!

EDIT: It works. Thank you!!

UPDATE 30/10/2022: actually none of my dkms modules get signed.

I didn't have the time, to run arch in a while. Today I came back and I am greeted with a black screen, when I select xanmod. I have also tried linux with the force module sign kernel argument.

When I remove the kernel boot parameter, the linux kernel boots without a problem. For the xanmod kernel I don"t even have the kernel parameter enabled.

I checked and none of the dkms modules are signed, even though the abk script is running without any problems.

What am I doing wrong? I might just give up and disable secureboot.

itoffshore commented on 2022-10-17 16:35 (UTC) (edited on 2022-10-19 19:12 (UTC) by itoffshore)

@PrfStrwberry - abk -i will look for packages in whatever you have configured in /etc/makepkg.conf for PKGDEST.

linux-xanmod support added in the current 0.5.2 version.
For others building AUR kernels see the AUR Kernel Notes for issues I noticed when testing abk.

I ==> Finished making: linux-xanmod 6.0.2-1 (Wed 19 Oct 2022 01:04:25 BST) - perhaps you could test the signed Nvidia module ? (I normally use an AMD GPU in Arch / Nvidia in a vm)

PrfStrwberry commented on 2022-10-17 05:19 (UTC)

Could you help me with my problem? I am trying to build linux-xanmod from aur and I need nvidia-dkms. So what I am doing is as follows:

I git clone from aur linux-xanmod into ~/kernelbuild folder, as suggested by Arch.

I then abk -u linux-xanmod, copy the code from the example to the PKGBUILD.

Then I do abk -b linux-xanmod.

It builds until the genkeys.py is called from the script. It cannot find the 'current ' folder. So what I do, is running genkeys.py -c myself. Now the 'current' folder exists and building continues.

After building it says log can be read at: and there is just an empty output. Anyway it finished, so on to the next step.

abk -i linux-xanmod

The linux-xanmod package does not exist.

So I am trying makepkg -si and I can install it, but when I restart into linux-xanmod, I just get a grey screen. I assume it's because nvidia-dkms is not booting with secure boot.

The linux kernel with nvidia-dkms and secure boot works flawless though.

afader commented on 2022-05-08 23:22 (UTC)

Got it working, thanks for the help & for maintaining this package!

itoffshore commented on 2022-05-07 19:37 (UTC) (edited on 2022-05-07 19:37 (UTC) by itoffshore)

@afader - sounds like maybe an issue with your dkms config. This is what my /etc/dkms looks like:

-rw-r--r-- 1 root root 1.1K Dec 17 10:25 framework.conf
-rw-r--r-- 1 root root  209 May  4 17:37 kernel-sign.conf
-rwxr-xr-x 1 root root  425 May  4 17:37 kernel-sign.sh
lrwxrwxrwx 1 root root   26 May  4 20:55 lkrg.conf -> /etc/dkms/kernel-sign.conf
lrwxrwxrwx 1 root root   26 May  4 19:26 nvidia.conf -> /etc/dkms/kernel-sign.conf
lrwxrwxrwx 1 root root   26 May  4 19:26 zfs.conf -> /etc/dkms/kernel-sign.conf

I have noticed in the past dkms upgrades have left /var/lib/dkms in need of tidying up. My /var/lib/dkms/* looks like:

/var/lib/dkms/lkrg:
total 8.0K
drwxr-xr-x 1 root root 92 May  4 21:37 0.9.3
lrwxrwxrwx 1 root root 26 May  4 21:33 kernel-5.15.37-1-lts-x86_64 -> 0.9.3/5.15.37-1-lts/x86_64                                                                                            
lrwxrwxrwx 1 root root 40 May  4 21:37 kernel-5.17.5-hardened1-1-hardened-x86_64 -> 0.9.3/5.17.5-hardened1-1-hardened/x86_64

/var/lib/dkms/nvidia:
total 12K
drwxr-xr-x 1 root root 148 May  5 17:04 510.68.02
lrwxrwxrwx 1 root root  30 May  5 17:03 kernel-5.15.37-1-lts-x86_64 -> 510.68.02/5.15.37-1-lts/x86_64                                                                                       
lrwxrwxrwx 1 root root  44 May  5 17:03 kernel-5.17.5-hardened1-1-hardened-x86_64 -> 510.68.02/5.17.5-hardened1-1-hardened/x86_64
drwxr-xr-x 1 root root  56 May  5 17:04 original_module

/var/lib/dkms/zfs:
total 8.0K
drwxr-xr-x 1 root root 92 May  4 21:37 2.1.4
lrwxrwxrwx 1 root root 26 May  4 21:33 kernel-5.15.37-1-lts-x86_64 -> 2.1.4/5.15.37-1-lts/x86_64                                                                                            
lrwxrwxrwx 1 root root 40 May  4 21:37 kernel-5.17.5-hardened1-1-hardened-x86_64 -> 2.1.4/5.17.5-hardened1-1-hardened/x86_64

I've just rebuilt linux-hardened-5.17.5 with version 0.3.3

My modules live under /lib/modules/5.17.5-hardened1-1-hardened/updates/dkms

icp.ko.zst         nvidia-modeset.ko.zst  p_lkrg.ko.zst  zcommon.ko.zst  znvpair.ko.zst
nvidia-drm.ko.zst  nvidia-peermem.ko.zst  spl.ko.zst     zfs.ko.zst      zunicode.ko.zst
nvidia.ko.zst      nvidia-uvm.ko.zst      zavl.ko.zst    zlua.ko.zst     zzstd.ko.zst

& are all signed:

modinfo /lib/modules/5.17.5-hardened1-1-hardened/updates/dkms/* | grep Local
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key
signer:         Local Out of tree kernel module signing key

I did catch a bug or two with the latest updates - perhaps try the latest version ?

afader commented on 2022-05-07 19:03 (UTC)

Possibly my own fault from trying to get this to work with the previous manual steps and previous iteration of the package, but when I install this and run the various prescribed akb commands, while it builds the linux-hardened kernel, it renders my nvidia-dkms broken and then when I build with mkinitcpio I do not get nvidia modules.