Bug#996461: nvidia-kernel-dkms: DKMS tree already contains: nvidia-current-470.74

Sat Nov 20 08:48:02 GMT 2021

On 2021-10-17 11:57, Andreas Beckmann wrote:
> Control: severity -1 normal
> 
> On 15/10/2021 19.42, Drew Parsons wrote:
>> I guess that reference to bss_file.c must be a clue, if not the 
>> reference to the missing /root/dkms.key >
>> The 470.74/5.14.0-2 make.log in the error message shows no errors 
>> itself, but the last line is
>> "Signing /var/lib/dkms/nvidia-current/470.74/build/nvidia.ko"
> 
> I think there are two bugs at work here and both are out of the scope
> of the nvidia driver.
> 
> 1. Signing the kernel module fails. That's probably your local
> configuration that activates it, or do we have packages adding support
> for that now? I've never looked into signing the kernel module.

I've set my computer with MOK signing so that the modules can load after 
booting with Secure Boot, following the instructions at 
https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key

I'm not certain if that's the same signing that's causing the problem 
here.  I use nvidia in bumblebee mode (primusrun). That was a little 
flakey, so in practice I signed the modules manually after upgrades to 
be sure they were signed.

> Can you send me your signing bits (and instructions how to generate a
> key) s.t. I can try to rebuild that setup in a chroot in order to
> reproduce the bug?

There are more signing instructions at 
https://wiki.debian.org/SecureBoot#Using_your_key_to_sign_modules

I created /root/mok.priv and /root/mok.der

The script I've been using to sign the modules manually is
------------------------------------
cd /lib/modules
for mdir in */updates/dkms; do
   cd $mdir
   # get kernel version major.minor
   kernel_version=$( echo $mdir | sed "s/\(.*\..*\)\..*/\1/" )
   echo "signing modules for kernel ${kernel_version} in $PWD"
   for k in *.ko; do
     /usr/lib/linux-kbuild-${kernel_version}/scripts/sign-file sha256 
/root/mok.priv /root/mok.der $k
     echo "  $k"
   done
   cd /lib/modules
done
-----------------------------------

That's still working, signing my last nvidia build. The modules on my 
system that get signed are
   bbswitch.ko
   nvidia-current-drm.ko
   nvidia-current-modeset.ko
   nvidia-current-peermem.ko
   nvidia-current-uvm.ko
   nvidia-current.ko

> 2. dkms getting some hickup after the package configuration failed
> (due to the signing failure) and not properly reinitializing on the
> next attempt. (The relevant maintainer script bits should all come
> from dh_dkms.)

Agreed, it sounds like that's what's happened.  There was a problem at 
some point (perhaps in the experimental package), and it hasn't been 
able to recover.

The problem is still current, by the way, with 470.86-1
Should I try a complete nvidia purge and reinstall, or would it be 
useful to keep my computer in a broken state for further debugging?

Drew