Bug#996461: nvidia-kernel-dkms: DKMS tree already contains: nvidia-current-470.74
Drew Parsons
dparsons at debian.org
Sat Nov 20 09:31:10 GMT 2021
On 2021-11-20 10:03, Drew Parsons wrote:
...
> sign-file itself is working, and working with my MOK keys.
>
> When dkms runs, it evidently triggers sign-file, invoking
> /root/dkms.key
...
> So I see 2 questions here:
> 1) what is making the dkms scripts invoke sign-file ?
> 2) what is making them invoke sign-file with /root/dkms.key ?
2) is easily answered, from the dkms package,
$ cat /etc/dkms/sign_helper.sh
#!/bin/sh
/lib/modules/"$1"/build/scripts/sign-file sha512 /root/dkms.key /root/dkms.der "$2"
1) is also easy to answer after probing dkms.
/usr/share/doc/dkms/README.md.gz provides Secure Boot signing
instructions, including uncommenting
sign_tool="/etc/dkms/sign_helper.sh"
in /etc/dkms/framework.conf
It is uncommented on my system.
From one perspective it looks like this is a documentation bug, with a
discrepancy between dkms documentation and
https://wiki.debian.org/SecureBoot. Or perhaps dkms expects to have its
own dkms.key, distinct from any MOK.der you might also create.
I see 3 workarounds:
1) create a symlink from dkms.key to mok.priv and dkms.der to mok.der.
2) Create a separate dkms.key. Not so convenient to have 2 keys though
(though I could just stop using mok.der)
3) Comment out sign_tool in /etc/dkms/framework.conf, and sign manually.
A little inelegant for dkms, but otherwise easy.
1) or 3) would seem simplest to do, but strangely neither of them fixes
the final problem. Still gives the same error, "DKMS tree already
contains: nvidia-current-470.86. You cannot add the same module/version
combo more than once."
Not sure if it would work after nvidia purge/reinstall. Or if it needs a
reboot.
I'll try 2). dkms is supposed to work on its own after all.
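
A check for the configuration described in this message, as an added example that is not part of the original email or of the dkms package: it reads sign_tool from framework.conf, pulls the key and certificate paths out of the helper, and reports missing files, dangling symlinks or a private key with group/other permission bits. ROOT and the function names are assumptions made for the example.

```sh
#!/bin/sh
# Added example: audit the DKMS signing setup described in this message.
# ROOT is a hypothetical prefix so the check can run against a test tree.

# Print the helper path if sign_tool is uncommented in framework.conf.
dkms_sign_tool() {
    sed -n 's/^[[:space:]]*sign_tool=//p' "$1" 2>/dev/null | tr -d "\"'" | tail -n 1
}

# Print the key and certificate paths the helper passes to sign-file
# (the two arguments after the hash algorithm), tolerating a wrapped line.
helper_key_paths() {
    sed 's/\\$//' "$1" | tr '\n' ' ' | tr -s ' ' |
        sed -n 's/.*sign-file [^ ]* \([^ ]*\) \([^ ]*\) .*/\1 \2/p'
}

# Return 0 if signing is disabled or both files are usable, 1 otherwise.
audit_dkms_signing() {
    tool=$(dkms_sign_tool "$ROOT/etc/dkms/framework.conf")
    [ -n "$tool" ] || { echo "sign_tool is commented out or unset"; return 0; }
    [ -f "$ROOT$tool" ] || { echo "MISSING helper $tool"; return 1; }
    set -- $(helper_key_paths "$ROOT$tool")
    [ $# -eq 2 ] || { echo "cannot parse sign-file call in $tool"; return 1; }
    rc=0
    for f in "$1" "$2"; do
        # -e follows symlinks, so a dangling dkms.key -> mok.priv link fails here
        [ -e "$ROOT$f" ] || { echo "MISSING $f"; rc=1; }
    done
    # The private key should carry no group/other permission bits.
    if [ -e "$ROOT$1" ] && [ "$(ls -lL "$ROOT$1" | cut -c5-10)" != "------" ]; then
        echo "LOOSE permissions on $1"; rc=1
    fi
    return $rc
}

# Build a constructed tree mirroring the two files quoted in the message.
make_sample_tree() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/etc/dkms" "$ROOT/root"
    echo 'sign_tool="/etc/dkms/sign_helper.sh"' > "$ROOT/etc/dkms/framework.conf"
    printf '%s\n' '#!/bin/sh' \
        '/lib/modules/"$1"/build/scripts/sign-file sha512 /root/dkms.key /root/dkms.der "$2"' \
        > "$ROOT/etc/dkms/sign_helper.sh"
}

make_sample_tree
audit_dkms_signing || echo "dkms would call sign-file with files that are not there"
rm -rf "$ROOT"
```

On a real system the functions are run as root with ROOT set to the empty string.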