andreyv / sbupdate

Generate and sign kernel images for UEFI Secure Boot on Arch Linux
GNU General Public License v3.0
225 stars, 20 forks

Updating DKMS modules in initramfs doesn't trigger update #44

Closed darrellenns closed 2 years ago

darrellenns commented 3 years ago

If a DKMS module is included in the initramfs (via MODULES= in mkinitcpio.conf) and the DKMS module is update, sbupdate hooks are not triggered. Here is an example scenario:

When nvidia-dkms is updated to a newer version, pacman automatically runs dkms install followed by mkinitcpio. However, sbupdate is not run (this can be verified by observing that the signed EFI file is older than the initramfs).

dnelson commented 3 years ago

I haven't tried it, but it seems like this could be solved using the same technique described in the Arch wiki for automatically rebuilding the initial ramdisk.

darrellenns commented 2 years ago

I've worked around it by adding "Target = nvidia-dkms" to /usr/share/libalpm/hooks/95-sbupdate.hook. There are already hooks for intel-ucode and amd-ucode in that file. Ideally, there should be a way to trigger it any time mkinitcpio is run (rather than on specific packages), but without running it twice when pacman does a kernel update. Maybe a combination of a hook that runs whenever mkinitcpio runs and a cli option to not regenerate/re-sign the .efi file if it is already newer than the kernel and initramfs.
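The staleness test this comment asks for (only re-sign when the .efi is older than the kernel or initramfs) is easy to script. The following is an added example written for this page, not code from sbupdate or from the commenter; the paths in the final comment are assumptions about a default Arch ESP layout, and the functions are hypothetical helpers, not sbupdate options.

```shell
#!/bin/sh
# Added example (not part of sbupdate): decide whether a signed UEFI image is
# stale, i.e. older than the kernel or initramfs it was built from, which is
# exactly the condition left behind when mkinitcpio runs without sbupdate.

# efi_is_stale EFI INPUT...
# Returns 0 (stale) when EFI is missing or any INPUT is newer than it,
# 1 (fresh) otherwise. Uses the POSIX "-nt" (newer than) file test.
efi_is_stale() {
    efi=$1
    shift
    [ -f "$efi" ] || return 0        # nothing signed yet: always stale
    for src in "$@"; do
        if [ "$src" -nt "$efi" ]; then
            return 0                 # kernel or initramfs newer than the .efi
        fi
    done
    return 1
}

# check_signed_image EFI INPUT...
# Prints a one-line verdict and returns 1 when a re-sign is needed, so it can
# be used as a guard in a hook or a post-update script.
check_signed_image() {
    if efi_is_stale "$@"; then
        echo "STALE: $1 is older than its kernel/initramfs; run sbupdate"
        return 1
    fi
    echo "OK: $1 is newer than kernel and initramfs"
    return 0
}

# Example invocation (assumed default Arch paths; adjust to your ESP layout):
# check_signed_image /boot/EFI/Arch/linux-signed.efi \
#     /boot/vmlinuz-linux /boot/initramfs-linux.img
```

Note that mtime is only a freshness heuristic: it tells you sbupdate was not re-run, not that the existing signature is valid. Verifying the signature itself is a separate step with the sbsigntools utilities.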

darrellenns commented 2 years ago

A more generic workaround might be to change the path triggers in 95-sbupdate.hook to the following:

Target = usr/lib/modules/*/vmlinuz
Target = usr/lib/initcpio/*
Target = usr/src/*/dkms.conf
Target = usr/lib/modules/*/build/include/
Target = usr/lib/modules/*/modules.alias

These are the triggers from 90-mkinitcpio-install.hook and 70-dkms-install.hook, so they should cause sbupdate to trigger whenever dkms triggers or mkinitcpio runs.

However, I've found another issue. It seems that with either this solution or the "Target=nvidia-dkms" solution, the alpm hooks are run in the wrong order. It's running sbupdate before it runs mkinitcpio:

:: Running post-transaction hooks...
(1/4) Arming ConditionNeedsUpdate...
(2/4) Install DKMS modules
==> dkms install --no-depmod -m nvidia -v 470.74 -k 5.14.11-arch1-1
==> depmod 5.14.11-arch1-1
(3/4) Updating UEFI kernel images...
Generating and signing linux-signed.efi
warning: data remaining[74356736 vs 74366930]: gaps between PE/COFF sections?
warning: data remaining[74356736 vs 74366936]: gaps between PE/COFF sections?
Signing Unsigned original image
(4/4) Update Nvidia module in initcpio
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'default'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 5.14.11-arch1-1
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [autodetect]
  -> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: xhci_pci
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
  -> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: qat_4xxx
  -> Running build hook: [btrfs]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux.preset: 'fallback'
  -> -k /boot/vmlinuz-linux -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 5.14.11-arch1-1
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [keyboard]
==> WARNING: Possibly missing firmware for module: xhci_pci
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: aic94xx
==> WARNING: Possibly missing firmware for module: wd719x
  -> Running build hook: [sd-encrypt]
==> WARNING: Possibly missing firmware for module: qat_4xxx
  -> Running build hook: [btrfs]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: /boot/initramfs-linux-fallback.img
==> Image generation successful

I'm not sure why this is. According to alpm-hooks, the hooks are run in alphabetical order, which should mean that the sbupdate hook runs after any dkms/mkinitcpio stuff. It might be a bug in libalpm.

darrellenns commented 2 years ago

Never mind the hook order thing - I just needed my custom nvidia hook to run before sbupdate (fixed by renaming nvidia.hook to 94-nvidia.hook).

I'll create a pull request for the proposed target fix.