{"id":13437276,"url":"https://github.com/dell/dkms","last_synced_at":"2025-05-14T21:08:13.178Z","repository":{"id":39649725,"uuid":"45621270","full_name":"dell/dkms","owner":"dell","description":"Dynamic Kernel Module Support","archived":false,"fork":false,"pushed_at":"2025-04-10T14:43:49.000Z","size":1876,"stargazers_count":719,"open_issues_count":51,"forks_count":164,"subscribers_count":40,"default_branch":"main","last_synced_at":"2025-04-10T16:00:49.274Z","etag":null,"topics":["dkms"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2015-11-05T15:45:11.000Z","updated_at":"2025-04-10T09:17:31.000Z","dependencies_parsed_at":"2024-02-13T21:54:00.590Z","dependency_job_id":"a61ce0be-f22a-445a-b7b0-9bcd76efc4af","html_url":"https://github.com/dell/dkms","commit_stats":null,"previous_names":[],"tags_count":138,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dell%2Fdkms","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dell%2Fdkms/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dell%2Fdkms/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dell%2Fdkms/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dell","download_url":"https://codeload.github.com/dell/dkms/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://gi
thub.com","kind":"github","repositories_count":248750009,"owners_count":21155682,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dkms"],"created_at":"2024-07-31T03:00:55.620Z","updated_at":"2025-04-13T16:53:34.565Z","avatar_url":"https://github.com/dell.png","language":"Shell","funding_links":[],"categories":["HarmonyOS","Shell"],"sub_categories":["Windows Manager"],"readme":"# Dynamic Kernel Module System (DKMS)\n\nThe intention of this README is to explain how DKMS can be used in conjunction with tarballs which contain a `dkms.conf` file within them.\n\nThe DKMS project (and any updates) can be found at: https://github.com/dell/dkms\n\n\n## Installation\n\nInstallation is performed from the source directory with one of the following commands:\n\n```\nmake install\nmake install-debian\nmake install-redhat\n```\n\nDistribution-specific installations (RPM, DEB, etc.) are not contained in this source repository.\n\n\n## Installation of DKMS Tarballs\n\nDKMS can install directly from the following:\n\n1. Generic module source tarballs which contain a `dkms.conf` file\n2. Specially created DKMS tarballs with module source, pre-built module binaries and a `dkms.conf` file\n3. Specially created DKMS tarballs with pre-built module binaries and a `dkms.conf` file\n4. 
Manual placement of module source and `dkms.conf` file into `/usr/src/\u003cmodule\u003e-\u003cmoduleversion\u003e/` directory\n\nIn order to load any tarball into the DKMS tree, you must use the following command:\n\n```\n# dkms ldtarball /path/to/dkms_enabled.tar.gz\n```\n\nThis command will first inspect the tarball to ensure that it contains a `dkms.conf` configuration file for that module.\nIf it cannot find this file anywhere within the archive, then the `ldtarball` command will fail.\n\nFrom here, it will place the source in the tarball into `/usr/src/\u003cmodule\u003e-\u003cmoduleversion\u003e/`.\nIf source already exists in the directory, it will not overwrite it unless the `--force` option is specified.\nIf the tarball is of type *3* above and does not contain source, it will only continue to load the tarball if existing module source is found in `/usr/src/\u003cmodule\u003e-\u003cmoduleversion\u003e/` or if the `--force` option is specified.\n\nContinuing on, if the tarball is of type *2* or *3*, it will then load any pre-built binaries found within the tarball into the DKMS tree, but will stop short of installing them.\nThus, all pre-built binaries will then be in the *built* state when checked with the `dkms status` command.  
You can then use the `dkms install` command to install any of these binaries.\n\nTo create a tarball of type *1* above, you need only to take module source and a `dkms.conf` file for that module and create a tarball from them.\nTarballs of type *2* or type *3* are created with the `dkms mktarball` command.\nTo create a type *3* tarball, you must specify the flag `--binaries-only` along with the `mktarball` command.\n\n### Installation on Systems with no Module Source and/or Compiler\n\nIf you choose not to load module source on your system or if you choose not to load a compiler such as gcc onto your system, DKMS can still be used to install modules.\nIt does this through use of DKMS binary-only tarballs as explained in this README under tarballs of type *3*.\n\nIf your system does not have module source, loading the DKMS tarball will fail.\nTo avoid this, use the `--force` flag, as such:\n\n```\n# dkms ldtarball /path/to/dkms_enabled.tar.gz --force\n```\n\nThis will load the pre-built binaries into the DKMS tree, and create the directory `/usr/src/\u003cmodule\u003e-\u003cmoduleversion\u003e/` which will only contain the module's `dkms.conf` configuration file.\nOnce the tarball is loaded, you can then use `dkms install` to install any of the pre-built modules.\n\nOf course, since the module source will not be located in your DKMS tree, you will not be able to build any modules with DKMS for this package.\n\n\n## Module signing\n\nBy default, DKMS generates a self-signed certificate for signing modules at build time and signs every module that it builds before it gets compressed with the configured kernel compression mechanism.\n\nThe private key and certificate are auto-generated the first time DKMS is run and placed in `/var/lib/dkms`.\nThese certificate files can be pre-populated with your own certificates of choice.\n\nThe location can also be changed by setting the appropriate variables in `/etc/dkms/framework.conf`.\nFor example, to 
allow usage of the system default Ubuntu `update-secureboot-policy`, set the configuration file as follows:\n\n```\nmok_signing_key=\"/var/lib/shim-signed/mok/MOK.priv\"\nmok_certificate=\"/var/lib/shim-signed/mok/MOK.der\"\n```\n\nNOTE: If either of the files specified by `mok_signing_key` and `mok_certificate` does not exist, DKMS will re-create both files.\n\nThe paths specified in `mok_signing_key`, `mok_certificate` and `sign_file` can use the variable `${kernelver}` to represent the target kernel version.\n\n```\nsign_file=\"/lib/modules/${kernelver}/build/scripts/sign-file\"\n```\n\nThe variable `mok_signing_key` can also be a `pkcs11:...` string for a [PKCS#11 engine](https://www.rfc-editor.org/rfc/rfc7512), as long as the `sign_file` program supports it.\n\n### Code Signing extended key usage validation\n\nYour kernel might be patched and compiled with the option `CONFIG_CHECK_CODESIGN_EKU` to assist with compliance with the NIAP Protection Profile for General Purpose Operating Systems.\nPage 35 of [version 4.3 of the specification](https://www.niap-ccevs.org/protectionprofiles/469) states:\n\n```\n* The OS shall validate the extendedKeyUsage field according to the following rules:\n  * Certificates used for trusted updates and executable code integrity\n    verification shall have the Code Signing Purpose (id-kp 3 with OID\n    1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field.\n```\n\nSo from DKMS 3.1.7, the MOK self-signed certificate is generated with the `extendedKeyUsage` set to `codeSigning`.\nThis requires version *1.1.1 or newer* of the `openssl` command to be present on the system.\n\nIf your system validates the extended key usage and you have auto-generated keys from a DKMS version prior to 3.1.7, the keys need to be regenerated.\nFor example, assuming the default configuration:\n\n```\n# rm -fr /var/lib/dkms/mok.{key,pub}\n# dkms generate_mok\nSigning key: /var/lib/dkms/mok.key\nPublic certificate (MOK): 
/var/lib/dkms/mok.pub\n```\n\n\n## Secure Boot\n\nOn a UEFI system with Secure Boot enabled, modules require signing (as described in the section above) before they can be loaded and the firmware of the system must know the correct public certificate to verify the module signature.\n\nTo import the MOK certificate, make sure `mokutil` is installed.\n\nTo check if Secure Boot is enabled:\n\n```\n# mokutil --sb-state\nSecureBoot enabled\n```\n\nWith the appropriate key material on the system, enroll the public key:\n\n```\n# mokutil --import /var/lib/dkms/mok.pub\n```\n\nYou'll be prompted to create a password. Enter it twice; it can also be blank.\n\nReboot the computer. At boot you'll see the MOK Manager EFI interface:\n\n![SHIM UEFI key management](/images/mok-key-1.png)\n\nPress any key to enter it, then select \"Enroll MOK\":\n\n![Perform MOK management](/images/mok-key-2.png)\n\nThen select \"Continue\":\n\n![Enroll MOK](/images/mok-key-3.png)\n\nAnd confirm with \"Yes\" when prompted:\n\n![Enroll the key(s)?](/images/mok-key-4.png)\n\nAfter this, enter the password you set up with `mokutil --import` in the\nprevious step:\n\n![Enroll the key(s)?](/images/mok-key-5.png)\n\nAt this point you are done; select \"OK\" and the computer will reboot trusting\nthe key for your modules:\n\n![Perform MOK management](/images/mok-key-6.png)\n\nAfter reboot, you can inspect the MOK certificates with the following command:\n\n```\n# mokutil --list-enrolled | grep DKMS\n        Subject: CN=DKMS module signing key\n```\n\nTo check the signature on a built DKMS module that is installed on a system:\n\n```\n# modinfo dkms_test | grep ^signer\nsigner:         DKMS module signing key\n```\n\nThe module can now be loaded without issues.\n\n### MOK certificate encryption algorithm\n\nUEFI specification 2.11 [contains a list of valid encryption keys](https://uefi.org/specs/UEFI/2.11/37_Secure_Technologies.html#encryption-algorithm-properties) for the MOK certificate.\nThe list 
is quite limited, basically offering only RSA as a valid key type.\nFor maximum compatibility, DKMS generates the MOK certificate with a *2048 bit RSA key with SHA-2 256 as a digest*.\n\n\n## Further Documentation\n\nOnce DKMS is installed, you can reference its man page for further information on different DKMS options and also to understand the formatting of a module's `dkms.conf` configuration file.\n\nThe DKMS project is located at: https://github.com/dell/dkms\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdell%2Fdkms","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdell%2Fdkms","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdell%2Fdkms/lists"}