
Installation is broken when custom SecureBoot keys are used (no shim-signed package is installed) #507

Open
vbaskoff opened this issue Jan 28, 2025 · 0 comments

Hi All,

My environment is:

[$]> lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.5 LTS
Release:        22.04
Codename:       jammy

[$]> dpkg -l | egrep -w '(grub|dkms|shim|displaylink|evdi)'
ii  displaylink-driver                             6.1.0-17                                       amd64        DisplayLink Driver Software provides production quality support for DisplayLink USB 3.0 devices on specific variants of desktop Ubuntu Linux.
ii  dkms                                           2.8.7-2ubuntu2.2                               all          Dynamic Kernel Module Support Framework
ii  evdi                                           1.14.8-133                                     amd64        Extensible Virtual Display Interface (EVDI) is a Linux® kernel module that enables management of multiple screens.
ii  grub-common                                    2.06-2ubuntu7.2                                amd64        GRand Unified Bootloader (common files)
ii  grub-efi-amd64                                 2.06-2ubuntu14.4                               amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii  grub-efi-amd64-bin                             2.06-2ubuntu14.4                               amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
rc  shim-signed                                    1.51.3+15.7-0ubuntu1                           amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)

My SecureBoot configuration is totally hardened and uses certificates issued by my own PKI, so no Microsoft or other vendor certificates are involved in the chain.

I use the built-in DKMS hook to auto-sign modules with the proper key on install.

[$]> grep -v '#' /etc/dkms/framework.conf 
verbose="5"
sign_tool="/opt/sb/sbin/dkms-sign-helper.sh"

[$]> sudo cat /opt/sb/sbin/dkms-sign-helper.sh
#!/bin/bash
/lib/modules/"${1}"/build/scripts/sign-file \
    sha512 \
    /etc/keys/db.key \
    /etc/keys/db.der \
    "${2}"

In the context of such an OS configuration I have no need for the shim-signed package, so no 'update-secureboot-policy' command is available.

It totally breaks the logic of this function https://github.com/DisplayLink/evdi/blob/main/module/dkms_install.sh#L26-L36
because it relies on the unconditional presence of the "update-secureboot-policy --enroll-key" command whenever 'mokutil' reports that SecureBoot is enabled.

As a result this error appears on every evdi module upgrade on my system:

error "Failed to enroll SecureBoot key."

[$]>  set -x
[$]> enroll_secureboot_key()
{
  if command -v mokutil >/dev/null && mokutil --sb-state | grep -i "SecureBoot enabled" > /dev/null; then
    update-secureboot-policy --enroll-key 2> /dev/null || return

    if [[ -z $EVDI_REBOOT_RATIONALE && $(mokutil --list-new | wc -l) -gt 0 ]]; then
      EVDI_REBOOT_RATIONALE="SecureBoot key was enrolled during the installation."
    fi
  fi
  return 0
}

[$]>   if ! enroll_secureboot_key; then
    error "Failed to enroll SecureBoot key."
    return 1
  fi
+ enroll_secureboot_key
+ command -v mokutil
+ mokutil --sb-state
+ grep --color=auto -i 'SecureBoot enabled'
+ update-secureboot-policy --enroll-key
+ return
+ error 'Failed to enroll SecureBoot key.'
bash: error: command not found
+ return 1

As a workaround I patch dkms_install.sh on every update to comment out this 'if' block:

if ! enroll_secureboot_key; then

SUGGESTION: Is it possible to adjust the logic of enroll_secureboot_key() so that it does not fail when no 'update-secureboot-policy' command is available or a DKMS hook is configured?
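A tolerant variant of enroll_secureboot_key() along the lines of the suggestion above, as an added example that is not the evdi project's own code. It assumes that a sign_tool entry in /etc/dkms/framework.conf means the administrator's own key already signs modules (so MOK enrollment is unnecessary), and that DKMS_FRAMEWORK_CONF may be overridden to point at a different file.

```shell
#!/bin/sh
# Added example, not evdi's dkms_install.sh. Only a real failure of
# update-secureboot-policy is treated as an error; "tool absent" and
# "DKMS signs with a custom key" are reported and skipped.
# Assumption: DKMS_FRAMEWORK_CONF can be overridden (defaults to the DKMS path).
DKMS_FRAMEWORK_CONF="${DKMS_FRAMEWORK_CONF:-/etc/dkms/framework.conf}"

# 0 when mokutil reports SecureBoot enabled; 1 otherwise (mokutil missing included).
secureboot_enabled() {
  command -v mokutil >/dev/null 2>&1 || return 1
  mokutil --sb-state 2>/dev/null | grep -qi "SecureBoot enabled"
}

# 0 when framework.conf sets a custom sign_tool, i.e. DKMS already signs
# modules with the administrator's own db key and no MOK enrollment is needed.
dkms_custom_sign_tool() {
  [ -r "$DKMS_FRAMEWORK_CONF" ] || return 1
  grep -Eq '^[[:space:]]*sign_tool=' "$DKMS_FRAMEWORK_CONF"
}

# Prints the path taken; returns 1 only if update-secureboot-policy itself fails.
enroll_secureboot_key() {
  if ! secureboot_enabled; then
    echo "skip: SecureBoot not enabled"
    return 0
  fi
  if dkms_custom_sign_tool; then
    echo "skip: DKMS sign_tool configured, modules signed with custom key"
    return 0
  fi
  if ! command -v update-secureboot-policy >/dev/null 2>&1; then
    echo "skip: update-secureboot-policy not installed (no shim-signed)"
    return 0
  fi
  if ! update-secureboot-policy --enroll-key 2>/dev/null; then
    echo "error: update-secureboot-policy --enroll-key failed"
    return 1
  fi
  echo "enrolled"
  return 0
}
```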
