How to create Debian package for out-of-tree module that works with apt upgrade when secure boot is enabled

Question

We have created our own fpga driver for a target with Ubuntu 18.04 HWE kernel, running with secure boot enabled. This driver is signed and put into a Debian package like fpga-driver-5.3.0-42-generic_1.1_amd64.deb, and then we upload this driver to our custom Ubuntu package server. On our target we have a link to our package server in /etc/apt/source.list.d/ folder and we are able to install the driver with

sudo apt install fpga-driver-5.3.0-42-generic

If we upgrade our driver to fpga-driver-5.3.0-42-generic_1.2_amd64.deb, we can now run apt upgrade and all is fine as long as kernel version is the same.

From time to time the HWE kernel is stepped up and we rebuild the driver and create a new Debian package like fpga-driver-5.3.0-51-generic_1.2_amd64.deb. If we now run apt upgrade on target, everything else is updated, except our driver. We have to manually install it again to make it work, but this is not a good solution for the end user.

So the question is how should we do this to do it the 'Debian way'?

I'm aware of that from apt's point of view the package names are different (fpga-driver-5.3.0-42-generic vs fpga-driver-5.3.0-51-generic) so it don't understand that it should upgrade this package, but we must support more than one kernel.

We can't use dkms as most of the solutions on the web points to since we have to sign this driver to make it work under secure boot, and we must be able to upgrade kernel version.

Answer 1

The Debian way would be a meta package. This is just an empty package which depends on the current version of your driver. Everytime you upgrade your driver, you also set the dependencies of the meta package to your new package. A well know example is linux-image-amd64. This package points to the latest version of the kernel of your repository. Currently to linux-image-5.5.0-0.bpo.2-amd64 and a few days ago to linux-image-5.4.0-0.bpo.4-amd64.