[Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158

https://bugzilla.suse.com/show_bug.cgi?id=1173158#c57

--- Comment #57 from Joey Lee <jlee@suse.com> ---
(In reply to Joey Lee from comment #49)
> (In reply to Michal Kubeček from comment #11)
> > Have you really checked that we actually have a problem with unsigned modules?
> > We have
> >
> >   CONFIG_MODULE_SIG=y
> >   CONFIG_MODULE_SIG_FORCE=n
> >
> > in the Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says
> >
> >   Reject unsigned modules or signed modules for which we don't have a key.
> >   Without this, such modules will simply taint the kernel.
> >
> > so that loading an unsigned module (or module signed with an unknown key) should taint the kernel and write a warning into the kernel log but the module should load anyway.
>
> For the upstream kernel, yes! But on SLE and LEAP (inherited from SLE), the kernel has a SUSE patch that enables SIG_FORCE when secure boot is enabled.

Sorry! I want to update the above comment. The SUSE patch is applied to the old SLE kernel. For any new kernel after v5.2-rc1, Mimi Zohar's IMA patch puts the same logic into the mainline kernel:

commit 8db5da0b8618df79eceea99672e205d4a2a6309e
Author: Mimi Zohar <zohar@linux.ibm.com>
Date:   Sun Jan 27 19:03:45 2019 -0500

    x86/ima: require signed kernel modules

    Have the IMA architecture specific policy require signed kernel modules
    on systems with secure boot mode enabled; and coordinate the different
    signature verification methods, so only one signature is required.

    Requiring appended kernel module signatures may be configured, enabled
    on the boot command line, or with this patch enabled in secure boot
    mode. This patch defines set_module_sig_enforced().

    To coordinate between appended kernel module signatures and IMA
    signatures, only define an IMA MODULE_CHECK policy rule if
    CONFIG_MODULE_SIG is not enabled. A custom IMA policy may still define
    and require an IMA signature.

    Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
    Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
    Acked-by: Jessica Yu <jeyu@kernel.org>

But the logic only works with CONFIG_IMA_ARCH_POLICY=y. We didn't enable it on SLE/openSUSE, which means that SIG_FORCE should not be enabled under secure boot on SLE15-SP2 or LEAP 15.2.

On SLE15-SP2, the integrity lock-down mode is enabled when secure boot is enabled. It only enables MODULE_SIG, but I didn't see MODULE_SIG_FORCE. I will use qemu-OVMF to look at the behavior again.
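
The interplay discussed in the comment above, as an added example that is not part of the bug report, the SUSE patch or the kernel source: a shell model that reads a kernel config file and reports what happens to an unsigned module for a given secure boot state. The function names `cfg_on` and `module_sig_policy` are hypothetical, `module.sig_enforce` is taken to be the boot parameter the commit message refers to, and the lock-down mode, whose effect the comment leaves to be checked, is not modelled.

```shell
#!/bin/sh
# Added example: a model of the decision described in the thread, not kernel code.
# The lock-down mode mentioned in the comment is deliberately not modelled.

# cfg_on FILE SYMBOL: succeeds when FILE contains "SYMBOL=y".
cfg_on() { grep -q "^$2=y\$" "$1"; }

# module_sig_policy CONFIG_FILE CMDLINE SECURE_BOOT   (SECURE_BOOT is 1 or 0)
# Prints one of:
#   enforce  - unsigned or unknown-key modules are rejected
#   taint    - such modules load, tainting the kernel and logging a warning
#   ima-rule - no appended signatures; the arch policy adds an IMA MODULE_CHECK rule
#   none     - these options impose no module signature check
module_sig_policy() {
    cfg=$1; cmdline=$2; sb=$3
    arch_policy=0
    # The secure-boot logic from commit 8db5da0b8618 needs CONFIG_IMA_ARCH_POLICY=y.
    if [ "$sb" = 1 ] && cfg_on "$cfg" CONFIG_IMA_ARCH_POLICY; then arch_policy=1; fi

    if ! cfg_on "$cfg" CONFIG_MODULE_SIG; then
        if [ "$arch_policy" = 1 ]; then echo ima-rule; else echo none; fi
        return 0
    fi
    if cfg_on "$cfg" CONFIG_MODULE_SIG_FORCE; then echo enforce; return 0; fi
    case " $cmdline " in
        *" module.sig_enforce "*|*" module.sig_enforce=1 "*) echo enforce; return 0 ;;
    esac
    # With CONFIG_MODULE_SIG=y the arch policy calls set_module_sig_enforced().
    if [ "$arch_policy" = 1 ]; then echo enforce; else echo taint; fi
}

# Constructed sample: the Leap 15.2 settings quoted in the thread.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
# CONFIG_IMA_ARCH_POLICY is not set
EOF
echo "secure boot on:  $(module_sig_policy "$demo_cfg" "quiet splash" 1)"
echo "secure boot off: $(module_sig_policy "$demo_cfg" "quiet splash" 0)"
rm -f "$demo_cfg"
```

On a real system the config would come from `/boot/config-$(uname -r)` and the command line from `/proc/cmdline`.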