On Tue, Mar 7, 2023 at 11:27 AM Bruno Pitrus <brunopitrus@hotmail.com> wrote:
Jiri Slaby wrote:
Trust me, if there is any widespread problem, I will revert the patchset from TW instantly. And let them retry later, when all is settled. Unfortunately without this trial phase, we cannot find out. Note that I'm not much in favor of this "functionality". But it's the way it is. We (open/SUSE) are required to have this so that MS will sign our shim. How does one load unsigned modules if one does not have shim installed?
Pragmatic answer - use shim :)
I use Dracut's unified kernel image functionality, which produces an .efi file containing kernel + initramfs + hardcoded boot options that is signed with a custom key.
This implies that you replaced the default PK/KEK with your custom certificates. In which case nothing prevents you from adding SUSE certificate to db to be used by the kernel to verify modules.
(Allowing the kernel to load an untrusted initramfs misses the point of Secure Boot completely).
And what's the point of enforcing verification of initrd but allowing untrusted kernel modules?
Do you perhaps know of an incantation that I can add to kernel_cmdline to disable lockdown?