Andrei Borzenkov wrote:
> On Tue, Mar 7, 2023 at 11:27 AM Bruno Pitrus brunopitrus@hotmail.com wrote:
>> How does one load unsigned modules if one does not have shim installed?
>
> Pragmatic answer - use shim :)

Does a kernel know it is being loaded through shim instead of directly and behave differently?

>> I use Dracut's unified kernel image functionality, which produces an .efi file containing kernel + initramfs + hardcoded boot options that is signed with a custom key.
>
> This implies that you replaced the default PK/KEK with your custom certificates. In which case nothing prevents you from adding the SUSE certificate to db to be used by the kernel to verify modules.

The SUSE certificates are irrelevant on Tumbleweed. The Nvidia modules are not signed there, as they are built locally.

>> (Allowing the kernel to load an untrusted initramfs misses the point of Secure Boot completely).
>
> And what's the point of enforcing verification of initrd but allowing untrusted kernel modules?

Where would you pull an "untrusted" kernel module from? By the time we can load any non-boot-essential modules, we already have trusted that system. I am using full disk encryption on that computer. The initrd is the only thing that could actually be modified without knowing the key, as it needs to be placed in an unencrypted partition. Secure Boot prevents that.
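The thread turns on whether a locally built module (the Nvidia one here) carries a signature the kernel could check against a certificate in db. As an added illustration, not code from either poster, the following parses the trailer the kernel appends to a signed .ko (PKCS#7 blob, a 12-byte `struct module_signature`, then the magic string `~Module signature appended~\n`) and reports whether a module file is signed at all, applying the same sanity checks the kernel applies before it even looks at the certificate. The module and PKCS#7 bytes below are constructed samples, not a real module or a real signature.

```python
import struct

# Trailer layout of a signed kernel module, as appended by scripts/sign-file:
#   [ELF module][PKCS#7 DER signature][struct module_signature][magic]
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len; u8 __pad[3]; __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(ko: bytes):
    """Return a dict describing the appended signature, or None when the module is unsigned.

    Raises ValueError for a trailer the kernel would reject as malformed; it does not
    verify the PKCS#7 blob itself, which needs the platform's trusted keyring.
    """
    if not ko.endswith(MODULE_SIG_MAGIC):
        return None  # no trailer: an unsigned, e.g. locally built, module
    body = ko[:-len(MODULE_SIG_MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported id_type {id_type}")
    # For PKCS#7 signatures every other header field must be zero.
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("non-zero fields in PKCS#7 module_signature header")
    payload = body[:-SIG_STRUCT.size]
    if sig_len >= len(payload):
        raise ValueError("sig_len exceeds module size")
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "pkcs7": payload[-sig_len:],
        "module_len": len(payload) - sig_len,
    }


# Constructed sample input: a fake 64-byte module body and a fake 32-byte "PKCS#7" blob.
FAKE_MODULE = b"\x7fELF" + b"\x00" * 60
FAKE_PKCS7 = b"\x30\x82\x00\x1c" + b"A" * 28  # not real DER, only a placeholder
SIGNED_SAMPLE = (FAKE_MODULE + FAKE_PKCS7
                 + SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(FAKE_PKCS7))
                 + MODULE_SIG_MAGIC)
UNSIGNED_SAMPLE = FAKE_MODULE

if __name__ == "__main__":
    for name, blob in (("signed", SIGNED_SAMPLE), ("unsigned", UNSIGNED_SAMPLE)):
        print(name, parse_module_signature(blob))
```

On a real system the same function can be run over the bytes of any .ko under /lib/modules to list which modules would be refused when the kernel enforces module signatures.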