14 Jun 2023 14:08
Hi Bruno, On Wed, Jun 14, 2023 at 08:39:33AM -0000, Bruno Pitrus wrote:
> On your system you can do this. Your risk. SUSE can't do this, i.e. keeping the generated private key on the hard disk.
> If I sign the compiled modules with the same key that is in the Secure Boot db (NOT the MOK), will the kernel trust them?
The upstream kernel only allows keys in db to be used to verify kexec images. We put a downstream kernel patch into the Tumbleweed kernel to allow db keys to be used to verify kernel modules. But this expansion is only in the kernel/module subsystem, not in IMA.

In the future, if the IMA-mok function for modsign is ready, we may remove this downstream patch, because IMA is the official mechanism for handling integrity.

Regards
Joey Lee
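A diagnostic that follows from the reply above, added here as an example and not part of the thread: it takes a module's signer key id (as `modinfo -F sig_key` prints it) and the `keyctl show` listings of the kernel keyrings, and reports whether the signer sits in `.secondary_trusted_keys` (trusted by upstream module verification) or only in `.platform` (where db certificates land, so module loading would depend on the downstream patch). All listings below are constructed sample data; the example assumes MOK certificates are linked into `.secondary_trusted_keys` and that asymmetric key descriptions end with the key id in lowercase hex, which may differ between kernel versions.

```shell
#!/bin/sh
# Classify the keyring holding a kernel module's signer key.
# All inputs are constructed samples standing in for real command output.

# Constructed `modinfo -F sig_key <module>` output (colon-separated key id).
MOD_SIG_KEY='0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D'

# Constructed `keyctl show %:.platform` output: db certs end up here.
PLATFORM_KEYRING='Keyring
 123456789 ---lswrv      0     0  keyring: .platform
 234567890 ---lswrv      0     0   \_ asymmetric: Sample Secure Boot db CA: 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d'

# Constructed `keyctl show %:.secondary_trusted_keys` output: MOK certs
# linked here are trusted by upstream module signature verification.
SECONDARY_KEYRING='Keyring
 345678901 ---lswrv      0     0  keyring: .secondary_trusted_keys
 456789012 ---lswrv      0     0   \_ asymmetric: Sample MOK key: ffeeddccbbaa99887766554433221100ffeeddcc'

# Normalise a colon-separated key id to lowercase hex without colons,
# matching the trailing id in a keyring description.
normalize_key_id() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Succeed if the keyring listing holds an asymmetric key with this id.
keyring_has_key() {
    printf '%s\n' "$1" | grep -q "asymmetric: .*: $2\$"
}

# Print one of: trusted-upstream, platform-only, untrusted.
#   trusted-upstream : signer is in .secondary_trusted_keys (MOK path)
#   platform-only    : signer is only in .platform (db); upstream uses it
#                      for kexec only, module load needs the downstream patch
classify_signer() {
    key_id=$(normalize_key_id "$1")
    if keyring_has_key "$SECONDARY_KEYRING" "$key_id"; then
        echo "trusted-upstream"
    elif keyring_has_key "$PLATFORM_KEYRING" "$key_id"; then
        echo "platform-only"
    else
        echo "untrusted"
    fi
}

classify_signer "$MOD_SIG_KEY"
```

On a real system, replace the constructed strings with the output of `modinfo -F sig_key` and `keyctl show` for the keyrings named above.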