Comment # 54 on bug 1173158 from 
(In reply to Joey Lee from comment #49)
> (In reply to Michal Kube��ek from comment #11)
> > Have you really checked that we actually have a problem with unsigned
> > modules?
> > 
> > We have
> > 
> >   CONFIG_MODULE_SIG=y
> >   CONFIG_MODULE_SIG_FORCE=n
> > 
> > in Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says
> > 
> >     Reject unsigned modules or signed modules for which we don't have a
> >     key.  Without this, such modules will simply taint the kernel.
> > 
> > so that loading an unsigned module (or module signed with an unknown key)
> > should taint the kernel and write a warning into kernel log but the module
> > should load anyway.
> 
> For upstream kernel, yes! But on SLE and LEAP (inherit from SLE), kernel has
> a SUSE patch that it enable SIG_FORCE when secure boot be enabled.

(In reply to Joey Lee from comment #49)
> (In reply to Michal Kube��ek from comment #11)
> > Have you really checked that we actually have a problem with unsigned
> > modules?
> > 
> > We have
> > 
> >   CONFIG_MODULE_SIG=y
> >   CONFIG_MODULE_SIG_FORCE=n
> > 
> > in Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says
> > 
> >     Reject unsigned modules or signed modules for which we don't have a
> >     key.  Without this, such modules will simply taint the kernel.
> > 
> > so that loading an unsigned module (or module signed with an unknown key)
> > should taint the kernel and write a warning into kernel log but the module
> > should load anyway.
> 
> For upstream kernel, yes! But on SLE and LEAP (inherit from SLE), kernel has
> a SUSE patch that it enable SIG_FORCE when secure boot be enabled.

The LOCK_DOWN_IN_EFI_SECURE_BOOT=n can be used to disable the connection
between secure boot with kernel lock down mode. But that means we must maintain
a Leap flavor kernel config.

You are receiving this mail because: