(In reply to Joey Lee from comment #49) > (In reply to Michal Kube��ek from comment #11) > > Have you really checked that we actually have a problem with unsigned > > modules? > > > > We have > > > > CONFIG_MODULE_SIG=y > > CONFIG_MODULE_SIG_FORCE=n > > > > in Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says > > > > Reject unsigned modules or signed modules for which we don't have a > > key. Without this, such modules will simply taint the kernel. > > > > so that loading an unsigned module (or module signed with an unknown key) > > should taint the kernel and write a warning into kernel log but the module > > should load anyway. > > For upstream kernel, yes! But on SLE and LEAP (inherit from SLE), kernel has > a SUSE patch that it enable SIG_FORCE when secure boot be enabled. (In reply to Joey Lee from comment #49) > (In reply to Michal Kube��ek from comment #11) > > Have you really checked that we actually have a problem with unsigned > > modules? > > > > We have > > > > CONFIG_MODULE_SIG=y > > CONFIG_MODULE_SIG_FORCE=n > > > > in Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says > > > > Reject unsigned modules or signed modules for which we don't have a > > key. Without this, such modules will simply taint the kernel. > > > > so that loading an unsigned module (or module signed with an unknown key) > > should taint the kernel and write a warning into kernel log but the module > > should load anyway. > > For upstream kernel, yes! But on SLE and LEAP (inherit from SLE), kernel has > a SUSE patch that it enable SIG_FORCE when secure boot be enabled. The LOCK_DOWN_IN_EFI_SECURE_BOOT=n can be used to disable the connection between secure boot with kernel lock down mode. But that means we must maintain a Leap flavor kernel config.