Comment # 10 on bug 1209006 from 
(In reply to Michal Suchanek from comment #6)
> On Leap we don't need the secondary keyring at all, we have a downstream
> patch that loads the MOK keys into platform keyring, and verifies modules
> with platform keyring.
> 

On the other hand, as Michal mentioned, SLE/Leap applied downstream patch:

patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch

This patch allows modsign function mod_verify_sig() uses .platform keyring to
verify kernel module. We didn't have this patch in openSUSE Tumbleweed yet.

I have checked the following kernels from different distros, all of them are
applied the same downstream patch:

Ubuntu    ubuntu-stable-kinetic
              no CONFIG_INTEGRITY_MACHINE_KEYRING

CentOS Stream 9    kernel linux-5.14.0-214.el9.x86_64
              no CONFIG_INTEGRITY_MACHINE_KEYRING

Fedora 37   kernel-6.2.2-301.fc38.src.rpm
              CONFIG_INTEGRITY_MACHINE_KEYRING=y

Fedora 37 has set CONFIG_INTEGRITY_MACHINE_KEYRING, but it still applied
downstream patch to allow .platform keyring be used to verify kernel modules.

We can also apply this patch to openSUSE Tumbleweed, but this patch may never
be accepted by kernel upstream. Because in Eric Snowberg's "Add CA enforcement
keyring restrictions" solution, only CA in MOK can be put to .secondary
keyring.  Other non-CA MOKs still can not be used to verify kernel module. User
needs to use keyctl to add it to .secondary keyring after the CA MOK be added.

If we don't apply downstream patch and choice waiting Eric's solution is
accepted. Then the only solution is disabling secure boot currently.

You are receiving this mail because: