[kernel-bugs] [Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158
https://bugzilla.suse.com/show_bug.cgi?id=1173158#c58

--- Comment #58 from Joey Lee <jlee@suse.com> ---

(In reply to Joey Lee from comment #57)

[...snip]
The SUSE patch is applied to old SLE kernels. For any new kernel after v5.2-rc1, Mimi Zohar's IMA patch puts the same logic into the mainline kernel:
commit 8db5da0b8618df79eceea99672e205d4a2a6309e
Author: Mimi Zohar <zohar@linux.ibm.com>
Date:   Sun Jan 27 19:03:45 2019 -0500
x86/ima: require signed kernel modules
[...snip]
But the logic only works with CONFIG_IMA_ARCH_POLICY=y. We didn't enable it on SLE/openSUSE, which means that SIG_FORCE should not be enabled when secure boot is on for SLE15-SP2 or Leap 15.2.

On SLE15-SP2, the integrity lock-down mode is enabled when secure boot is enabled. It only enables MODULE_SIG, but I didn't see MODULE_SIG_FORCE.
I will use qemu-OVMF to look at the behavior again.
I just used qemu-OVMF to confirm the behavior of MODULE_SIG_FORCE on SLE15-SP2:

- When secure boot is disabled: an unsigned kernel module can be loaded, but it will taint the kernel.
- When secure boot is enabled: an unsigned kernel module can NOT be loaded; you get permission denied, e.g.

    linux-npj3:~/tmp # insmod acer-wmi.ko
    insmod: ERROR: could not insert module acer-wmi.ko: Operation not permitted
    [   73.282012] Lockdown: insmod: unsigned module loading is restricted; see man kernel_lockdown.7

After the lock-down patch set was merged to mainline, the logic of sig_force is more complicated because IMA is involved. There are three ways to set sig_force:

- CONFIG_MODULE_SIG_FORCE=y
  Static kernel config to always deny unsigned modules. SLE/Leap disable CONFIG_MODULE_SIG_FORCE.
- CONFIG_IMA_ARCH_POLICY=y + Secure_Boot_ON
  The IMA architecture-specific policy is set and secure boot is enabled; then sig_force will be set. SLE/Leap disable CONFIG_IMA_ARCH_POLICY.
- When the kernel is in lock-down mode (INTEGRITY or CONFIDENTIALITY mode)
  SLE/Leap will lock down in INTEGRITY mode when secure boot is enabled, because we applied the patch and set LOCK_DOWN_IN_EFI_SECURE_BOOT=y. When the kernel is in lock-down mode, sig_force will be set.

For disabling sig_force, either we set LOCK_DOWN_IN_EFI_SECURE_BOOT=n in the Leap kernel config, or the end user chooses to disable secure boot in firmware.

--
You are receiving this mail because:
You are the assignee for the bug.
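A check a defender can run to see which of the three sig_force paths described in the comment above is in effect on a given host. This is an added example, not code from the bug report or from SUSE: it reads the module sig_enforce parameter, the lockdown LSM state, the UEFI SecureBoot variable and the unsigned-module taint bit, then states what insmod of an unsigned module is expected to do. It assumes a kernel with the lockdown LSM (5.4 or later) and securityfs/efivarfs mounted at their usual paths; the root-prefix argument to each function is this example's own device so the logic can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Report why unsigned module loading is (or is not) refused on this host.
# Added example, not from the bug report. Every function takes a root
# prefix ("" for the live system) so it can run against a fake tree.

# The "module" module's sig_enforce parameter ("Y"/"N"), or "absent" on a
# kernel built without CONFIG_MODULE_SIG.
sig_enforce_state() {
    f="$1/sys/module/module/parameters/sig_enforce"
    [ -r "$f" ] || { echo absent; return; }
    tr -d '\n' < "$f"
}

# Active lockdown mode: the bracketed word in /sys/kernel/security/lockdown,
# e.g. "none [integrity] confidentiality" -> integrity.
lockdown_mode() {
    f="$1/sys/kernel/security/lockdown"
    [ -r "$f" ] || { echo absent; return; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# UEFI SecureBoot variable in efivarfs: 4 attribute bytes, then 1 data byte.
secure_boot_state() {
    f="$1/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$f" ] || { echo not-efi; return; }
    b=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    case "$b" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Taint bit 13 (flag 'E', value 8192) is set once an unsigned module has
# been loaded while signature checking was only advisory.
unsigned_module_tainted() {
    f="$1/proc/sys/kernel/tainted"
    [ -r "$f" ] || { echo unknown; return; }
    t=$(cat "$f")
    [ $(( (t / 8192) % 2 )) -eq 1 ] && echo yes || echo no
}

# Combine the facts into the expected outcome of insmod on an unsigned module.
expected_unsigned_module_result() {
    se=$(sig_enforce_state "$1")
    ld=$(lockdown_mode "$1")
    if [ "$se" = "Y" ] || [ "$ld" = integrity ] || [ "$ld" = confidentiality ]; then
        echo refused
    elif [ "$se" = absent ]; then
        echo loaded-unchecked
    else
        echo loaded-tainted
    fi
}

report() {
    echo "secure boot     : $(secure_boot_state "$1")"
    echo "lockdown mode   : $(lockdown_mode "$1")"
    echo "sig_enforce     : $(sig_enforce_state "$1")"
    echo "taint E set     : $(unsigned_module_tainted "$1")"
    echo "unsigned insmod : $(expected_unsigned_module_result "$1")"
}

# Run against the live system ("" = real /).
report ""
```

On a SLE15-SP2 box booted with secure boot on, the report should show lockdown mode "integrity" and "refused", matching the permission-denied insmod above; with secure boot off it should show "none" and "loaded-tainted", and the taint line turns to "yes" after the first unsigned module is inserted.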