[kernel-bugs] [Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158
https://bugzilla.suse.com/show_bug.cgi?id=1173158#c54
--- Comment #54 from Joey Lee
(In reply to Michal Kubeček from comment #11)
Have you really checked that we actually have a problem with unsigned modules?
We have
CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=n
in Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says
Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel.
so that loading an unsigned module (or module signed with an unknown key) should taint the kernel and write a warning into kernel log but the module should load anyway.
For upstream kernel, yes! But on SLE and LEAP (inherit from SLE), kernel has a SUSE patch that it enable SIG_FORCE when secure boot be enabled.
(In reply to Joey Lee from comment #49)
(In reply to Michal Kubeček from comment #11)
Have you really checked that we actually have a problem with unsigned modules?
We have
CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_FORCE=n
in Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says
Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel.
so that loading an unsigned module (or module signed with an unknown key) should taint the kernel and write a warning into kernel log but the module should load anyway.
For upstream kernel, yes! But on SLE and LEAP (inherit from SLE), kernel has a SUSE patch that it enable SIG_FORCE when secure boot be enabled.
The LOCK_DOWN_IN_EFI_SECURE_BOOT=n can be used to disable the connection between secure boot with kernel lock down mode. But that means we must maintain a Leap flavor kernel config. -- You are receiving this mail because: You are the assignee for the bug.
participants (1)
-
bugzilla_noreply@suse.com