[kernel-bugs] [Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158
https://bugzilla.suse.com/show_bug.cgi?id=1173158#c57
--- Comment #57 from Joey Lee
(In reply to Michal Kubeček from comment #11)
Have you really checked that we actually have a problem with unsigned modules?
We have
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=n
in Leap 15.2 kernel and the help text for CONFIG_MODULE_SIG_FORCE says
Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel.
so that loading an unsigned module (or module signed with an unknown key) should taint the kernel and write a warning into kernel log but the module should load anyway.
For upstream kernel, yes! But on SLE and LEAP (inherited from SLE), the kernel has a SUSE patch that enables SIG_FORCE when secure boot is enabled.
Sorry! I want to update the above comment.
The SUSE patch is applied on old SLE kernels. For any new kernel after v5.2-rc1,
Mimi Zohar's IMA patch puts the same logic into the mainline kernel:
commit 8db5da0b8618df79eceea99672e205d4a2a6309e
Author: Mimi Zohar
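
Added example, not part of the bug comment and not SUSE or kernel code: a shell check that tells the "taint but load" case from the "reject" case discussed above, using the build-time options and the runtime `sig_enforce` module parameter. The helper name `modsig_policy` is hypothetical, the sample files are constructed, and it assumes the secure-boot enforcement described in the comment is reflected in `/sys/module/module/parameters/sig_enforce`.

```shell
#!/bin/sh
# Usage: modsig_policy CONFIG_FILE SIG_ENFORCE_FILE
# Prints how an unsigned module is treated:
#   none    - CONFIG_MODULE_SIG is not set, signatures are not checked
#   taint   - the module loads, the kernel is tainted and a warning is logged
#   enforce - the module is rejected
modsig_policy() {
    cfg=$1
    enforce_param=$2
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    if ! grep -qx 'CONFIG_MODULE_SIG=y' "$cfg"; then
        echo none
        return 0
    fi
    # Build-time default: CONFIG_MODULE_SIG_FORCE=y always rejects.
    if grep -qx 'CONFIG_MODULE_SIG_FORCE=y' "$cfg"; then
        echo enforce
        return 0
    fi
    # Runtime state: the parameter reads Y once enforcement has been
    # switched on after build time, even though the config says FORCE=n.
    if [ -r "$enforce_param" ] && [ "$(cat "$enforce_param")" = "Y" ]; then
        echo enforce
    else
        echo taint
    fi
}

# Constructed sample input (not taken from a real system): the Leap 15.2
# settings quoted in the comment, with the runtime flag off and on.
demo_dir=$(mktemp -d)
printf '%s\n' 'CONFIG_MODULE_SIG=y' '# CONFIG_MODULE_SIG_FORCE is not set' > "$demo_dir/config"
printf 'N\n' > "$demo_dir/sig_enforce_off"
printf 'Y\n' > "$demo_dir/sig_enforce_on"
echo "runtime flag N: $(modsig_policy "$demo_dir/config" "$demo_dir/sig_enforce_off")"
echo "runtime flag Y: $(modsig_policy "$demo_dir/config" "$demo_dir/sig_enforce_on")"
rm -rf "$demo_dir"

# On a live system:
#   modsig_policy "/boot/config-$(uname -r)" /sys/module/module/parameters/sig_enforce
```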