[opensuse-kernel] openSUSE Tumbleweed will receive signed modules
Hi, we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future. The reasons are at least: * to allow for more security (attackers have harder times to replace our modules with theirs) * offer what SLE offers. We have modules signing there since SLE11 (i.e. 2012)! * be competitive with other distros; ubuntu and fedora both sign So my plan is to enable modules signing in the near future, perhaps even before merging 4.16 and push it out to the wild. There may be some nits to solve, but given we are flying on SLE for years already, it should be no hard work. As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me including) to have secure boot disabled. That is not nice at all. thanks, -- js suse labs -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On 2 March 2018 at 15:44, Jiri Slaby <jslaby@suse.cz> wrote:
Hi,
we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future.
The reasons are at least: * to allow for more security (attackers have harder times to replace our modules with theirs) * offer what SLE offers. We have modules signing there since SLE11 (i.e. 2012)! * be competitive with other distros; ubuntu and fedora both sign
So my plan is to enable modules signing in the near future, perhaps even before merging 4.16 and push it out to the wild. There may be some nits to solve, but given we are flying on SLE for years already, it should be no hard work.
As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me including) to have secure boot disabled. That is not nice at all.
thanks, -- js suse labs
Awesome! thanks Jiri -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Fri, 2 Mar 2018 16:08:20 +0100 Richard Brown <RBrownCCB@opensuse.org> wrote:
On 2 March 2018 at 15:44, Jiri Slaby <jslaby@suse.cz> wrote:
Hi,
we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future.
The reasons are at least: * to allow for more security (attackers have harder times to replace our modules with theirs) * offer what SLE offers. We have modules signing there since SLE11 (i.e. 2012)! * be competitive with other distros; ubuntu and fedora both sign
So my plan is to enable modules signing in the near future, perhaps even before merging 4.16 and push it out to the wild. There may be some nits to solve, but given we are flying on SLE for years already, it should be no hard work.
As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me including) to have secure boot disabled. That is not nice at all.
On the other hand, for people who test on Leap we should probably preserve an unsigned flavor or provide a separate repo built against Leap. Thanks Michal -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On 03/02/2018, 04:13 PM, Michal Suchánek wrote:
As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me including) to have secure boot disabled. That is not nice at all.
On the other hand, for people who test on Leap we should probably preserve an unsigned flavor or provide a separate repo built against Leap.
Sorry, I don't understand now -- what would be the purpose? Or are you replying to the Kernel:* signing by SUSE keys part? That would only change from Kernel:* keys (not in any FW) to SUSE keys (in FW or shim or wherever it is). thanks, -- js suse labs -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
Hi, On Fri, Mar 02, 2018 at 03:44:20PM +0100, Jiri Slaby wrote:
Hi,
we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future.
The reasons are at least: * to allow for more security (attackers have harder times to replace our modules with theirs) * offer what SLE offers. We have modules signing there since SLE11 (i.e. 2012)! * be competitive with other distros; ubuntu and fedora both sign
So my plan is to enable modules signing in the near future, perhaps even before merging 4.16 and push it out to the wild. There may be some nits to solve, but given we are flying on SLE for years already, it should be no hard work.
As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me including) to have secure boot disabled. That is not nice at all.
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Fri, 02 Mar 2018 16:38:15 +0100, Marcus Meissner wrote:
Hi,
On Fri, Mar 02, 2018 at 03:44:20PM +0100, Jiri Slaby wrote:
Hi,
we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future.
The reasons are at least: * to allow for more security (attackers have harder times to replace our modules with theirs) * offer what SLE offers. We have modules signing there since SLE11 (i.e. 2012)! * be competitive with other distros; ubuntu and fedora both sign
So my plan is to enable modules signing in the near future, perhaps even before merging 4.16 and push it out to the wild. There may be some nits to solve, but given we are flying on SLE for years already, it should be no hard work.
As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me including) to have secure boot disabled. That is not nice at all.
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.
Isn't the situation as same as on SLED? Takashi -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On 03/02/2018, 04:45 PM, Takashi Iwai wrote:
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.
Isn't the situation as same as on SLED?
BTW are we not signing KMPs provided by us? thanks, -- js suse labs -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Fri, 02 Mar 2018 17:37:33 +0100, Jiri Slaby wrote:
On 03/02/2018, 04:45 PM, Takashi Iwai wrote:
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.
Isn't the situation as same as on SLED?
BTW are we not signing KMPs provided by us?
I thought we do. Takashi -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
02.03.2018 20:05, Takashi Iwai пишет:
On Fri, 02 Mar 2018 17:37:33 +0100, Jiri Slaby wrote:
On 03/02/2018, 04:45 PM, Takashi Iwai wrote:
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.
Isn't the situation as same as on SLED?
BTW are we not signing KMPs provided by us?
I thought we do.
nVidia KMP is compiled on user system, not delivered and installed as binary. -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On Fri, 02 Mar 2018 18:33:11 +0100, Andrei Borzenkov wrote:
02.03.2018 20:05, Takashi Iwai пишет:
On Fri, 02 Mar 2018 17:37:33 +0100, Jiri Slaby wrote:
On 03/02/2018, 04:45 PM, Takashi Iwai wrote:
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.
Isn't the situation as same as on SLED?
BTW are we not signing KMPs provided by us?
I thought we do.
nVidia KMP is compiled on user system, not delivered and installed as binary.
Right. But it's not "provided by us", so a different story :) Takashi -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
Hi, On 03/02/2018, 04:38 PM, Marcus Meissner wrote:
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.
I do not plan to disable loading of unsigned modules (I don't want MODULE_SIG_FORCE). The kernel will just spit on those users, the same it does now for out-of-tree modules. thanks, -- js suse labs -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On 03/02/2018, 04:47 PM, Jiri Slaby wrote:
Hi,
On 03/02/2018, 04:38 PM, Marcus Meissner wrote:
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.
I do not plan to disable loading of unsigned modules (I don't want MODULE_SIG_FORCE). The kernel will just spit on those users, the same it does now for out-of-tree modules.
I.e. the same as on SLE: SLE15:config/x86_64/default:CONFIG_MODULE_SIG=y SLE15:config/x86_64/default:# CONFIG_MODULE_SIG_FORCE is not set SLE15:config/x86_64/default:# CONFIG_MODULE_SIG_ALL is not set SLE15:config/x86_64/default:# CONFIG_MODULE_SIG_SHA1 is not set SLE15:config/x86_64/default:# CONFIG_MODULE_SIG_SHA224 is not set SLE15:config/x86_64/default:CONFIG_MODULE_SIG_SHA256=y SLE15:config/x86_64/default:# CONFIG_MODULE_SIG_SHA384 is not set SLE15:config/x86_64/default:# CONFIG_MODULE_SIG_SHA512 is not set SLE15:config/x86_64/default:CONFIG_MODULE_SIG_HASH="sha256" SLE15:config/x86_64/default:CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
thanks, -- js suse labs -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
On vendredi, 2 mars 2018 15.44:20 h CET Jiri Slaby wrote:
Hi,
we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future.
As said before, wonderfull, and awesome. If all external binary (like nvidia, and other I don't know) are still working it's even better. I would recommend a small news.o.o article, first to bright in the shine, and also explain why some user (like I will) will find some message from the kernel about their unsigned modules. My secret hope is avoiding a yet another bikeshredding thread in -factory ;-) -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch Bareos Partner, openSUSE Member, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
participants (7)
-
Andrei Borzenkov -
Bruno Friedmann -
Jiri Slaby -
Marcus Meissner -
Michal Suchánek -
Richard Brown -
Takashi Iwai