Mailinglist Archive: opensuse-security (22 mails)

Re: [opensuse-security] signing custom kernel for secure boot
On 29.03.2017 at 18:14, jsegitz@xxxxxxx wrote:
> On Wed, Mar 29, 2017 at 01:04:46PM +0200, Malte Gell wrote:
>> to bring pain to a new level I play with secure boot and want to get a
>> custom kernel to run with secure boot. I read the SUSE how-to from there:
>>
>> https://en.opensuse.org/openSUSE:UEFI#Booting_a_custom_kernel
>>
>> But, I am a bit confused, this guide signs vmlinuz, but not a single
>> module!?
>> Don't the kernel modules need to be signed as well?
>
> For openSUSE kernels module loading is not restricted (for SLES it is)

Ok. I think this is no problem, there still is MODULE_SIG_FORCE to care
for signed modules.

And, do I understand correctly, MokManager.efi is signed with the
Microsoft KEK and writes my user key into the UEFI db key store? Thus,
MokManager.efi is a way to get user keys into UEFI db?

thanks
