FS#52446 - [linux] RFE: enable kernel module signing
Attached to Project:
Arch Linux
Opened by Damjan Georgievski (damjan) - Sunday, 08 January 2017, 17:39 GMT
Last edited by Jelle van der Waa (jelly) - Saturday, 05 January 2019, 14:42 GMT
Details
My suggestion is to enable, by default, Kernel module
signing. That is, the following options in the kernel:
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y

This change by default doesn't affect users in any way, but allows them if they want to enforce that only signed modules are loaded by using the `enforcemodulesig=1` kernel option.

For reference:
* the kernel docs https://static.lwn.net/kerneldoc/admin-guide/module-signing.html
* also the Gentoo wiki has it well explained https://wiki.gentoo.org/wiki/Signed_kernel_module_support
Closed by Jelle van der Waa (jelly)
Saturday, 05 January 2019, 14:42 GMT
Reason for closing: Implemented
Additional comments about closing:
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
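
A way to audit a kernel for the state this ticket asks for, as an added example that is not part of the ticket or of Arch's packaging: it parses kernel config text and reports whether module signing is disabled, permissive (signatures checked, unsigned modules still load) or enforcing. The function names are hypothetical, and the command-line check uses `module.sig_enforce`, the spelling in the current kernel documentation, which is an assumption relative to this page.

```python
import re

# Constructed sample: the option lines quoted in the ticket's closing comment.
SAMPLE_CONFIG = """\
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
"""

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text):
    """Map option name -> value; '# CONFIG_X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _SET.match(line.strip())
        u = _UNSET.match(line.strip())
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
        elif u:
            opts[u.group(1)] = "n"
    return opts


def cmdline_enforces(cmdline):
    """True if module.sig_enforce is switched on in a kernel command line."""
    for tok in cmdline.split():
        key, sep, val = tok.partition("=")
        # The kernel treats '-' and '_' in parameter names as equivalent.
        if key.replace("-", "_") == "module.sig_enforce" and (
                not sep or val[:1] in ("1", "y", "Y")):
            return True
    return False


def module_sig_posture(config_text, cmdline=""):
    """Return (mode, hash): mode is 'disabled', 'permissive' or 'enforcing'."""
    opts = parse_kconfig(config_text)
    if opts.get("CONFIG_MODULE_SIG") != "y":
        return ("disabled", None)
    algo = next((k[len("CONFIG_MODULE_SIG_"):].lower() for k, v in sorted(opts.items())
                 if k.startswith("CONFIG_MODULE_SIG_SHA") and v == "y"), None)
    forced = opts.get("CONFIG_MODULE_SIG_FORCE") == "y" or cmdline_enforces(cmdline)
    return ("enforcing" if forced else "permissive", algo)
```

On a running system the inputs would be the decompressed contents of `/proc/config.gz` (where the kernel exposes it) and the contents of `/proc/cmdline`.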