FS#52446 - [linux] RFE: enable kernel module signing

Attached to Project: Arch Linux
Opened by Damjan Georgievski (damjan) - Sunday, 08 January 2017, 17:39 GMT
Last edited by Jelle van der Waa (jelly) - Saturday, 05 January 2019, 14:42 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

My suggestion is to enable, by default, Kernel module signing. That is, the following options in the kernel:

CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_SHA512=y

By default this change doesn't affect users in any way, but it allows them, if they want, to enforce that only signed modules are loaded by using the `enforcemodulesig=1` kernel option.



For reference:
* the kernel docs https://static.lwn.net/kerneldoc/admin-guide/module-signing.html
* also the Gentoo wiki has it well explained https://wiki.gentoo.org/wiki/Signed_kernel_module_support

Closed by  Jelle van der Waa (jelly)
Saturday, 05 January 2019, 14:42 GMT
Reason for closing:  Implemented
Additional comments about closing:
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
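
An added example, not part of the ticket or of Arch's packaging: a shell check that reads a kernel config, reports the module-signing posture the options above produce, and tests whether an uncompressed module file carries the kernel's appended-signature marker. The function names and the sample config (copied from the closing comment) are this example's own; with `force=n`, unsigned modules still load unless enforcement is requested at boot, as the request describes.

```shell
#!/bin/sh
# Added example: audit module-signing options in a kernel .config.

# Constructed sample input: the options quoted in the closing comment.
sample_config() {
    cat <<'EOF'
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
EOF
}

# Print the value of CONFIG_<$1> from config text on stdin, or "n" when the
# option is absent or commented out ("# CONFIG_X is not set").
cfg_value() {
    v=$(sed -n "s/^CONFIG_$1=//p" | head -n 1)
    printf '%s\n' "${v:-n}"
}

# Summarise the signing posture of the config file given as $1.
sig_posture() {
    hash=none
    for h in SHA1 SHA224 SHA256 SHA384 SHA512; do
        if [ "$(cfg_value "MODULE_SIG_$h" < "$1")" = y ]; then hash=$h; fi
    done
    printf 'sig=%s all=%s force=%s hash=%s\n' \
        "$(cfg_value MODULE_SIG < "$1")" \
        "$(cfg_value MODULE_SIG_ALL < "$1")" \
        "$(cfg_value MODULE_SIG_FORCE < "$1")" \
        "$hash"
}

# Return 0 if the module file $1 ends with the 28-byte marker the kernel's
# signing step appends. Compressed modules must be decompressed first.
has_sig_trailer() {
    tail -c 28 "$1" | grep -qaxF -- '~Module signature appended~'
}

# Demo on the constructed sample.
demo=$(mktemp) && sample_config > "$demo" && sig_posture "$demo"
rm -f "$demo"
```

On a live system, point `sig_posture` at the running kernel's config (for example a decompressed copy of `/proc/config.gz`, where the kernel exposes it).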
