FS#75041 - [linux][config] kernel module signing with the Machine Owner Key on Secure Boot setups using shim
Attached to Project:
Arch Linux
Opened by Markus Zucker (irminsul) - Saturday, 11 June 2022, 18:30 GMT
Last edited by Jan Alexander Steffens (heftig) - Sunday, 09 October 2022, 02:36 GMT
Details
The Linux kernel can accept kernel modules which are signed by the Machine Owner Key (MOK) when using Secure Boot and the `MokListTrustedRT` EFI variable is set [1].

By applying the attached changes to kernel build configuration, Arch users would be able to sign out-of-tree modules (e.g. the NVIDIA driver) with their MOK (say, with a Pacman hook) instead of having to build a custom kernel. Note that this also requires an updated version of the shim bootloader [2]. The AUR currently only contains shim v15.4, but I expect that to be updated soon to address CVE-2022-28737 anyway [3].

See:
* [1] https://patchwork.kernel.org/project/keyrings/cover/20220126025834.255493-1-eric.snowberg@oracle.com/
* [2] https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
* [3] https://access.redhat.com/security/cve/cve-2022-28737
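A check that follows on from the request above, added here and not part of the bug report: once a hook has signed an out-of-tree module, this parses the trailer that the kernel's `scripts/sign-file` appends (PKCS#7 blob, `struct module_signature`, magic string) and applies the same sanity checks the kernel applies before it verifies the signature against the MOK. The sample module bytes are constructed and the PKCS#7 blob is a placeholder; the kernel, not this script, does the cryptographic verification.

```python
import struct

# Magic string sign-file appends after the PKCS#7 signature.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature (include/linux/module_signature.h), big-endian, 12 bytes:
# u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(blob: bytes):
    """Describe the appended signature of an uncompressed .ko image.

    Returns None for an unsigned module; raises ValueError when the trailer is
    malformed in a way the kernel would also reject (mod_check_sig). Modules
    shipped as .ko.zst/.ko.xz must be decompressed before calling this."""
    if not blob.endswith(MODULE_SIG_STRING):
        return None
    body = blob[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:]
    )
    body = body[: -SIG_INFO.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"not a PKCS#7 signature (id_type={id_type})")
    # With PKCS#7 the signer and key id live inside the blob; these must be 0.
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("PKCS#7 signature info has unexpected non-zero params")
    if sig_len >= len(body):
        raise ValueError("sig_len exceeds module size")
    pkcs7 = body[-sig_len:]
    return {"sig_len": sig_len, "pkcs7": pkcs7, "payload_len": len(body) - sig_len}


def build_signed_module(payload: bytes, pkcs7: bytes) -> bytes:
    """Constructed fixture laid out like sign-file output; pkcs7 is a placeholder."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return payload + pkcs7 + info + MODULE_SIG_STRING


if __name__ == "__main__":
    sample = build_signed_module(b"\x7fELF" + b"\x00" * 60, b"\x30\x82" + b"\xaa" * 30)
    print(parse_module_signature(sample))
    print(parse_module_signature(b"\x7fELF" + b"\x00" * 60))
```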
This task depends upon
Closed by Jan Alexander Steffens (heftig)
Sunday, 09 October 2022, 02:36 GMT
Reason for closing: Duplicate
Additional comments about closing: FS#75102
Needs CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT config.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1981449