Bug#1055433: key enrollment on non-EFI systems for `module.sig_enforce=1` kernel parameter

To: submit@bugs.debian.org
Subject: Bug#1055433: key enrollment on non-EFI systems for `module.sig_enforce=1` kernel parameter
From: Patrick Schleizer <adrelanos@whonix.org>
Date: Mon, 6 Nov 2023 00:09:00 +0000
Message-id: <[🔎] 3ca6afa8-83f1-435d-9f7d-94ccd90d60bf@whonix.org>
Reply-to: adrelanos@whonix.org, 1055433@bugs.debian.org

Package: src:linux
Severity: normal

Kernel module signature verification can be enabled using the`module.sig_enforce=1` kernel parameter on non-EFI systems.

On non-EFI systems, `mokutil` won't work. But then how could one enrollthe key without needing to recompile grub or the kernel?

Can `/var/lib/dkms/mok.pub` be enrolled using `keyctl`? Probably not. Asper kernel manual. [1]

> Note, however, that the kernel will only permit keys to be added to.builtin_trusted_keys if the new key's X.509 wrapper is validly signedby a key that is already resident in the .builtin_trusted_keys at thetime the key was added.


Upstream DKMS thinks DKMS is the wrong place to do this.

Cheers,
Patrick

[1] https://www.kernel.org/doc/html/v6.6/admin-guide/module-signing.html

[2] https://github.com/dell/dkms/issues/359

Reply to:

Prev by Date: Bug#1053503: Enable support for Renesas RZ/V2L, RZ/G2UL, and RZ/V2M
Next by Date: Processed: found 1039883 in 6.1.55-1
Previous by thread: linux-signed-arm64_6.5.10+1_source.changes ACCEPTED into unstable
Next by thread: Processed: found 1039883 in 6.1.55-1
Index(es):
- Date
- Thread