
Re: Updated Secure Boot docs in the wiki

On Sun, 2019-03-31 at 12:05 +0100, Luca Boccassi wrote:
> On Sun, 2019-03-31 at 07:18 +0100, Steve McIntyre wrote:
> > Hey folks,
> > 
> > I've extended and updated Lucas' initial SB page:
> > 
> > https://wiki.debian.org/SecureBoot
> > 
> > to cover a lot more user-facing stuff. Please review...
> 
> Hi,
> 
> That looks great, thanks!
> 
> Just one minor note:
> 
> "This will block out-of-tree modules and DKMS-managed drivers like
> binary !NVidia graphics drivers. Again, you will need to disable SB
> or use and enrol your own key to make things work."
> 
> AFAIK enrolling your own key for kernel modules does not work in Debian
> as of now, as the kernel does not import keys from DB/MOK into the
> keyring at boot, so only keys embedded at the kernel's build time are
> used to validate modules.
> 
> There's a patch to enable that feature shipped in Ubuntu/RHEL, and
> IIRC something was proposed upstream but as of now nothing is merged:
> 
> https://lkml.org/lkml/2016/11/16/527
> https://lkml.org/lkml/2018/2/28/1089
> 
> (I think Ubuntu/RHEL carry patches from the former set to enable this
> feature)

I have successfully tested porting the patches from the former set, and
opened an MR for review on Salsa:


With this, the key added to MOK can be used to verify kernel modules,
so I am able to use bbswitch/nvidia on my Optimus laptop with secure
boot enabled.

I tried the latter patchset, which got merged upstream as this series:
But it requires IMA, which we disable as it doesn't quite work with the
lockdown set, and it's only for kexec at the moment, not for modules.

Kind regards,
Luca Boccassi
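The thread above turns on which keyring the kernel consults when it verifies a module's appended signature. Before worrying about whether a MOK-enrolled key is visible to the kernel, it helps to confirm that the .ko actually carries an appended signature and what bytes that signature covers. The following is an added example, not code from the thread or from Debian's kernel packaging: a small Python parser for the trailer that `scripts/sign-file` appends to a module (the signature blob, a `struct module_signature` header, and the literal magic string `~Module signature appended~\n`), with the same sanity checks the kernel applies to PKCS#7-type signatures. The sample module bytes it builds are constructed for illustration and carry no real signature.

```python
"""Inspect the appended-signature trailer of a Linux kernel module (.ko).

Layout at the end of a signed module, as written by scripts/sign-file:
    [module payload][signature][struct module_signature][MODULE_SIG_STRING]
The payload is what the signature actually covers; the key that signed it
must be on a keyring the kernel trusts for module verification.
"""
import hashlib
import struct
import sys

MODULE_SIG_STRING = b"~Module signature appended~\n"

# struct module_signature {
#     u8 algo, hash, id_type, signer_len, key_id_len, __pad[3];
#     __be32 sig_len;
# };
SIG_STRUCT = struct.Struct(">BBBBB3sI")

PKEY_ID_PGP, PKEY_ID_X509, PKEY_ID_PKCS7 = 0, 1, 2
PKEY_ID_NAMES = {PKEY_ID_PGP: "PGP", PKEY_ID_X509: "X509", PKEY_ID_PKCS7: "PKCS7"}


def parse_module_signature(data: bytes) -> dict:
    """Return a description of the appended signature, or {'signed': False}."""
    if not data.endswith(MODULE_SIG_STRING):
        return {"signed": False}

    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("module too short to hold a module_signature header")

    algo, hash_alg, id_type, signer_len, key_id_len, pad, sig_len = \
        SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    body = body[: -SIG_STRUCT.size]

    total = signer_len + key_id_len + sig_len
    if total > len(body):
        raise ValueError("signature lengths exceed the file size")

    # The kernel rejects PKCS#7 trailers whose legacy fields are non-zero
    # (the signer and key id live inside the PKCS#7 blob instead).
    if id_type == PKEY_ID_PKCS7 and (algo or hash_alg or signer_len
                                     or key_id_len or pad != b"\0\0\0"):
        raise ValueError("malformed PKCS#7 module_signature header")

    payload = body[: len(body) - total]
    tail = body[len(body) - total:]
    signer = tail[:signer_len]
    key_id = tail[signer_len:signer_len + key_id_len]
    signature = tail[signer_len + key_id_len:]

    return {
        "signed": True,
        "id_type": PKEY_ID_NAMES.get(id_type, f"unknown({id_type})"),
        "signer": signer.decode("ascii", "replace"),
        "key_id": key_id.hex(),
        "sig_len": len(signature),
        "payload_len": len(payload),
        # Fingerprint of the bytes the signature covers (the unsigned module).
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }


def strip_signature(data: bytes) -> bytes:
    """Return the module bytes without the appended signature trailer."""
    info = parse_module_signature(data)
    if not info["signed"]:
        return data
    return data[: info["payload_len"]]


def build_sample_module(payload: bytes, fake_sig: bytes) -> bytes:
    """Construct a fake signed module for demonstration (not a valid signature)."""
    header = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(fake_sig))
    return payload + fake_sig + header + MODULE_SIG_STRING


if __name__ == "__main__":
    # Usage: python3 modsig.py /lib/modules/$(uname -r)/kernel/.../foo.ko
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path:
        with open(path, "rb") as fh:
            print(parse_module_signature(fh.read()))
    else:
        sample = build_sample_module(b"\x7fELF-constructed-module-bytes",
                                     b"\x30\x05\x02\x01\x00\x05\x00")
        print(parse_module_signature(sample))
```

Running it against a real module and comparing the result with `modinfo -F sig_key` and the keys listed by `keyctl show %:.builtin_trusted_keys` (and, on kernels that import MOK, the platform keyring) shows directly whether the signing key is one the running kernel will accept.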
