On Sun, 2019-03-31 at 12:05 +0100, Luca Boccassi wrote:
> On Sun, 2019-03-31 at 07:18 +0100, Steve McIntyre wrote:
> > Hey folks,
> >
> > I've extended and updated Lucas' initial SB page:
> >
> >   https://wiki.debian.org/SecureBoot
> >
> > to cover a lot more user-facing stuff. Please review...
>
> Hi,
>
> That looks great, thanks!
>
> Just one minor note:
>
> "This will block out-of-tree modules and DKMS-managed drivers like
> binary !NVidia graphics drivers. Again, you will need to disable SB or
> use and enrol your own key to make things work."
>
> AFAIK enrolling your own key for kernel modules does not work in Debian
> as of now, as the kernel does not import keys from DB/MOK into the
> keyring at boot, so only keys embedded at the kernel's build time are
> used to validate modules.
>
> There's a patch to enable that feature shipped in Ubuntu/RHEL, and
> IIRC something was proposed upstream but as of now nothing is merged:
>
> https://lkml.org/lkml/2016/11/16/527
> https://lkml.org/lkml/2018/2/28/1089
>
> (I think Ubuntu/RHEL carry patches from the former set to enable this
> feature)

I have successfully tested porting the patches from the former set, and
opened an MR for review on Salsa:

https://salsa.debian.org/kernel-team/linux/merge_requests/139

With this, the key added to MOK can be used to verify kernel modules, so
I am able to use bbswitch/nvidia on my optimus laptop with secure boot
enabled.

I tried the latter patchset, which got merged upstream as this series:

https://lkml.org/lkml/2018/12/8/218

But it requires IMA, which we disable as it doesn't quite work with the
lockdown set, and it's only for kexec at the moment, not for modules.

-- 
Kind regards,
Luca Boccassi
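An added check, not from this thread or the Debian kernel team, for the situation described above: whether the signer recorded in a module's signature is actually present in the kernel's trusted keyrings (which is what fails on a kernel that never imports MOK keys). It relies on the documented output of `modinfo -F signer` and `keyctl list`; the keyring listing below is a constructed sample with made-up key names and ids.

```shell
#!/bin/sh
# Added example, not part of the thread. Tests whether the signer named in a
# kernel module's signature is among the kernel's trusted keys. On a Debian
# kernel without the MOK-import patch, a key enrolled in MOK is never loaded,
# so a module signed with it fails this check even though mokutil lists the key.

# Constructed sample of `keyctl list %:.builtin_trusted_keys` output; the key
# names and ids are invented for illustration.
SAMPLE_KEYRING='2 keys in keyring:
 12345678: ---lswrv     0     0 asymmetric: Example Distro Secure Boot Signer 2018 - linux: 0123456789abcdef
 23456789: ---lswrv     0     0 asymmetric: Example Distro Secure Boot CA: fedcba9876543210'

# module_trusted SIGNER LISTING
# Exit 0 if a key whose description is exactly SIGNER appears in LISTING,
# 1 otherwise. Fixed-string match, so names containing regex metacharacters
# are compared literally; the trailing ':' anchors the full subject name.
module_trusted() {
    signer=$1
    listing=$2
    printf '%s\n' "$listing" | grep -qF -- "asymmetric: $signer:"
}

# check_module PATH_TO_MODULE.ko
# Live-system wrapper: reads the module's signer with modinfo and the builtin
# and secondary trusted keyrings with keyctl, then applies module_trusted.
# Exit 0 = signer trusted, 1 = signer not trusted, 2 = module unsigned/unreadable.
check_module() {
    signer=$(modinfo -F signer -- "$1" 2>/dev/null)
    [ -n "$signer" ] || return 2
    listing=$( { keyctl list %:.builtin_trusted_keys
                 keyctl list %:.secondary_trusted_keys; } 2>/dev/null )
    module_trusted "$signer" "$listing"
}
```

On a live system, `check_module` against a DKMS-built module signed with your MOK key returns 1 on an unpatched kernel and 0 once the kernel imports MOK keys; the `SAMPLE_KEYRING` only exists so the matching logic can be exercised offline.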