On Sat, 2016-04-30 at 23:52 +0200, Santiago Vila wrote:
> On Sat, Apr 30, 2016 at 11:41:09PM +0200, Ben Hutchings wrote:
> > > > Yes, you must do that. Your custom kernel configuration should be
> > > > based on the appropriate file provided in linux-source-4.5. These have
> > > > the CONFIG_MODULE_SIG_ALL, CONFIG_MODULE_SIG_KEY and
> > > > CONFIG_SYSTEM_TRUSTED_KEYS settings removed so that custom kernels will
> > > > get modules signed by a one-time key.
> > > If I have to remove CONFIG_SYSTEM_TRUSTED_KEYS by hand, then the
> > > documentation is wrong.
> > [...]
> >
> > Oh, I see the problem. I didn't realise that the local{mod,yes}config
> > rules would (a) copy the config file from /boot or (b) keep the keyring
> > config symbols unchanged.
>
> Thanks a lot!
>
> I have a related question: I know that you spent some time making the
> linux-image build reproducible. If, by way of this module signing thing,
> the linux-image distributed by Debian is based on your key, does this
> not make the build unreproducible again?

The official packages are still reproducible. See
<https://www.decadent.org.uk/ben/talks/secure-boot-linux-package.pdf>

Ben.

-- 
Ben Hutchings
73.46% of all statistics are made up.
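The problem Ben describes above is a config copied from /boot that still carries the keyring symbols of the official build. The following is an added example, not from this thread or from Debian's packaging, of how one would inspect such a config and drop those symbols before running the kernel's own config targets. It assumes the config file is passed as a plain path; the key paths in the sample are constructed placeholders, not Debian's real values.

```shell
#!/bin/sh
# Added example (not from the thread or Debian's packaging): prepare a kernel
# .config copied from /boot for a custom build by removing the module-signing
# key settings that point at the original builder's key files.
# Assumption: the config is a Kconfig-style text file given as $1; the sample
# values used in demo() are constructed placeholders.

# The three symbols that tie a config to a particular builder's keys. Once they
# are absent, 'make olddefconfig' (or any other *config target) fills them in
# with the kernel's defaults, and the build generates a one-time signing key.
KEYRING_PATTERN='^CONFIG_(MODULE_SIG_ALL|MODULE_SIG_KEY|SYSTEM_TRUSTED_KEYS)='

# Print the keyring-related settings a config currently carries (may be empty).
keyring_settings() {
    grep -E "$KEYRING_PATTERN" "$1" || true
}

# Exit 0 when the config still names a key file; a custom build with such a
# setting refers to a file the local source tree does not have.
has_foreign_key_paths() {
    grep -q -E '^CONFIG_(MODULE_SIG_KEY|SYSTEM_TRUSTED_KEYS)="[^"]+"' "$1"
}

# Remove the three settings in place. Everything else, including
# CONFIG_MODULE_SIG itself, is kept; only the key references go.
strip_keyring_settings() {
    config="$1"
    tmp="$config.tmp"
    # grep -v exits 1 if nothing is left, which is still a valid result here.
    grep -v -E "$KEYRING_PATTERN" "$config" > "$tmp" || true
    mv "$tmp" "$config"
}

# Demo on a constructed config fragment (paths are placeholders, not Debian's).
demo() {
    dir=$(mktemp -d)
    cfg="$dir/config"
    cat > "$cfg" <<'EOF'
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_MODULE_SIG_KEY="/example/builder-signing-key.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="/example/builder-trusted-keys.pem"
CONFIG_MODULE_SIG_SHA256=y
EOF
    echo "before:"
    keyring_settings "$cfg"
    strip_keyring_settings "$cfg"
    echo "after:"
    keyring_settings "$cfg"
    if has_foreign_key_paths "$cfg"; then
        echo "config still names foreign key files"
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
}

demo
```

Inside a kernel source tree the same effect can be had with `scripts/config --file .config -u MODULE_SIG_KEY` (and likewise for the other two symbols) followed by `make olddefconfig`; the functions above only avoid depending on the tree being present.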