The approach I have been pursuing in Debian for packaging signed kernel modules is to instal the module signatures as separate files and to update module tools (kmod, initramfs-tools, etc.) to work with these. This is blocked on upstream acceptance in kmod, and it's not clear whether that's ever going to happen.

In the interim, while I've used my own build of kmod, I've noticed some problems with it:

- Since Debian still hasn't implemented reproducible builds - in particular, auto-builders don't use stable build directories - an exact-versioned package dependency still isn't strong enough to ensure that the installed module signatures match the installed modules. This isn't a practical problem for most people, but I often install a kernel binary package that I built locally and did not upload.

- While the versioned dependencies ensure that apt will try to upgrade linux-image-(version) and linux-image-(version)-signed together, the upgrade still might be aborted half-way through (e.g. due to lack of disk space), also resulting in invalid signatures.

So I think I have to abandon my current approach and instead do one of:

1. Attach module signatures at installation time, in a subdirectory. Change kmod to prefer this subdirectory (this is purely a configuration change). It would also be possible to check during installation that signatures match the installed unsigned modules, and if not then abort and leave any older signed modules in place.

2. Attach module signatures at package build time, making the linux-image-signed packages provide/conflict/replace the corresponding linux-image packages. For architectures with signed modules, udebs would be built from linux-signed and not from linux.

I intend to withdraw my proposed changes to kmod and dracut and to revert the change I already made in initramfs-tools. I don't think either of these approaches requires any changes in initramfs-tools or dracut.

They will require some changes in kernel udeb building, possibly in kernel-wedge or possibly only in linux and linux-signed.

Ben.

-- 
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding stump of a severed limb. - me, 29 June 1999
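Option 1 above amounts to two mechanical steps: append a detached signature blob to each unsigned module to produce a signed copy in a subdirectory, and do so all-or-nothing so that a half-finished run (the disk-full case) leaves the previously installed signed modules untouched. The following is an added example, not code from the message or from Debian's packaging, that shows both steps using the appended-signature layout the kernel's sign-file tool produces (PKCS#7 DER, then a 12-byte `module_signature` trailer, then the magic string `~Module signature appended~\n`). The module bodies and PKCS#7 blobs in `demo()` are constructed stand-ins, and the consistency check is structural only: it confirms the trailer and length fields are well-formed and the split round-trips, and does not cryptographically verify the PKCS#7 signature against the signing certificate (that is left to the kernel at load time or to an external verifier).

```python
import os
import shutil
import struct
import tempfile

# Trailer the kernel expects after the PKCS#7 blob (include/linux/module_signature.h).
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, __be32 sig_len
_SIG_INFO = struct.Struct(">BBBBB3xI")


def make_detached_signature(pkcs7_der: bytes) -> bytes:
    """Wrap a PKCS#7 blob the way sign-file appends it: blob + trailer + magic."""
    trailer = _SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return pkcs7_der + trailer + MODULE_SIG_STRING


def split_signed_module(data: bytes):
    """Split a signed module into (unsigned module bytes, detached signature bytes).
    Raises ValueError when the trailer is missing or inconsistent."""
    if not data.endswith(MODULE_SIG_STRING):
        raise ValueError("no module signature magic")
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < _SIG_INFO.size:
        raise ValueError("truncated signature trailer")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = _SIG_INFO.unpack(body[-_SIG_INFO.size:])
    # For PKCS#7 signatures the kernel requires the remaining trailer fields to be zero.
    if id_type != PKEY_ID_PKCS7 or (algo, hash_id, signer_len, key_id_len) != (0, 0, 0, 0):
        raise ValueError("unsupported signature trailer")
    sig_start = len(body) - _SIG_INFO.size - sig_len
    if sig_start < 0:
        raise ValueError("sig_len exceeds file size")
    return data[:sig_start], data[sig_start:]


def attach_signatures(unsigned_dir: str, sig_dir: str, signed_dir: str) -> list:
    """Build <signed_dir> from unsigned modules plus detached <name>.ko.sig files.

    All-or-nothing: modules are assembled in a temporary sibling directory and
    only renamed into place once every module has a well-formed signature.
    Any failure leaves a previous <signed_dir> exactly as it was."""
    parent = os.path.dirname(os.path.abspath(signed_dir))
    staging = tempfile.mkdtemp(prefix=".signed-", dir=parent)
    installed, old = [], None
    try:
        for name in sorted(os.listdir(unsigned_dir)):
            if not name.endswith(".ko"):
                continue
            with open(os.path.join(unsigned_dir, name), "rb") as f:
                module = f.read()
            sig_path = os.path.join(sig_dir, name + ".sig")
            if not os.path.exists(sig_path):
                raise ValueError(f"missing signature for {name}")
            with open(sig_path, "rb") as f:
                detached = f.read()
            signed = module + detached
            # Structural check: re-splitting must give back exactly what was joined.
            if split_signed_module(signed) != (module, detached):
                raise ValueError(f"malformed signature for {name}")
            with open(os.path.join(staging, name), "wb") as f:
                f.write(signed)
            installed.append(name)
        # Swap the finished tree in; the old tree is only removed after the new one is in place.
        if os.path.isdir(signed_dir):
            old = signed_dir + ".old"
            os.rename(signed_dir, old)
        os.rename(staging, signed_dir)
        if old:
            shutil.rmtree(old)
    except Exception:
        shutil.rmtree(staging, ignore_errors=True)
        if old and not os.path.exists(signed_dir):
            os.rename(old, signed_dir)  # restore the previous signed modules
        raise
    return installed


def demo() -> dict:
    """Constructed scenario: two fake modules install, then a third without a
    signature appears and the second run must abort leaving the first result intact."""
    root = tempfile.mkdtemp(prefix="modsig-demo-")
    unsigned, sigs, signed = (os.path.join(root, d) for d in ("unsigned", "sigs", "signed"))
    os.mkdir(unsigned)
    os.mkdir(sigs)
    # Stand-ins: real modules are ELF objects and real signatures are PKCS#7 DER.
    fake = {"a.ko": b"\x7fELF-fake-module-a", "b.ko": b"\x7fELF-fake-module-b"}
    for name, content in fake.items():
        with open(os.path.join(unsigned, name), "wb") as f:
            f.write(content)
        with open(os.path.join(sigs, name + ".sig"), "wb") as f:
            f.write(make_detached_signature(b"\x30\x82fake-pkcs7-for-" + name.encode()))
    first = attach_signatures(unsigned, sigs, signed)
    with open(os.path.join(signed, "a.ko"), "rb") as f:
        roundtrip = split_signed_module(f.read())[0] == fake["a.ko"]
    with open(os.path.join(unsigned, "c.ko"), "wb") as f:
        f.write(b"\x7fELF-fake-module-c")  # no matching c.ko.sig
    try:
        attach_signatures(unsigned, sigs, signed)
        aborted = False
    except ValueError:
        aborted = True
    survivors = sorted(os.listdir(signed))
    shutil.rmtree(root)
    return {"installed": first, "roundtrip": roundtrip, "aborted": aborted, "survivors": survivors}


if __name__ == "__main__":
    print(demo())
```

The directory rename is the point of the staging step: kmod would be pointed at the signed subdirectory, and because the new tree is only renamed into place after every module has passed the check, an interrupted or inconsistent run never leaves a mixture of old and new signed modules behind.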