
Bug#939773: linux-image-5.2.0-2-amd64: MOK key not used for verification of module signatures.

Package: src:linux
Version: 5.2.9-2
Severity: important

Dear Maintainer,

I've updated the kernel from 4.19 to 5.2, and the kernel stopped accepting modules
signed with the MOK key.

I have Secure Boot enabled on my system and have enrolled a generated MOK key. I use
some out-of-tree modules that use DKMS. In the previous version of the kernel
I was signing those modules with the MOK key, and they loaded just fine, as the MOK
key was loaded into the trusted keyring in the kernel.

After the kernel update, the MOK key gets inserted into the .platform keyring
(I see CONFIG_INTEGRITY_PLATFORM_KEYRING is set to true in the kernel config),
which apparently isn't used for validation of module signatures, so I'm unable
to load MOK-signed modules.

I would expect this to still work as the only option I have right now for
using DKMS modules is building and using my own kernel image... This is also
the method described in https://wiki.debian.org/SecureBoot.

I've found a related bug in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1701096. There are some links to
upstream patches, but I've just checked linux master and
kernel/module_signing.c is still using only secondary_trusted_keyring and
builtin_trusted_keyring to verify module signatures.

Thank you,
Marek Rusinowski
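A quick way to confirm the situation this report describes (which keyring a module's signer actually landed in, and whether that keyring is one module verification consults), as an added example that is not part of the report or of the Debian kernel packaging. The `keyctl show %:<keyring>` listings, subject names and fingerprints below are constructed, and the exact layout of `keyctl show` output that the regex expects is an assumption; on a real system the listings would come from `keyctl show` and the signer name from `modinfo -F signer <module>.ko`.

```python
import re
from typing import Dict, List, Tuple

# kernel/module_signing.c verifies against the builtin keyring and, via
# VERIFY_USE_SECONDARY_KEYRING, the secondary trusted keyring; the .platform
# keyring, where MOK keys land with CONFIG_INTEGRITY_PLATFORM_KEYRING, is not consulted.
MODULE_VERIFICATION_KEYRINGS = (".builtin_trusted_keys", ".secondary_trusted_keys")

# Constructed sample of `keyctl show %:<keyring>` output; subjects and fingerprints are made up.
SAMPLE_KEYCTL_SHOW: Dict[str, str] = {
    ".builtin_trusted_keys": (
        "Keyring\n"
        " 100000001 ---lswrv      0     0  keyring: .builtin_trusted_keys\n"
        " 100000002 ---lswrv      0     0   \\_ asymmetric: Debian Secure Boot CA: "
        "0123456789abcdef0123456789abcdef01234567\n"),
    ".secondary_trusted_keys": (
        "Keyring\n"
        " 100000003 ---lswrv      0     0  keyring: .secondary_trusted_keys\n"),
    ".platform": (
        "Keyring\n"
        " 100000004 ---lswrv      0     0  keyring: .platform\n"
        " 100000005 ---lswrv      0     0   \\_ asymmetric: Microsoft Corporation UEFI CA 2011: "
        "0123456789abcdef0123456789abcdef89abcdef\n"
        " 100000006 ---lswrv      0     0   \\_ asymmetric: My DKMS MOK: "
        "fedcba9876543210fedcba9876543210fedcba98\n"),
}

# One "\_ asymmetric: <subject>: <sha1 fingerprint>" entry in a keyctl listing (assumed layout).
KEY_LINE = re.compile(r"^\s*\d+\s+\S+\s+\d+\s+\d+\s+\\_\s+asymmetric:\s+(?P<subject>.+?):\s*"
                      r"(?P<fpr>[0-9a-fA-F]{40})\s*$")

def parse_keyctl_show(text: str) -> List[Tuple[str, str]]:
    """Return (subject, fingerprint) for every asymmetric key in one keyring listing."""
    return [(m.group("subject"), m.group("fpr").lower())
            for m in map(KEY_LINE.match, text.splitlines()) if m]

def keyrings_holding(signer: str, listings: Dict[str, str]) -> List[str]:
    """Keyrings holding a key whose subject equals the module's `modinfo -F signer` value."""
    return [name for name, text in listings.items()
            if any(subject == signer for subject, _ in parse_keyctl_show(text))]

def module_signer_trusted(signer: str, listings: Dict[str, str]) -> bool:
    """True only if the signer sits in a keyring that module verification actually uses."""
    return any(k in MODULE_VERIFICATION_KEYRINGS for k in keyrings_holding(signer, listings))

if __name__ == "__main__":  # sample run: the MOK key is present, but only in .platform
    for signer in ("Debian Secure Boot CA", "My DKMS MOK"):
        print(signer, keyrings_holding(signer, SAMPLE_KEYCTL_SHOW), module_signer_trusted(signer, SAMPLE_KEYCTL_SHOW))
```

For the constructed data the Debian CA is found in .builtin_trusted_keys and is trusted for modules, while the MOK key is found only in .platform and is not, which is exactly the failure mode the report describes.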
