Secure boot and packaging third-party kernel modules

Josh Boyer jwboyer at fedoraproject.org
Fri May 29 16:11:57 UTC 2015


On Fri, May 29, 2015 at 11:57 AM, Sérgio Basto <sergio at serjux.com> wrote:
> On Fri, 2015-05-29 at 09:28 -0400, Josh Boyer wrote:
>> On Fri, May 29, 2015 at 9:19 AM, Sérgio Basto <sergio at serjux.com> wrote:
>> > On Fri, 2015-05-29 at 08:54 -0400, Josh Boyer wrote:
>> >> On Fri, May 29, 2015 at 8:40 AM, David Sommerseth <davids at redhat.com> wrote:
>> >> > On 28/05/15 17:45, Josh Boyer wrote:
>> >> >> On Thu, May 28, 2015 at 11:26 AM, David Sommerseth <davids at redhat.com> wrote:
>> >> >>>
>> >> >>> Hi,
>> >> >>>
>> >> >>> I've started poking into packaging the mhvtl project for Fedora and
>> >> >>> EPEL.  This package also contains a kernel module, which normally works
>> >> >>> fine - until you hit Secure Boot.
>> >> >>>
>> >> >>> So I was wondering how to handle this the best way.  AFAIK, there are
>> >> >>> currently no plans to get the mhvtl.ko kernel module into the upstream
>> >> >>> kernel.
>> >> >>
>> >> >> Where can I read more information on this project, and why that might be?
>> >> >
>> >> > Duh!  I'm so into this I forget to add better project info ...
>> >> >
>> >> > <https://sites.google.com/site/linuxvtl2/>
>> >>
>> >> Sorry, I should have been more explicit in my question.  I found the
>> >> site by googling of course, but I was curious if you had pointers to
>> >> reasoning/discussion around why the kernel module won't be pushed
>> >> upstream.
>> >>
>> >> >> It is worth noting that Fedora does not allow packages other than the
>> >> >> kernel to ship kernel modules.
>> >> >
>> >> > Oh, I was not aware of that.  But compiling a kernel module "on-the-fly"
>> >> > is acceptable for Fedora?
>> >>
>> >> Kinda.  Packages that do that exist.  We know they exist.  We assume
>> >> the people maintaining them are going to be polite and deal with
>> >> issues.
>> >
>> > This is a good subject for RPMFusion and all its kmods ..., but I
>> > really don't have time to think about it.
>> >
>> > In Ask we got examples of kmods signed for VirtualBox under Secure
>> > Boot:
>> >
>> > https://ask.fedoraproject.org/en/question/68285/best-way-to-install-virtualbox/?answer=68413#post-id-68413
>> >
>> > https://ask.fedoraproject.org/en/question/34470/virtual-box-on-fedora-19-fails-to-start-a-vm/?answer=59222#post-id-59222
>> >
>> > It seems possible to ship kernel modules on the fly since the Fedora
>> > kernel package also does it (it seems), I read that somewhere.
>>
>> Er... no we don't.  The kernel package provides all its modules
>> already built.  It doesn't build any on the fly after it is installed.
>> I'm not sure where you read that.
>
> Sorry, I meant, the kernel package signs (the kernel modules) on the
> fly?  That is what we need: we need to build a package and sign the
> kernel modules in that build.

Ah, yes.  The kernel modules are signed using an auto-generated cert
during the kernel build.  However, that doesn't help third party
modules at all.  The auto-generated cert is discarded when the kernel
package build completes and isn't available for use outside of the
koji buildroot for that specific kernel build.

So at the time the kernel package is installed, the modules are
already signed but the cert that was used is long since deleted.  If
one were to install kernel-devel and rebuild a module, it would
auto-generate a new cert and use that to sign, but the installed
kernel doesn't trust that cert.  That is why David's plan, while
complicated, is necessary.

josh
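To see the situation Josh describes on a real module, the useful check is not "is it signed?" but "which key signed it, and does the running kernel trust that key?". The following is an added example, not code from the thread, from the Fedora kernel package or from mhvtl. It parses the trailer that scripts/sign-file appends to a .ko (the `~Module signature appended~` magic preceded by `struct module_signature`), reports the signer name and key id, and compares the key id against a list of trusted ids. The key ids, signer strings and signature bytes in the sample data are constructed placeholders; no real RSA signature is computed or verified.

```python
"""Inspect the signature trailer that scripts/sign-file appends to a .ko.

Added example for the thread above; not part of the Fedora kernel package
or of mhvtl.  It only parses the trailer layout, it does not verify the
RSA signature itself.
"""
import struct

# MODULE_SIG_STRING, the 28-byte magic that ends every signed module.
MODULE_SIG_STRING = b"~Module signature appended~\n"

# struct module_signature: u8 algo, hash, id_type, signer_len, key_id_len,
# u8 __pad[3], __be32 sig_len.  Big-endian, 12 bytes, placed just before
# the magic string.  The signer name, key id and signature data precede it.
SIG_STRUCT = struct.Struct(">BBBBB3xI")

PKEY_ID_X509 = 1   # 2015-era format: signer name and key id stored inline
PKEY_ID_PKCS7 = 2  # later format: signer info lives inside the PKCS#7 blob

PKEY_ALGO = {1: "rsa"}
HASH_ALGO = {2: "sha1", 4: "sha256", 6: "sha512"}


def parse_module_signature(data):
    """Return a dict describing the trailer, or None if the module is unsigned.

    Raises ValueError when the magic is present but the lengths do not fit
    the file, which is how a truncated or tampered module shows up.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return None
    rest = data[:-len(MODULE_SIG_STRING)]
    if len(rest) < SIG_STRUCT.size:
        raise ValueError("trailer too short for struct module_signature")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        rest[-SIG_STRUCT.size:])
    rest = rest[:-SIG_STRUCT.size]
    blob_len = signer_len + key_id_len + sig_len
    if blob_len == 0 or blob_len > len(rest):
        raise ValueError("signature lengths do not fit the module file")
    split = len(rest) - blob_len
    module_body, blob = rest[:split], rest[split:]
    signer = blob[:signer_len]
    key_id = blob[signer_len:signer_len + key_id_len]
    return {
        "algo": PKEY_ALGO.get(algo, "unknown(%d)" % algo),
        "hash": HASH_ALGO.get(hash_id, "unknown(%d)" % hash_id),
        "id_type": id_type,
        "signer": signer.decode("utf-8", "replace"),
        "key_id": key_id.hex(),
        "sig_len": sig_len,
        "module_len": len(module_body),
    }


def signed_by_trusted_key(info, trusted_key_ids):
    """True only if the module names a key id that the kernel keyring holds."""
    if info is None:
        return False
    return info["key_id"] in {k.lower() for k in trusted_key_ids}


def append_fake_trailer(module, signer, key_id, signature, id_type=PKEY_ID_X509):
    """Build a module with the same trailer layout sign-file produces.

    algo=1 (RSA) and hash=4 (SHA-256) as used by the kernel; the signature
    bytes are whatever the caller passes, so this is for exercising the
    parser offline, not for producing a loadable module.
    """
    header = SIG_STRUCT.pack(1, 4, id_type, len(signer), len(key_id), len(signature))
    return module + signer + key_id + signature + header + MODULE_SIG_STRING


if __name__ == "__main__":
    # Constructed sample data: hypothetical key ids and a placeholder ELF body.
    kernel_key = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
    ephemeral_key = bytes.fromhex("fedcba9876543210fedcba9876543210fedcba98")
    body = b"\x7fELF placeholder module body"
    installed = append_fake_trailer(body, b"Fedora kernel signing key",
                                    kernel_key, b"\x00" * 256)
    rebuilt = append_fake_trailer(body, b"Build time autogenerated kernel key",
                                  ephemeral_key, b"\x00" * 256)
    trusted = [kernel_key.hex()]  # what the installed kernel's keyring holds
    for name, blob in (("installed", installed), ("rebuilt", rebuilt)):
        info = parse_module_signature(blob)
        print(name, info["signer"], info["key_id"],
              "trusted" if signed_by_trusted_key(info, trusted) else "NOT trusted")
```

On a real system the same two fields come from `modinfo -F signer` and `modinfo -F sig_key` on the .ko, and the ids the kernel actually trusts from `keyctl list %:.system_keyring` (kernels of that era); a module rebuilt from kernel-devel will show a signer and key id that appear nowhere in that keyring, which is exactly why it fails to load under Secure Boot.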
