pesign

Josh Boyer jwboyer at redhat.com
Fri Oct 19 00:42:19 UTC 2012


On Fri, Oct 19, 2012 at 01:35:25AM +0100, Mr Dash Four wrote:
> I seem to remember in one of the early 3.6-RC kernel versions there were provisions put in the .spec file to sign all kernel code and its modules using the above facility. I can't find this in the 3.6.1 or 3.6.2 versions of the kernel currently in the Fedora srpm files. Has this been dropped?

No.  It's only present in F18 and rawhide, but it's still there.

> On a related issue - if, for some reason, I am unable to deploy UEFI (disabled, so that Windows 8 won't prevent me from installing/using/booting up Linux) can I still sign the kernel and its modules and enforce these checks at startup with the bootloader (grub2)? Would that be possible? Thanks!

I'm guessing you meant "Secure Boot" and not "UEFI".  If so, the answer
is sort of.  grub2 won't check the kernel, but it will still be signed
if it's a 64-bit F18 or newer release kernel.  The modules will all be
signed regardless as that's done with a different key generated at
kernel build time.  There's a kernel parameter you can enable to force
the kernel into a "secure boot" mode.

Without the secure firmware, I'm not entirely sure why you'd want to do
that though.  It won't prevent bootloader-based attacks.  If you just
want signed modules, there's a different kernel parameter you can pass
to enforce signed modules.

josh

