kernel private key
James Wilkinson
fedora at aprilcottage.co.uk
Tue Nov 27 21:57:36 UTC 2012
Jared K. Smith wrote:
> Yes, as I understand it the kernel key is used for module signing.
> The most obvious new use for module signing is Secure Boot, so
> that the kernel will only load modules signed with its key.
JD wrote:
> If what you say is true, then the kernel config option
> CONFIG_MODVERSIONS which is used for:
> "Usually, you have to use modules compiled with your kernel.
> Saying Y here makes it sometimes possible to use modules
> compiled for different kernels, by adding enough information
> to the modules to (hopefully) spot any changes which would
> make them incompatible with the kernel you are running. If
> unsure, say N."
>
> will have to be removed
Module signing is not going to be a mandatory part of building the Linux
kernel (not least because it slows down the process of building kernels,
which is something kernel developers do a lot.)
Even if the modules are signed, that doesn’t mean that the kernel will
necessarily check the signatures. For example,
https://lwn.net/Articles/470906/ says that “the option of building a
kernel that will only allow modules that have been cryptographically
signed to be loaded … has been running in Fedora and RHEL kernels for
years.”
I presume that this option will be forced on if you’re booting in Secure
Boot mode, otherwise you will be able to enable it with something like
enforcemodulesig=1 on the kernel command line.
Hope this helps,
James.
--
E-mail: james@ | A: Because people don’t normally read bottom to top.
aprilcottage.co.uk | Q: Why is top-posting such a bad thing?
| A: Top-posting.
| Q: What is the most annoying thing in e-mail and usenet?
More information about the users
mailing list