Comments (2)
Hi,
From the documentation it follows that modules should be signed at install time, and that the public key should be embedded in the kernel during the build time. So, this can only work if you are building the kernel yourself and have enabled the necessary configuration options. In such a case, configuration and signing should be done in the PKGBUILD.
For the core linux and linux-lts Arch Linux kernels the kernel maintainers would need to configure and enable module signing using an Arch Linux key. Note that the Secure Boot keys and the module signing key need not be the same, so this would work. If you are interested in this, you could open a feature request at https://bugs.archlinux.org/.
from sbupdate.
@andreyv Yeah, it would also unfortunately break dkms if they did enable it. I could probably hack together a pkgbuild that would build a kernel that pulls your public key from an sbupdate cert and then signs with the key, but the hard part would be figuring out how to hook dkms to sign on kernel upgrades.
The problem with dkms for official Kernel package support is that if you could sign your own dkms modules, you would have to have Arch's private keys to sign them, so it's incompatible.
I was wondering, I guess, if it were possible to use sbupdate to apply a binary patch rather than a source patch to patch in the pubkey, but that would probably be pretty difficult.
from sbupdate.
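For anyone who does build a kernel with module signing and wants to confirm that DKMS-built modules were actually signed after an upgrade, here is an added example (not from the thread or from sbupdate) that parses the signature trailer the kernel appends to a signed module. The function names and sample bytes are constructed for illustration; it checks only that a well-formed PKCS#7 trailer is present, not that the signature verifies against a trusted key, and it expects the uncompressed module bytes.

```python
import struct

# Marker the kernel's sign-file tool appends after the signature trailer.
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then a big-endian 32-bit signature length (12 bytes total).
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(data: bytes):
    """Return trailer details for a signed module, None if unsigned.

    Raises ValueError when the marker is present but the trailer is malformed.
    """
    if not data.endswith(MAGIC):
        return None
    sig_end = len(data) - len(MAGIC) - TRAILER.size
    if sig_end < 0:
        raise ValueError("truncated signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack_from(data, sig_end)
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unexpected id_type {id_type}, expected PKCS#7")
    if algo or hash_ or signer_len or key_id_len:
        raise ValueError("non-zero legacy fields in PKCS#7 trailer")
    if sig_len == 0 or sig_len > sig_end:
        raise ValueError("signature length does not fit inside the module")
    return {"sig_len": sig_len, "payload_len": sig_end - sig_len}


def audit(modules: dict) -> dict:
    """Map each module name to 'signed', 'unsigned' or 'malformed: <reason>'."""
    report = {}
    for name, data in modules.items():
        try:
            report[name] = "signed" if parse_module_signature(data) else "unsigned"
        except ValueError as exc:
            report[name] = f"malformed: {exc}"
    return report


def fake_module(payload: bytes, sig: bytes, sig_len=None) -> bytes:
    """Build constructed test bytes laid out like a signed module."""
    n = len(sig) if sig_len is None else sig_len
    return payload + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, n) + MAGIC


if __name__ == "__main__":
    payload = b"\x7fELF" + b"\x00" * 60   # constructed, not a real module
    samples = {"signed.ko": fake_module(payload, b"\x30\x82" + b"\xaa" * 254),
               "dkms-unsigned.ko": payload}
    for name, status in audit(samples).items():
        print(f"{name}: {status}")
```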