Comments (6)
critkitten
commented on September 17, 2024
As far as I understand sbctl does not support signing of kernel modules.
If you want to know more checkout #85
To disable signature check of kernel module you can set the following kernel cmdline:
module.sig_enforce=0
But Secureboot usually means that lockdown=confidentiality is on which in turn means module signature also.
Under archlinux I have not been able to run secureboot with an Nvidia card. Under Debian it works because only mok is used there and the kernel are official signed archlinux not.
The difference between mok and sbctl you can read in the above linked article. I did not understand it until today. But you can´t use both.
Perhaps someone can clarify this in a short sentence.
from sbctl.
jyash8
commented on September 17, 2024
As far as I know nvidia kernel module has been open sourced so if the kernel module could be embedded in kernel and then made unified kernel image and signed would it then work
from sbctl.
IPlayZed
commented on September 17, 2024
Under archlinux I have not been able to run secureboot with an Nvidia card. Under Debian it works because only mok is used there and the kernel are official signed archlinux not.
This is interesting, I had no such problem. I think the kernel is not built with lockdown enabled, so unless you specify lockdown=confidentiality and add lockdown to lsm=..., there is no reason why it should force itself. When I had an Nvidia card, I could do it easily.
lockdown forces module.sig_enforce=1 AFAIK.
The difference between mok and sbctl you can read in the above linked article. I did not understand it until today. But you can´t use both.
Why not? Sign the shim, boot the shim, which launches the MOK process of validating stuff.
This page explaining it simply.
from sbctl.
IPlayZed
commented on September 17, 2024
As far as I know nvidia kernel module has been open sourced so if the kernel module could be embedded in kernel and then made unified kernel image and signed would it then work
That is not really the case, again the question if it signed by the same key as the one used to sign the kernel. If you build your own kernel, sign the kernel module with that, it will not be rejected.
from sbctl.
IPlayZed
commented on September 17, 2024
@jyash8 Do you mind closing the issue, if my answers were sufficient?
from sbctl.
IPlayZed
commented on September 17, 2024
As far as I know nvidia kernel module has been open sourced so if the kernel module could be embedded in kernel and then made unified kernel image and signed would it then work
That is not really the case, again the question if it signed by the same key as the one used to sign the kernel. If you build your own kernel, sign the kernel module with that, it will not be rejected.
It looks like Nvidia will add upstream support for the official kernel modules, so in the future you will be able to use it without any hassle, if you have the right hardware.
from sbctl.
Related Issues (20)
- Disable landlock required for migration HOT 14
- `sbctl setup --migrate` results in empty file database HOT 2
- /var/lib/sbctl already exists HOT 1
- sbctl requires root to run: open /usr/share: permission denied HOT 10
- Configuration migration: /var/lib/sbctl already exists! HOT 11
- sbctl --migrate still saying "old configuration detected" HOT 3
- sbctl requires root to run: mkdir /var/lib/sbctl: permission denied HOT 2
- Landlock sandbox prevents signing binaries HOT 4
- Failing test from vendored go HOT 1
- Issue with sbctl sign-all -g bundle generation HOT 4
- /boot fails to mount after migrate HOT 11
- signing and listing bundles fails with "permission denied" although files exist and executed with sudo HOT 2
- Cosmetic problem: sbctl is telling me to migrate the config whilst I'm migrating the config. HOT 1
- `rotate-keys` seems to enroll keys without vendor certificates/TPM Eventlog checksums HOT 8
- `sign-all` no longer updates already signed output files if input files change HOT 12
- sbctl messed up after running "sbctl setup --migrate" HOT 2
- Image signature/verification fails if PK or KEK are missing
- Support drop-in configs HOT 1
- Already signed file doesn't appear in database, can't add it either HOT 4
- enroll-keys --microsoft seems to enroll more microsoft keys than necessary for Option ROM HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sbctl.