On Fri, Oct 19, 2012 at 01:35:25AM +0100, Mr Dash Four wrote:
> I seem to remember in one of the early 3.6-RC kernel versions there
> were provisions put in the .spec file to sign all kernel code and its modules using the
> above facility. I can't find this in the 3.6.1 or 3.6.2 versions of the kernel
> currently in the Fedora srpm files. Has this been dropped?

No. It's only present in F18 and rawhide, but it's still there.

> On a related issue - if, for some reason, I am unable to deploy UEFI
> (disabled, so that Windows 8 won't prevent me from installing/using/booting up Linux)
> can I still sign the kernel and its modules and enforce these checks at startup with the
> bootloader (grub2)? Would that be possible? Thanks!

I'm guessing you meant "Secure Boot" and not "UEFI". If so, the answer
is sort of. grub2 won't check the kernel, but it will still be signed
if it's a 64-bit F18 or newer release kernel. The modules will all be
signed regardless as that's done with a different key generated at
kernel build time. There's a kernel parameter you can enable to force
the kernel into a "secure boot" mode.
Without the secure firmware, I'm not entirely sure why you'd want to do
that though. It won't prevent bootloader-based attacks. If you just
want signed modules, there's a different kernel parameter you can pass
to enforce signed modules.
josh