Jared K. Smith wrote:
Yes, as I understand it the kernel key is used for module signing.
The most obvious new use for module signing is Secure Boot, so
that the kernel will only load modules signed with its key.

JD wrote:
If what you say is true, then the kernel config option
CONFIG_MODVERSIONS which is used for:
"Usually, you have to use modules compiled with your kernel.
Saying Y here makes it sometimes possible to use modules
compiled for different kernels, by adding enough information
to the modules to (hopefully) spot any changes which would
make them incompatible with the kernel you are running. If
unsure, say N."
will have to be removed.

Module signing is not going to be a mandatory part of building the Linux
kernel (not least because it slows down the process of building kernels,
which is something kernel developers do a lot.)
Even if the modules are signed, that doesn’t mean that the kernel will
necessarily check the signatures. For example,
https://lwn.net/Articles/470906/ says that “the option of building a
kernel that will only allow modules that have been cryptographically
signed to be loaded … has been running in Fedora and RHEL kernels for
years.”
I presume that this option will be forced on if you’re booting in Secure
Boot mode, otherwise you will be able to enable it with something like
enforcemodulesig=1 on the kernel command line.
Hope this helps,
James.
--
E-mail: james@ | A: Because people don’t normally read bottom to top.
aprilcottage.co.uk | Q: Why is top-posting such a bad thing?
| A: Top-posting.
| Q: What is the most annoying thing in e-mail and usenet?
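
Added example, not part of the thread: a shell check that separates the three things discussed above (whether a kernel understands module signatures, whether it refuses unsigned modules, and whether CONFIG_MODVERSIONS is set). The names CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE and module.sig_enforce are the mainline kernel's, not taken from the thread; the sample config and command lines are constructed.

```shell
#!/bin/sh
# Added example: classify a kernel's module-signature posture from its build
# config and boot command line. Option names are mainline ones (assumption).

config_enabled() {   # config_enabled FILE NAME -> true if CONFIG_NAME=y
    grep -qx "CONFIG_$2=y" "$1"
}

module_sig_posture() {   # module_sig_posture CONFIG_FILE CMDLINE_FILE
    cfg=$1 cmdline=$2 sig=unsupported mv=n
    if config_enabled "$cfg" MODULE_SIG; then
        sig=permissive              # signatures understood, not required
        if config_enabled "$cfg" MODULE_SIG_FORCE; then
            sig=enforced            # build-time enforcement
        else
            for arg in $(cat "$cmdline"); do
                case $arg in
                    module.sig_enforce|module.sig_enforce=1|module.sig_enforce=y)
                        sig=enforced ;;   # boot-time enforcement
                esac
            done
        fi
    fi
    # MODVERSIONS is an ABI-compatibility check, independent of signing.
    if config_enabled "$cfg" MODVERSIONS; then mv=y; fi
    echo "sig=$sig modversions=$mv"
}

# Constructed sample inputs (not taken from any real system).
demo_dir=$(mktemp -d)
printf 'CONFIG_MODULES=y\nCONFIG_MODVERSIONS=y\nCONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n' > "$demo_dir/config"
printf 'ro root=/dev/sda1 quiet\n' > "$demo_dir/cmdline.plain"
printf 'ro root=/dev/sda1 module.sig_enforce=1\n' > "$demo_dir/cmdline.enforce"

module_sig_posture "$demo_dir/config" "$demo_dir/cmdline.plain"
module_sig_posture "$demo_dir/config" "$demo_dir/cmdline.enforce"
```

On a live system the two inputs would typically be /boot/config-$(uname -r) and /proc/cmdline.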