fix: enable IMA so MOK-signed modules load under Secure Boot #863
Open
mbocevski wants to merge 1 commit into
Conversation
linux-cachyos builds with IMA disabled, so arch_ima_get_secureboot() is a stub that returns false and load_uefi_certs() returns before load_moklist_certs(). MOK keys are never loaded into the .machine keyring, so MOK-signed modules (DKMS: openrazer, nvidia-dkms, etc.) cannot load under Secure Boot.

Enable IMA in the config of all kernel variants, matching the Fedora packaging fix in copr-linux-cachyos (a0407947).

The arch IMA policy is only loaded when Secure Boot is enabled (arch_get_ima_policy() gates on arch_ima_get_secureboot()), so non-Secure-Boot systems are unaffected. Under Secure Boot it adds measure rules and calls set_module_sig_enforced()/set_kexec_sig_enforced(): it requires signed modules/kexec images. On a Secure Boot setup already running lockdown=integrity this is a no-op (lockdown enforces the same); on Secure Boot without lockdown it newly enforces signed modules.

Closes CachyOS#862
Enables IMA across all kernel variants so MOK keys get loaded into the `.machine` keyring. Without it, `arch_ima_get_secureboot()` is a stub that returns false, `load_uefi_certs()` returns before `load_moklist_certs()`, and MOK-signed DKMS modules (e.g. openrazer) can't load under Secure Boot. Same change already done for the Fedora packaging in copr-linux-cachyos (a0407947).

Scope of the behavior change: the arch IMA policy is only loaded when Secure Boot is enabled (`arch_get_ima_policy()` gates on `arch_ima_get_secureboot()`), so non-Secure-Boot systems are unaffected. Under Secure Boot it adds `measure` rules and calls `set_module_sig_enforced()`/`set_kexec_sig_enforced()`, i.e. it requires signed modules/kexec images. On a Secure Boot setup already running `lockdown=integrity` that is a no-op (lockdown enforces the same thing); on Secure Boot without lockdown it newly enforces signed modules. This kernel does not auto-enter lockdown under Secure Boot (LOCK_DOWN_KERNEL_FORCE_NONE), so that case is worth a heads-up.

Done as a config change in every variant (the resolved IMA block), matching how config options are flipped here (e.g. #836). b2sums/.SRCINFO still need regenerating with srcinfo.sh.

Tested on 7.0.10-2: `.machine` is populated and the previously-blocked modules load. Full writeup and logs in #862.

Docs: a companion wiki section (DKMS/MOK module signing under Secure Boot) is drafted in CachyOS/wiki#482, blocked on this PR.
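The chain of conditions the PR describes (Secure Boot on, CONFIG_IMA built in, MOK certificates present in the `.machine` keyring) can be checked from user space. The script below is an added example written for this page; it is not part of the PR or of the linux-cachyos repository. It assumes the kernel config is readable from `/proc/config.gz` (CONFIG_IKCONFIG_PROC) or `/boot/config-$(uname -r)`, that `mokutil --sb-state` prints "SecureBoot enabled"/"SecureBoot disabled", and that keyutils' `keyctl show %:.machine` lists keys one per line with an `asymmetric:` type tag. The sample inputs embedded for offline runs are constructed, not captured from a real machine; `sh check-mok.sh live` runs the same checks against the running system.

```shell
#!/bin/sh
# Added example (not from the PR or linux-cachyos): diagnose why MOK-signed
# modules refuse to load under Secure Boot. Every check is a function over
# text so it can run offline; `live_check` gathers real inputs when the
# script is invoked as:  sh check-mok.sh live

# 0 if the kernel config has IMA built in (the option this PR flips).
ima_enabled() {
    grep -qx 'CONFIG_IMA=y'
}

# 0 if `mokutil --sb-state` output says Secure Boot is on.
secureboot_on() {
    grep -q 'SecureBoot enabled'
}

# Prints the number of asymmetric keys in `keyctl show %:.machine` output and
# returns 0 if there is at least one; MOK certificates land here only when
# load_moklist_certs() actually ran.
machine_keys() {
    n=$(grep -c 'asymmetric:' || true)   # grep -c prints 0 (exit 1) on no match
    echo "$n"
    [ "$n" -gt 0 ]
}

# diagnose CONFIG_FILE SBSTATE_FILE KEYCTL_FILE
# Exit codes: 0 = MOK keys are in .machine, MOK-signed modules can load
#             2 = Secure Boot off: the kernel does not trust MOK without it
#             3 = CONFIG_IMA unset: arch_ima_get_secureboot() is a stub that
#                 returns false, so load_uefi_certs() never loads MokListRT
#             4 = IMA and Secure Boot on but .machine still empty (other cause)
diagnose() {
    if ! secureboot_on < "$2"; then
        echo "Secure Boot is off; MOK keys are not loaded in that case"
        return 2
    fi
    if ! ima_enabled < "$1"; then
        echo "CONFIG_IMA is not set: arch_ima_get_secureboot() is a stub, MOK keys are never loaded"
        return 3
    fi
    keys=$(machine_keys < "$3") || {
        echo ".machine keyring is empty although IMA and Secure Boot are on"
        return 4
    }
    echo ".machine keyring holds $keys key(s); MOK-signed modules can load"
    return 0
}

# Constructed sample inputs (not captured from a real machine) for offline runs.
SAMPLE_CONFIG_IMA_ON='CONFIG_MODULE_SIG=y
CONFIG_IMA=y
CONFIG_IMA_ARCH_POLICY=y'
SAMPLE_CONFIG_IMA_OFF='CONFIG_MODULE_SIG=y
# CONFIG_IMA is not set'
SAMPLE_SB_ON='SecureBoot enabled'
SAMPLE_SB_OFF='SecureBoot disabled'
SAMPLE_KEYS_EMPTY='Keyring
 123456789 ---lswrv      0     0  keyring: .machine'
SAMPLE_KEYS_MOK='Keyring
 123456789 ---lswrv      0     0  keyring: .machine
 987654321 ---lswrv      0     0   \_ asymmetric: Machine Owner Key: example: 0123456789abcdef'

# demo SCENARIO  (ok | no_ima | sb_off | empty): runs diagnose over the samples.
demo() {
    case "$1" in
        ok)     cfg=$SAMPLE_CONFIG_IMA_ON;  sb=$SAMPLE_SB_ON;  ktext=$SAMPLE_KEYS_MOK ;;
        no_ima) cfg=$SAMPLE_CONFIG_IMA_OFF; sb=$SAMPLE_SB_ON;  ktext=$SAMPLE_KEYS_EMPTY ;;
        sb_off) cfg=$SAMPLE_CONFIG_IMA_OFF; sb=$SAMPLE_SB_OFF; ktext=$SAMPLE_KEYS_EMPTY ;;
        empty)  cfg=$SAMPLE_CONFIG_IMA_ON;  sb=$SAMPLE_SB_ON;  ktext=$SAMPLE_KEYS_EMPTY ;;
        *) echo "unknown scenario: $1" >&2; return 1 ;;
    esac
    d=$(mktemp -d)
    printf '%s\n' "$cfg"   > "$d/config"
    printf '%s\n' "$sb"    > "$d/sb"
    printf '%s\n' "$ktext" > "$d/keys"
    diagnose "$d/config" "$d/sb" "$d/keys" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Gather the real inputs from the running system and diagnose them.
live_check() {
    d=$(mktemp -d)
    { zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)"; } > "$d/config"
    mokutil --sb-state > "$d/sb" 2>/dev/null || echo 'SecureBoot state unknown' > "$d/sb"
    keyctl show %:.machine > "$d/keys" 2>/dev/null || : > "$d/keys"
    diagnose "$d/config" "$d/sb" "$d/keys" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

case "${1-}" in live) live_check ;; esac
```

Exit code 3 is the situation the PR fixes; after the config change, the same host should move to exit code 0 and `dmesg` should show the MOK certificates being loaded at boot. Exit code 4 means IMA was not the blocker, so `mokutil --list-enrolled` and the module's signer (`modinfo -F signer`) are the next things to compare.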