Raring and signed modules
Tim Gardner
tim.gardner at canonical.com
Mon Nov 5 19:07:36 UTC 2012

I've pushed the 3.7-rc4 rebase to raring master-next:
git://kernel.ubuntu.com/ubuntu/ubuntu-raring.git

Contained in this update is CONFIG_MODULE_SIG=y. This option signs
modules using a private key generated during the build. At the end of
the build this private key is discarded and the public key used to
decrypt module signatures is built into a keyring embedded within the
kernel vmlinuz. By default signed modules are not enforced. However, you
can enforce signed modules by applying 'module.sig_enforce=yes' to the
grub command line (GRUB_CMDLINE_LINUX_DEFAULT) in /etc/defaults/grub.

Since it is sometimes difficult to understand why a module hasn't loaded
I've added a kernel log message that will tell you if module signing is
the culprit. Look for the message 'module: error loading incorrectly
signed module.' DKMS packages, such as the nVidia driver and fglrx, can
only be loaded if module signing is _not_ enforced. In that event, there
is no warning in the kernel log that you've just loaded an unsigned module.

rtg
--
Tim Gardner tim.gardner at canonical.com
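
Because an unsigned module loaded without enforcement leaves no kernel log entry, an audit has to look at the module files and the boot parameters directly. The shell helpers below are an added example, not code from the original post or the Ubuntu kernel tree; the function names are hypothetical, and the 28-byte trailer string and the accepted boolean spellings are assumptions taken from the upstream kernel's module-signing code rather than from the post.

```shell
#!/bin/sh
# Added example: audit helpers for the signed-module behaviour described above.
# Assumption (upstream kernel, not the post): a signed .ko file ends with the
# marker "~Module signature appended~" followed by a newline (28 bytes total).
# The marker only shows a signature is attached; validity is checked by the
# kernel at load time. Compressed modules (.ko.xz etc.) are not handled here.
SIG_MARKER='~Module signature appended~'

# Hex-encode stdin so binary data (NUL bytes) can be compared safely.
to_hex() { od -An -v -tx1 | tr -d ' \n'; }

# Exit 0 if the file ends with the signature marker, 1 if not, 2 if unreadable.
is_signed_module() {
    [ -r "$1" ] || return 2
    want=$(printf '%s\n' "$SIG_MARKER" | to_hex)
    got=$(tail -c 28 "$1" | to_hex)
    [ "$got" = "$want" ]
}

# Print every *.ko under a directory that carries no signature marker.
# These are the modules that load silently when enforcement is off.
list_unsigned() {
    find "$1" -type f -name '*.ko' | while IFS= read -r ko; do
        is_signed_module "$ko" || printf '%s\n' "$ko"
    done
}

# Exit 0 if a kernel command line string enables enforcement, as with the
# 'module.sig_enforce=yes' setting from the post. Assumption: the kernel's
# boolean parsing also accepts a bare flag and values starting with y, Y or 1.
cmdline_enforces() {
    case " $1 " in
        *" module.sig_enforce "*|*" module.sig_enforce="[yY1]*) return 0 ;;
    esac
    return 1
}

# Count rejections in a saved kernel log, using the message quoted in the post.
count_sig_rejections() {
    grep -c -F 'module: error loading incorrectly signed module' "$1" || true
}

# Typical use on a live system (paths are the usual ones, adjust as needed):
#   cmdline_enforces "$(cat /proc/cmdline)" || echo "signing not enforced"
#   list_unsigned "/lib/modules/$(uname -r)"
#   dmesg > /tmp/dmesg.txt && count_sig_rejections /tmp/dmesg.txt
```
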