[PATCH v2 1/2][Cosmic] UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary keyring for module signing

Seth Forshee seth.forshee at canonical.com
Mon Oct 29 14:50:02 UTC 2018


BugLink: https://bugs.launchpad.net/bugs/1798863

For signing dkms modules we use a machine owner key whose public
half is enrolled into shim. This gets imported into the kernel's
secondary keyring, thus keys in this keyring need to be trusted
for module signing.

Unfortunately the revision of the "secure boot lockdown" patches
imported into cosmic had a bug whereby keys in the secondary
keyring are not trusted for module signing. Another bug resulted
in the modules still being loaded under lockdown, so before
fixing that bug we need to fix the bug with trusting the MOK for
module signing so that dkms modules signed with the MOK will
continue to load.

Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
---
 kernel/module_signing.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 937c844bee4a..cafe730381fa 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -81,6 +81,7 @@ int mod_verify_sig(const void *mod, unsigned long *_modlen)
 	}
 
 	return verify_pkcs7_signature(mod, modlen, mod + modlen, sig_len,
-				      NULL, VERIFYING_MODULE_SIGNATURE,
+				      VERIFY_USE_SECONDARY_KEYRING,
+				      VERIFYING_MODULE_SIGNATURE,
 				      NULL, NULL);
 }
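Review bot: the swap of the NULL trusted_keys argument for VERIFY_USE_SECONDARY_KEYRING in mod_verify_sig() has no comment at the call site, yet it is the whole fix: module signature verification now trusts every key in the secondary keyring rather than only the builtin keyring, and nothing in the code says why. Add a one-line comment above the verify_pkcs7_signature() call noting that shim-enrolled MOKs are imported into the secondary keyring and must be accepted for dkms modules (with the BugLink), so the next rebase of the lockdown series does not silently drop this back to NULL. It is also worth stating in the cover letter that the shipped config has the secondary trusted keyring enabled, since the lookup has nothing beyond the builtin keys to find otherwise.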
-- 
2.19.1
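The trust chain the commit message describes (MOK enrolled in shim, imported into the secondary keyring, accepted for module signing) can be checked from userspace. The script below is an added example and is not part of this patch or of the Ubuntu kernel tree: it takes the signer key id a module carries, in the colon-separated form modinfo -F sig_key prints, and looks for it in the listings of the kernel's builtin and secondary trusted keyrings as keyctl list prints them. The keyring listings and key ids in the block are constructed sample data with made-up key ids; the live wrapper assumes keyutils (keyctl) and kmod (modinfo) are installed and that the caller can read the trusted keyrings.

```shell
#!/bin/sh
# Added example, not part of the patch or the Ubuntu kernel tree.
# Answers: is the key that signed a module present in the kernel's
# secondary trusted keyring (where shim-enrolled MOKs land), in the
# builtin keyring, or in neither?
#
# Live use needs keyutils (keyctl) and kmod (modinfo). The CONSTRUCTED
# sample data below stands in for their output so the checks run offline;
# every key id in it is made up.

# Turn modinfo's sig_key ("AA:BB:...") into the lowercase, colon-free hex
# form that ends an asymmetric key description in keyctl output.
normalize_keyid() {
    printf '%s' "$1" | tr -d ':' | tr 'A-Z' 'a-z'
}

# From "keyctl list" output on stdin, print the hex key id that ends each
# asymmetric key description, one per line. Nested keyring entries
# (e.g. the builtin keyring linked into the secondary one) are skipped.
keyring_keyids() {
    awk '/asymmetric:/ { sub(/.*: /, ""); print tolower($0) }'
}

# Exit 0 if signer id $1 (modinfo form) appears in keyring listing $2.
signer_in_keyring() {
    want=$(normalize_keyid "$1")
    printf '%s\n' "$2" | keyring_keyids | grep -qxF "$want"
}

# Report which trusted keyring holds the signer: "builtin", "secondary"
# or "none". $1 = modinfo sig_key, $2 = builtin listing, $3 = secondary
# listing. The builtin keyring is checked first because the secondary
# keyring links it, so a builtin key would otherwise also match there.
classify_signer() {
    if signer_in_keyring "$1" "$2"; then echo builtin
    elif signer_in_keyring "$1" "$3"; then echo secondary
    else echo none
    fi
}

# Live variant: classify a real .ko on a system with keyutils and kmod.
# Reading the trusted keyrings normally requires root.
live_classify_module() {
    sig=$(modinfo -F sig_key "$1") || return 2
    [ -n "$sig" ] || { echo unsigned; return 0; }
    classify_signer "$sig" \
        "$(keyctl list %:.builtin_trusted_keys 2>/dev/null)" \
        "$(keyctl list %:.secondary_trusted_keys 2>/dev/null)"
}

# CONSTRUCTED sample keyring listings and signer ids (made-up values).
SAMPLE_SECONDARY='2 keys in keyring:
 24716034: ---lswrv     0     0 keyring: .builtin_trusted_keys
591829537: ---lswrv     0     0 asymmetric: Sample Machine Owner Key: 00112233445566778899aabbccddeeff00112233'
SAMPLE_BUILTIN='1 key in keyring:
342087721: ---lswrv     0     0 asymmetric: Sample distro kernel signing key: ffeeddccbbaa99887766554433221100ffeeddcc'
SAMPLE_MOK_SIG_KEY='00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'
SAMPLE_UNKNOWN_SIG_KEY='DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF:DE:AD:BE:EF'

# Offline demonstration on the constructed data.
echo "MOK-signed module: signer found in $(classify_signer "$SAMPLE_MOK_SIG_KEY" "$SAMPLE_BUILTIN" "$SAMPLE_SECONDARY")"
echo "Unknown signer:    signer found in $(classify_signer "$SAMPLE_UNKNOWN_SIG_KEY" "$SAMPLE_BUILTIN" "$SAMPLE_SECONDARY")"
```

A dkms module whose signer classifies as secondary is exactly the case this patch addresses: with NULL as the trusted_keys argument only the builtin keyring was consulted and a MOK-signed module failed verification, whereas with VERIFY_USE_SECONDARY_KEYRING the secondary keyring, which also links the builtin keys, is searched. A result of none means the module's signer is trusted by neither keyring and the signature will not verify either way.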
