APPLIED [OEM-5.17] Re: [PATCH v2 0/1][SRU][OEM-5.17/U] enable Mok key support

Timo Aaltonen tjaalton at ubuntu.com
Fri May 13 18:05:32 UTC 2022


You-Sheng Yang wrote on 10.5.2022 at 19.28:
> From: "You-Sheng Yang (vicamo)" <vicamo.yang at canonical.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1972802
> 
> [Impact]
> MOK keys are not trusted after kernel 5.17
> 
> [Fix]
> Enable CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT and CONFIG_IMA_ARCH_POLICY as the
> fix: the patch "[patch] integrity: Do not load MOK and MOKx when secure boot
> be disabled" was added to check whether secure boot is enabled before trusting the MOK key.
> 
> [Test]
> Enroll a MOK key and use it to sign kernel modules; make sure secure boot is on
> and load the kernel module with either modprobe or insmod.
> 
> [Where problems could occur]
> Low. Only affects the function that checks whether secure boot is enabled.
> 
> Ivan Hu (1):
>    UBUNTU: [Config] enable configs for fixing kernel won't load mok
> 
>   debian.oem/config/annotations          | 4 ++--
>   debian.oem/config/config.common.ubuntu | 4 ++--
>   2 files changed, 4 insertions(+), 4 deletions(-)
> 

applied to oem-5.17, thanks

-- 
t


