
Bug#935945: linux-image-5.2.0-2-amd64: does not load signed kernel modules when UEFI Secure Boot is enabled



I have this problem too and opened a duplicate #939773 earlier with some
investigation. Rephrasing my investigation from that duplicate:

In this kernel the MOK key gets inserted into the .platform keyring (I see
CONFIG_INTEGRITY_PLATFORM_KEYRING is set to true in the kernel config), which
isn't used for validation of module signatures. I've found this related bug in
Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1701096. There are some
links to upstream patches, but I've just checked linux master and
kernel/module_signing.c is still using only .secondary_trusted_keyring and
.builtin_trusted_keyring to verify module signatures while the MOK key is added
to the .platform keyring.
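
A diagnostic for the situation described in the message above, added here as an example and not part of the original report: given a module's signer name and the text printed by `keyctl list` for each keyring, it reports whether the signer's key sits only in `.platform`. The function names, verdict strings and sample listings are constructed for illustration; `.builtin_trusted_keys` and `.secondary_trusted_keys` are the keyring names as `keyctl` shows them.

```shell
#!/bin/sh
# Added example: classify where a module signer's key is loaded.
# Listings are text in the shape printed by `keyctl list %:<keyring>`.

# has_signer SIGNER LISTING
# Succeeds if LISTING holds an asymmetric key described as "SIGNER: <key id>".
has_signer() {
    printf '%s\n' "$2" | grep -F -q -- "asymmetric: $1:"
}

# module_key_verdict SIGNER BUILTIN_LISTING SECONDARY_LISTING PLATFORM_LISTING
# Prints one of: unsigned, trusted-for-modules, platform-only, not-loaded.
module_key_verdict() {
    if [ -z "$1" ]; then
        echo unsigned                 # module carries no signer field
    elif has_signer "$1" "$2" || has_signer "$1" "$3"; then
        echo trusted-for-modules      # keyrings the message says are consulted
    elif has_signer "$1" "$4"; then
        echo platform-only            # the case reported in this bug
    else
        echo not-loaded
    fi
}

# Constructed sample listings (key names and IDs are made up).
SAMPLE_BUILTIN='1 key in keyring:
 11111111: ---lswrv     0     0 asymmetric: Example Distro Kernel Signing Key: 00112233445566778899aabbccddeeff00112233'
SAMPLE_SECONDARY='keyring is empty'
SAMPLE_PLATFORM='2 keys in keyring:
 22222222: ---lswrv     0     0 asymmetric: Example Firmware CA: 8899aabbccddeeff0011223344556677aabbccdd
 33333333: ---lswrv     0     0 asymmetric: Example MOK: ffeeddccbbaa99887766554433221100ffeeddcc'

# Demo on the constructed data; prints "platform-only".
module_key_verdict 'Example MOK' \
    "$SAMPLE_BUILTIN" "$SAMPLE_SECONDARY" "$SAMPLE_PLATFORM"

# On a live system the arguments would come from, for example:
#   modinfo -F signer ./mymodule.ko
#   keyctl list %:.builtin_trusted_keys
#   keyctl list %:.secondary_trusted_keys
#   keyctl list %:.platform
```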

