feature request: Debian package - kernel module signing for kernel_lockdown #113
Comments
|
It depends on your setup. For instance, I deleted the preinstalled EFI keys form my laptop's firmware and installed there my own keys instead, so only the code I sign can run on my machine. I sign every kernel I build using my private key. I don't sign modules, because I have all the needed things built into the kernel. But if I wanted to build some external module via dkms I could sign it automatically using DKMS. Some time ago I wrote an article on this subject. it's in Polish, but all the necessary commands are in place and you will figure out how to make that setup work. |
|
@solardiz @adrelanos I'm not sure there is anything which we as LKRG can do, can we? |
|
I guess this would have to be done in DKMS or by the distribution to apply for all kernel modules. |
DKMS supports it:
But how to use it? Is this something to be implemented per kernel module? Or is this a sysadmin task?
//cc @morfikov
Would you know how to implement this?
The text was updated successfully, but these errors were encountered: