enforce kernel module software signature verification [module signing] / disallow kernel module loading by default

Patrick · April 29, 2021, 2:52pm

DKMS getting module signing support.

dell/dkms/blob/master/dkms_framework.conf#L30


      
          # copying the modules. This preserves some space on the costs of being less
          # safe. Symlinking will be active if set to a non-null value:
          # symlink_modules=""
          
          # Automatic installation and upgrade for all installed kernels if set to a
          # non-null value:
          # autoinstall_all_kernels=""
          
          # Location of the sign-file kernel binary. $kernelver can be used in path to
          # represent the target kernel version. (default: depends on distribution):
          # sign_file="/path/to/sign-file"
          
          # Location of the key and certificate files used for Secure boot. $kernelver
          # can be used in path to represent the target kernel version.
          #
          # NOTE: If any of the files specified by `mok_signing_key` and
          # `mok_certificate` are non-existant, dkms will re-create both files.
          #
          # mok_signing_key can also be a "pkcs11:..." string for PKCS#11 engine, as
          # long as the sign_file program supports it.
          # (default: /var/lib/dkms):

https://github.com/dell/dkms/blob/master/sign_helper.sh

Dunno when this lands in Debian. Hopefully in Debian bullseye.

If so, since…

github.com/dell/dkms

add /etc/dkms/framework.conf.d configuration file drop-in folder

opened 12:55PM - 19 Jan 20 UTC

closed 07:32PM - 22 May 22 UTC

adrelanos

Could you please add support for parsing `/etc/dkms/framework.conf.d` configurat…ion file drop-in folder? Similar to `/etc/dkms/framework.conf`. Use cases: * useful for derivative linux distribution * to work around some kernel bug ([possibly this](https://bugzilla.kernel.org/show_bug.cgi?id=196729)) I would like to set `parallel_jobs=1` per VM to work around a [bug](https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26?u=patrick) * to be able to add module signing to modules in a generic way for modules which can't do that themselves yet

…isn’t implemented, package security-misc could config-package-dev displace

/etc/dkms/framework.conf