Re: [RFC PATCH 2/2] docs: Update kernel-parameters.txt for signature verification enhancement
Hello Prarit, Il giorno mer 8 nov 2023 alle ore 16:33 Prarit Bhargava ha scritto: > > On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote: > > Update kernel-parameters.txt to reflect new deferred signature > > verification. > > Enhances boot speed by allowing unsigned modules in initrd after > > bootloader check. > > > > Signed-off-by: Alessandro Carminati (Red Hat) > > > > --- > > Documentation/admin-guide/kernel-parameters.txt | 9 + > > 1 file changed, 9 insertions(+) > > > > diff --git a/Documentation/admin-guide/kernel-parameters.txt > > b/Documentation/admin-guide/kernel-parameters.txt > > index 0c38a8af95ce..beec86f0dd05 100644 > > --- a/Documentation/admin-guide/kernel-parameters.txt > > +++ b/Documentation/admin-guide/kernel-parameters.txt > > @@ -3410,6 +3410,15 @@ > > Note that if CONFIG_MODULE_SIG_FORCE is set, that > > is always true, so this option does nothing. > > > > + module_sig_check_wait= > > + This parameter enables delayed activation of module > > + signature checks, deferring the process until > > userspace > > + triggers it. Once activated, this setting becomes > > + permanent and cannot be reversed. This feature proves > > + valuable for incorporating unsigned modules within > > + initrd, especially after bootloader verification. > > + By employing this option, boot times can be quicker. > > + > > Please keep these in alphabetical order. > > Would making the kernel-parameters.txt warning a little bit more > informative be a good thing? This should only be used in environments > where some other signature verification method is employed. > > Also, for future reference, it would be good to have hard numbers to > show the boot time improvement in the changelog. I'll do the necessary adjustments in the v2, thank you for your feedback. > > P. > > > module_blacklist= [KNL] Do not load a comma-separated list of > > modules. Useful for debugging problem modules. > > >
Re: [RFC PATCH 2/2] docs: Update kernel-parameters.txt for signature verification enhancement
On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote: Update kernel-parameters.txt to reflect new deferred signature verification. Enhances boot speed by allowing unsigned modules in initrd after bootloader check. Signed-off-by: Alessandro Carminati (Red Hat) --- Documentation/admin-guide/kernel-parameters.txt | 9 + 1 file changed, 9 insertions(+) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt index 0c38a8af95ce..beec86f0dd05 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt @@ -3410,6 +3410,15 @@ Note that if CONFIG_MODULE_SIG_FORCE is set, that is always true, so this option does nothing. + module_sig_check_wait= + This parameter enables delayed activation of module + signature checks, deferring the process until userspace + triggers it. Once activated, this setting becomes + permanent and cannot be reversed. This feature proves + valuable for incorporating unsigned modules within + initrd, especially after bootloader verification. + By employing this option, boot times can be quicker. + Please keep these in alphabetical order. Would making the kernel-parameters.txt warning a little bit more informative be a good thing? This should only be used in environments where some other signature verification method is employed. Also, for future reference, it would be good to have hard numbers to show the boot time improvement in the changelog. P. module_blacklist= [KNL] Do not load a comma-separated list of modules. Useful for debugging problem modules.
Re: [RFC PATCH 2/2] docs: Update kernel-parameters.txt for signature verification enhancement
On 9/14/23 04:27, Alessandro Carminati (Red Hat) wrote: > Update kernel-parameters.txt to reflect new deferred signature > verification. > Enhances boot speed by allowing unsigned modules in initrd after > bootloader check. > > Signed-off-by: Alessandro Carminati (Red Hat) > --- > Documentation/admin-guide/kernel-parameters.txt | 9 + > 1 file changed, 9 insertions(+) > > diff --git a/Documentation/admin-guide/kernel-parameters.txt > b/Documentation/admin-guide/kernel-parameters.txt > index 0c38a8af95ce..beec86f0dd05 100644 > --- a/Documentation/admin-guide/kernel-parameters.txt > +++ b/Documentation/admin-guide/kernel-parameters.txt > @@ -3410,6 +3410,15 @@ > Note that if CONFIG_MODULE_SIG_FORCE is set, that > is always true, so this option does nothing. > > + module_sig_check_wait= > + This parameter enables delayed activation of module > + signature checks, deferring the process until userspace > + triggers it. Once activated, this setting becomes > + permanent and cannot be reversed. This feature proves > + valuable for incorporating unsigned modules within > + initrd, especially after bootloader verification. > + By employing this option, boot times can be quicker. > + Please keep the entries here in alphabetical order. This new entry should be after module_blacklist, not before it. Thanks. > module_blacklist= [KNL] Do not load a comma-separated list of > modules. Useful for debugging problem modules. > -- ~Randy
