Jared K. Smith wrote: > Yes, as I understand it the kernel key is used for module signing. > The most obvious new use for module signing is Secure Boot, so > that the kernel will only load modules signed with its key.
JD wrote: > If what you say is true, then the kernel config option > CONFIG_MODVERSIONS which is used for: > "Usually, you have to use modules compiled with your kernel. > Saying Y here makes it sometimes possible to use modules > compiled for different kernels, by adding enough information > to the modules to (hopefully) spot any changes which would > make them incompatible with the kernel you are running. If > unsure, say N." > > will have to be removed Module signing is not going to be a mandatory part of building the Linux kernel (not least because it slows down the process of building kernels, which is something kernel developers do a lot.) Even if the modules are signed, that doesn’t mean that the kernel will necessarily check the signatures. For example, https://lwn.net/Articles/470906/ says that “the option of building a kernel that will only allow modules that have been cryptographically signed to be loaded … has been running in Fedora and RHEL kernels for years.” I presume that this option will be forced on if you’re booting in Secure Boot mode, otherwise you will be able to enable it with something like enforcemodulesig=1 on the kernel command line. Hope this helps, James. -- E-mail: james@ | A: Because people don’t normally read bottom to top. aprilcottage.co.uk | Q: Why is top-posting such a bad thing? | A: Top-posting. | Q: What is the most annoying thing in e-mail and usenet? -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
