On Fri, Oct 19, 2012 at 01:35:25AM +0100, Mr Dash Four wrote: > I seem to remember in one of the early 3.6-RC kernel versions there were provisions put in the .spec file to sign all kernel code and its modules using the above facility. I can't find this in the 3.6.1 or 3.6.2 versions of the kernel currently in the Fedora srpm files. Has this been dropped? No. It's only present in F18 and rawhide, but it's still there. > On a related issue - if, for some reason, I am unable to deploy UEFI (disabled, so that Windows 8 won't prevent me from installing/using/booting up Linux) can I still sign the kernel and its modules and enforce these checks at startup with the bootloader (grub2)? Would that be possible? Thanks! I'm guessing you meant "Secure Boot" and not "UEFI". If so, the answer is sort of. grub2 won't check the kernel, but it will still be signed if it's a 64-bit F18 or newer release kernel. The modules will all be signed regardless as that's done with a different key generated at kernel build time. There's a kernel parameter you can enable to force the kernel into a "secure boot" mode. Without the secure firmware, I'm not entirely sure why you'd want to do that though. It won't prevent bootloader based attacks. If you just want signed modules, there's a different kernel parameter you can pass to enforce signed modules. josh _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
