Lo!

On 10.12.2015 20:59, Josh Boyer wrote(¹):
> […]
> Thinking about it some, there isn't really a reason CONFIG_MODULE_SIG
> couldn't be enabled on other architectures. Signed modules are
> independent of UEFI secure boot support. If we did that, we might
> want to come up with something that maps arches which have it enabled
> to a single RPM macro.
>
> Anyway, that's likely future work.

Find attached two patches to go down that route.

The first creates a new macro in the spec file to make "signing modules" and "signing kernels for UEFI secure boot" independent from each other. This is pretty straightforward and could be applied as is, as afterwards it is more obvious what happens. I fired a scratch build to verify mod-sign and pesign are still called just like before on %{ix86} x86_64. Results can be found via
http://koji.fedoraproject.org/koji/taskinfo?taskID=12376294
The arm build log shows that mod-sign and pesign are still not called.

The second patch enables module signing for all archs. Scratch builds for primary archs:
http://koji.fedoraproject.org/koji/taskinfo?taskID=12376883
Scratch build for ppc:
http://ppc.koji.fedoraproject.org/koji/taskinfo?taskID=3033583

I for now didn't run any of those kernels to verify if things still work as I'm unsure what we want to do (hence the RFC in the Subject): On which archs do we want to enable module signing? Are there any reasons to not enable it on some archs? Is the overhead considered too big for armv7? Does it work everywhere?

My current stance to those questions: If there are no good reasons to not use module signing on some archs simply enable it everywhere.

Cu
thl

(¹) that was in
https://lists.fedoraproject.org/archives/list/kernel%40lists.fedoraproject.org/message/W5OAS6RF3AMX6ZDTB2KSWA4DWCCDB5IF/