Consider Merging: sign kernel modules on all archs in Fedora

Hi Justin! Please consider merging the two patches I'll send as reply to
this mail. They are basically a rebase of the patches I sent two months ago:
http://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx/message/IBGSWC2OGGU5QLEJEQVH4W2ZY6UNHWOF/

To quote myself:

> On 10.12.2015 20:59, Josh Boyer wrote(¹):
>> > […]
>> > Thinking about it some, there isn't really a reason CONFIG_MODULE_SIG
>> > couldn't be enabled on other architectures.  Signed modules are
>> > independent of UEFI secure boot support.  If we did that, we might
>> > want to come up with something that maps arches which have it enabled
>> > to a single RPM macro.
>> > 
>> > Anyway, that's likely future work.
> 
> Find attached two patches to go down that route.
>
> The first creates a new macro in the spec file to make "signing modules"
> and "signing kernels for UEFI secure boot" independent from each other.
> This is pretty straightforward and could be applied as is, as afterwards
> it is more obvious what happens. I fired a scratch build to verify
> mod-sign and pesign are still called just like before on %{ix86} x86_64.
> Results can be found via
> http://koji.fedoraproject.org/koji/taskinfo?taskID=12376294 The arm
> build log shows that mod-sign and pesign are still not called.
> 
> The second patch enables module signing for all archs. Scratch builds
> for primary archs:
> http://koji.fedoraproject.org/koji/taskinfo?taskID=12376883
> Scratch build for ppc:
> http://ppc.koji.fedoraproject.org/koji/taskinfo?taskID=3033583
> I for now didn't run any of those kernels to verify if things still work
> as I'm unsure what we want to do (hence the RFC in the Subject): On
> which archs do we want to enable module signing? Are there any reasons
> to not enable it on some archs? Is the overhead considered too big for
> armv7? Does it work everywhere?

Peter on IRC said the overhead for armv7 is no problem from his point of
view and Josh seems to be fine with the whole idea as well. Here is a
fresh scratch build to show that the stuff still builds on x86-32,
x86-64 and armv7:
http://koji.fedoraproject.org/koji/taskinfo?taskID=13251682

CU, knurd