Does the Ubuntu kernel carry a downstream patch which enables loading MOK keys into kernel keyring? For example - cat /proc/keys. Or it uses some configuration to do so?
I want to do what’s described HERE (sign out-of-tree kernel modules), but on Arch.
There also seems to be some tool called kmodsign in Ubuntu’s sbsigntool package, which is not in Arch’s sbsigntools package.
MOK keys are enrolled by mokmanager (mm efi app from shim) into UEFI variable storage.
On boot shim looks those up and mirrors them into UEFI RT variable and a UEFI config table.
Vanilla kernel loads RT variable or UEFI config table keys into the platform keyring.
Ubuntu does not carry any out of tree patches to load MOK keys into the kernel keyring.
However, one must boot with shim to have this work.
The are multiple tools (at least 3?!) that can be used to sign kernel modules. One doesn’t have to use kmodsign.
Thanks for replying! So meanwhile I’ve talked with some Arch fellows and they said that there’s a pending PATCH series and also PATCH which enables trusting the platform key-ring to sign modules.
So it seems that what you said is true, they are indeed loaded into the platform keyring, but platform keyring is not yet used for verifying the modules.
Whilst all of that is true, it depends on which lockdown patches one has, and if one is relying on lockdown to enforce IMA appraisal of modules; or if one is using just the plain enforce kernel module signatures stuff.
On Ubuntu, when secureboot is on, and shim is enforcing validation, we opt into lockdown with ima appraisal enforcement. IMA appraisal already uses platform keys today.
But yes, more things are evolving at the moment around usage of platform keyring.
