#1 2023-06-11 17:25:29

opotonil
Member
Registered: 2009-09-12
Posts: 45

Signed kernel modules with nvidia from Arch official repositories

I am trying to add a little more security to my system. I have started with something that seems simple, enabling module verification with the kernel parameter "module.sig_enforce=1", but then the Nvidia modules, from the Arch official repositories, don't load.

Is there a reason why they are not signed? Would it be reasonable to open a bug suggesting that they be signed?

Could I sign them manually or better using a pacman hook (without having to switch to nvidia-dkms to rebuild them)?

Offline

#2 2023-06-11 19:18:26

loqs
Member
Registered: 2014-03-06
Posts: 18,885

Re: Signed kernel modules with nvidia from Arch official repositories

The signing key is generated per build and not retained, so it cannot be used to sign modules in other packages.
https://gitlab.archlinux.org/archlinux/ … ags#L10841
https://www.kernel.org/doc/Documentatio … igning.rst

Last edited by loqs (2023-06-11 19:18:57)

Offline

#3 2023-06-11 20:00:15

progandy
Member
Registered: 2012-05-17
Posts: 5,311

Re: Signed kernel modules with nvidia from Arch official repositories

loqs wrote:

The signing key is generated per build and not retained, so it cannot be used to sign modules in other packages.

The bug/feature request for that is here: https://bugs.archlinux.org/task/64793

And the wiki for building a custom kernel with a module signing key: https://wiki.archlinux.org/title/Signed_kernel_modules

Last edited by progandy (2023-06-11 20:01:33)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |

Offline

#4 2023-06-12 13:10:34

opotonil
Member
Registered: 2009-09-12
Posts: 45

Re: Signed kernel modules with nvidia from Arch official repositories

So it won't be that easy...

I'm curious how Fedora does it with the Nvidia driver. It forces module verification by default, if I'm not wrong, and I don't think it shares the key with RPM Fusion.

Last edited by opotonil (2023-06-12 13:21:07)

Offline

#5 2023-06-12 15:35:57

progandy
Member
Registered: 2012-05-17
Posts: 5,311

Re: Signed kernel modules with nvidia from Arch official repositories

Last I remember, Fedora has added patches to the kernel to accept UEFI or MOK certificates for module signatures. Maybe RPM Fusion uses that.


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' | alias ENGLISH='LANG=C.UTF-8 ' |

Offline

#6 2023-06-12 18:22:12

opotonil
Member
Registered: 2009-09-12
Posts: 45

Re: Signed kernel modules with nvidia from Arch official repositories

I think you're right:
https://rpmfusion.org/Howto/Secure%20Boot

Thanks. I was beginning to think that there was some relationship between Secure Boot and module signing; now I understand that it is a peculiarity of Fedora.

Offline
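For readers who want to see whether a given module file carries a signature at all before turning on "module.sig_enforce=1", the following is an added example, not code from any poster in this thread or from Arch. It parses the trailer the kernel's module signing format appends to a `.ko` image; it assumes the input is the uncompressed module bytes, and the sample blobs and the `build_sample` helper are constructed for illustration.

```python
import struct

# Constants from the kernel's module signature format: a signed module is
# [module image][signature data][12-byte trailer][marker string].
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (big-endian)
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def parse_module_signature(blob: bytes):
    """Return signature metadata for an uncompressed .ko image, or None if unsigned."""
    if not blob.endswith(MAGIC):
        return None  # no marker: module.sig_enforce=1 would refuse this module
    body = blob[: -len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("marker present but trailer is truncated")
    _algo, _hash, id_type, _signer_len, _key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:]
    )
    payload_len = len(body) - TRAILER.size
    if sig_len > payload_len:
        raise ValueError("sig_len is larger than the file")
    return {
        "id_type": id_type,
        "is_pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "module_len": payload_len - sig_len,
    }


def build_sample(signed: bool) -> bytes:
    """Constructed sample: fake ELF bytes, optionally with a dummy signature appended."""
    elf = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return elf
    sig = b"\x30" * 256  # placeholder bytes, not a real PKCS#7 blob
    return elf + sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    for label, blob in (("signed", build_sample(True)), ("unsigned", build_sample(False))):
        print(label, parse_module_signature(blob))
```

A present trailer only shows that a signature was appended; the kernel still rejects the module unless the signing key is one it trusts, which is the per-build key issue described in the replies above.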
