Package: src:linux
Severity: normal
Kernel module signature verification can be enabled using the
`module.sig_enforce=1` kernel parameter on non-EFI systems.
On non-EFI systems, `mokutil` won't work. But then how could one enroll
the key without needing to recompile grub or the kernel?
Can `/var/lib/dkms/mok.pub` be enrolled using `keyctl`? Probably not, as
per the kernel manual [1]:

> Note, however, that the kernel will only permit keys to be added to
> .builtin_trusted_keys if the new key's X.509 wrapper is validly signed
> by a key that is already resident in the .builtin_trusted_keys at the
> time the key was added.

Upstream DKMS thinks DKMS is the wrong place to do this. [2]
Cheers,
Patrick
[1] https://www.kernel.org/doc/html/v6.6/admin-guide/module-signing.html
[2] https://github.com/dell/dkms/issues/359
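For readers triaging the situation the report describes (a DKMS module refused on a non-EFI box with `module.sig_enforce=1`), the following script collects the facts that matter before anyone tries to enroll a key: whether enforcement is actually on, whether the `.ko` carries the kernel's appended signature trailer at all, and what the trusted keyrings currently contain. It is an added example written for this page, not code from the bug report, from DKMS or from the kernel tree. It assumes a Linux host; the keyring listing uses `keyctl` from keyutils and is skipped if that is not installed. The two sample `.ko` files it creates are constructed stand-ins (a text payload with and without the trailer), not real ELF modules, and `module_is_signed` only looks for the trailer, it does not validate the signature or tell you which keyring would accept it.

```shell
#!/bin/sh
# Added example (not from the bug report, DKMS or the kernel). Helpers for
# checking module-signature state on a host running module.sig_enforce=1.

# Magic string the kernel's scripts/sign-file appends after the signature
# (27 characters plus a trailing newline, 28 bytes in total).
SIG_MAGIC='~Module signature appended~'

# sig_enforce_state [PATH]: print Y/N from the kernel parameter, or
# "unknown" if the sysfs file is not readable (PATH is overridable for tests).
sig_enforce_state() {
    p="${1:-/sys/module/module/parameters/sig_enforce}"
    if [ -r "$p" ]; then
        cat "$p"
    else
        echo unknown
    fi
}

# module_is_signed FILE: return 0 if FILE ends with the signature trailer,
# 1 otherwise. Compressed modules (.xz/.gz/.zst) are decompressed first,
# since the trailer sits inside the compressed payload.
module_is_signed() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$f" in
        *.xz)  xz -dc "$f" ;;
        *.gz)  gzip -dc "$f" ;;
        *.zst) zstd -dc "$f" ;;
        *)     cat "$f" ;;
    esac | tail -c 28 | grep -qxF "$SIG_MAGIC"
}

# module_signer FILE: print the signer's key id as modinfo reports it
# (empty if the file is unsigned or not a real module).
module_signer() {
    modinfo -F sig_key "$1" 2>/dev/null || true
}

# show_trusted_keyrings: list the kernel keyrings that module signatures are
# checked against. Needs keyutils; .platform only exists on EFI/secure-boot
# hosts, which is exactly the keyring a non-EFI box lacks.
show_trusted_keyrings() {
    if ! command -v keyctl >/dev/null 2>&1; then
        echo "keyctl not installed (package keyutils); skipping keyring listing"
        return 0
    fi
    for kr in .builtin_trusted_keys .secondary_trusted_keys .platform; do
        echo "== $kr"
        keyctl show "%:$kr" 2>/dev/null || echo "(keyring not present)"
    done
}

# make_samples: create two constructed stand-in modules in a temp dir and
# print the dir. Not real ELF files; only the trailer matters to the check.
make_samples() {
    d=$(mktemp -d)
    printf 'ELF payload of a constructed module\n' > "$d/unsigned.ko"
    { cat "$d/unsigned.ko"; printf '%s\n' "$SIG_MAGIC"; } > "$d/signed.ko"
    echo "$d"
}

# check_module FILE: one-shot report for a module that refuses to load.
check_module() {
    m="$1"
    echo "sig_enforce: $(sig_enforce_state)"
    if module_is_signed "$m"; then
        echo "$m: signature trailer present, signer key: $(module_signer "$m")"
    else
        echo "$m: no signature trailer; with sig_enforce=Y this module cannot load"
    fi
    show_trusted_keyrings
}

# Usage: sh check-modsig.sh /path/to/module.ko
if [ $# -gt 0 ]; then
    check_module "$1"
fi
```

Run it against the DKMS-built `.ko` that fails to load. If the trailer is missing, the question of enrolling `mok.pub` is moot until the module is signed at all; if it is present, `module_signer` gives the key id to compare against the `keyctl show` output, which on a non-EFI host will list `.builtin_trusted_keys` and `.secondary_trusted_keys` but no `.platform` keyring.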