void-packages/srcpkgs/linux5.4
Helmut Pozimski ec2921da66 linux5.4: disable lsm_lockdown and add patch for iwlwifi
Enabling the lockdown module required the enabling of module signature checking
which in turn marked the kernel as tainted because our kernel was not signed.
Currently the kernel only supports signing with the already defeated SHA-1
algorithm which makes the feature less useful in the first place.

Also the current model only works when there's a central authority that signs
all modules or you compile the kernel yourself and use your own key for the
signatures. We could sign all kernel modules distributed with the kernel with
a randomly generated key so they could be verified but that would make out-of-tree
modules taint the kernel again. Since adding another key to the keyring requires
the key used at build time, it would not be possible to add your own keys to the
keyring without having the private key, and distributing that one would fundamentally
break the public key cryptography security model.

So to solve this issue and since the modules weren't signed anyway, disable
lsm_lockdown and signature checking for now. If you need a locked down kernel,
for now please compile it yourself, enable both features and use your own
keypair so you can safely sign all in-tree and custom built modules and they
can be properly verified.

This also adds a patch for iwlwifi that together with upstream reverts solves
issues with some Intel wifi chipsets.

fixes #18384
fixes #18355
2020-01-19 13:22:44 +01:00
..
files linux5.4: disable lsm_lockdown and add patch for iwlwifi 2020-01-19 13:22:44 +01:00
patches linux5.4: disable lsm_lockdown and add patch for iwlwifi 2020-01-19 13:22:44 +01:00
template linux5.4: disable lsm_lockdown and add patch for iwlwifi 2020-01-19 13:22:44 +01:00