From: Valdis Klētnieks
To: Gidi Gal
Cc: Aruna Hewapathirane, kernelnewbies@kernelnewbies.org
Subject: Re: "Invalid signature" issue on dev kernel launch
Date: Wed, 24 Mar 2021 11:17:57 -0400
Message-ID: <109999.1616599077@turing-police>

On Wed, 24 Mar 2021 14:58:05 +0200, you said:

> What kind of changes in the kernel require testing with valid signatures ?

Pretty much only changes that affect module signing. If your threat model
doesn't include "hacker sticks rogue module on your box and gets it loaded
to install backdoor", you can turn off module signing on your self-compiled
kernels. Distros don't do that, because those kernels *do* get installed on
high-value targets where "hacker installs backdoor kernel module" is very
much part of the threat model.

Conversely, you can get secure boot to work with self-compiled kernels, but
you have to create a local trusted signature, feed it to the bios/efi, then
sign grub2 with that signature, and then lather/rinse repeat, telling grub2
about a certificate used to sign the kernel, and then enable kernel module
signing. Very much a "some assembly required" procedure, and you have to
remember to re-sign grub2 whenever it's updated.
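
As an added example (not part of the original message), the shell function below reports which module-signing position a kernel build is in, based on its `.config` and boot command line. The function name `modsig_posture` and the sample configs are constructed for illustration; kernel lockdown is not modelled.

```shell
#!/bin/sh
# modsig_posture CONFIG_FILE [CMDLINE]   (hypothetical helper name)
# Prints one of:
#   disabled   - CONFIG_MODULE_SIG is off: module signatures are never checked
#   permissive - signatures are checked, but unsigned modules still load
#                (the kernel is marked tainted)
#   enforced   - modules without a valid signature are refused
modsig_posture() {
    cfg=$1
    cmdline=${2:-}
    # Kconfig writes enabled bools as "CONFIG_X=y"; disabled ones only appear
    # as "# CONFIG_X is not set", so an anchored match is enough.
    if ! grep -q '^CONFIG_MODULE_SIG=y$' "$cfg"; then
        echo disabled
        return 0
    fi
    if grep -q '^CONFIG_MODULE_SIG_FORCE=y$' "$cfg"; then
        echo enforced
        return 0
    fi
    # module.sig_enforce on the kernel command line enables enforcement at boot.
    case " $cmdline " in
        *" module.sig_enforce=1 "*|*" module.sig_enforce "*) echo enforced ;;
        *) echo permissive ;;
    esac
}

# Constructed sample configs, not taken from any real host.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# CONFIG_MODULE_SIG is not set' > "$SAMPLE_DIR/selfbuilt.config"
printf '%s\n' 'CONFIG_MODULE_SIG=y' '# CONFIG_MODULE_SIG_FORCE is not set' \
    'CONFIG_MODULE_SIG_ALL=y' > "$SAMPLE_DIR/permissive.config"
printf '%s\n' 'CONFIG_MODULE_SIG=y' 'CONFIG_MODULE_SIG_FORCE=y' \
    > "$SAMPLE_DIR/forced.config"

for name in selfbuilt permissive forced; do
    printf '%-20s %s\n' "$name" "$(modsig_posture "$SAMPLE_DIR/$name.config")"
done
printf '%-20s %s\n' 'permissive+cmdline' \
    "$(modsig_posture "$SAMPLE_DIR/permissive.config" 'ro quiet module.sig_enforce=1')"
```

On a running system the same function can be pointed at the installed kernel's config file and the contents of `/proc/cmdline`.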