[PATCH RFC 0/1] module: Optionally use .platform keyring for signatures verification
Eric Snowberg
eric.snowberg at oracle.com
Thu Jun 5 13:35:06 UTC 2025
> On Jun 5, 2025, at 1:54 AM, Vitaly Kuznetsov <vkuznets at redhat.com> wrote:
>
> 'certwrapper' offers _a_ solution, which is great. It may, however, not
> be very convenient to use when a user wants to re-use the same OS image
> (e.g. provided by the distro vendor) for various different use-cases, as
> the proper 'certwrapper' binary needs to be placed on the ESP (and thus
> we'll end up with a bunch of images instead of one). 'db' is different
> because it normally lives outside of the OS disk, so it is possible to
> register the exact same OS image with different properties (e.g. with
> and without a custom cert which allows loading third-party modules).
Could you please provide more details? The kernel module is signed with
a specific key. The 'db' key in the cloud image must match whatever key
was used to sign the kernel module.

Why can't the RPM package that contains the kernel module also include
the required 'certwrapper'? When the RPM is installed, the appropriate
'certwrapper' is placed on the ESP. There can be any number of 'certwrappers'
in the ESP. Doesn't this solution address the issue?