| Message ID | PRAPR10MB54224613640C377A55D8D49580E72@PRAPR10MB5422.EURPRD10.PROD.OUTLOOK.COM |
|---|---|
| State | Accepted, archived |
| Series | doc/user_manual: mention EFI variable access and platform keyring for module signing |
On 20.01.25 19:27, 'Cetin, Gokhan' via isar-users wrote: > Enrolling MOK or importing platform keys is not possible without access to EFI variables. > > Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com> > --- > doc/user_manual.md | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/doc/user_manual.md b/doc/user_manual.md > index 62d16c8c..bb8eb21b 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -1127,7 +1127,15 @@ modprobe example-module > mokutil --import /etc/sb-mok-keys/MOK/MOK.der > ``` > > -Use the previously definded password to enroll the key, then reboot. > +Use the previously defined password to enroll the key, then reboot. > + > +If EFI variable access is disabled on kernel (due to high latencies under RT kernel), > +enrolling will result in failure `EFI variables are not supported on this system`. > +EFI variable access can be enabled by passing `efi=runtime` kernel parameter. > + Not sure if you two discussed that yesterday as well, but Felix and I did: This eventually needs to be addressed in the mainline kernel, likely by permitting efi variable access while still blocking other runtime services. Those are much harder to manage in a running system than efivarfs which could simply be unmounted once the RT job starts and remounted when it is stopped. Jan > +Similarly, in cases where EFI variables are not supported, the system will not be able > +to import the keys defined on the platform in the kernel platform keyring. This will also > +result in kernel modules not being verified if they are signed with one of these platform keys. > > **Boot self-signed image**: >
On Mon, 2025-01-20 at 18:27 +0000, 'Cetin, Gokhan' via isar-users wrote: > Enrolling MOK or importing platform keys is not possible without > access to EFI variables. > > Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com> > --- > doc/user_manual.md | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/doc/user_manual.md b/doc/user_manual.md > index 62d16c8c..bb8eb21b 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -1127,7 +1127,15 @@ modprobe example-module > mokutil --import /etc/sb-mok-keys/MOK/MOK.der > ``` > > -Use the previously definded password to enroll the key, then reboot. > +Use the previously defined password to enroll the key, then reboot. > + > +If EFI variable access is disabled on kernel (due to high latencies > under RT kernel), > +enrolling will result in failure `EFI variables are not supported on > this system`. > +EFI variable access can be enabled by passing `efi=runtime` kernel > parameter. > + > +Similarly, in cases where EFI variables are not supported, the > system will not be able > +to import the keys defined on the platform in the kernel platform > keyring. This will also > +result in kernel modules not being verified if they are signed with > one of these platform keys. > > **Boot self-signed image**: > > -- > 2.39.2 > Applied to next, thanks.
diff --git a/doc/user_manual.md b/doc/user_manual.md index 62d16c8c..bb8eb21b 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -1127,7 +1127,15 @@ modprobe example-module mokutil --import /etc/sb-mok-keys/MOK/MOK.der ``` -Use the previously definded password to enroll the key, then reboot. +Use the previously defined password to enroll the key, then reboot. + +If EFI variable access is disabled on kernel (due to high latencies under RT kernel), +enrolling will result in failure `EFI variables are not supported on this system`. +EFI variable access can be enabled by passing `efi=runtime` kernel parameter. + +Similarly, in cases where EFI variables are not supported, the system will not be able +to import the keys defined on the platform in the kernel platform keyring. This will also +result in kernel modules not being verified if they are signed with one of these platform keys. **Boot self-signed image**:
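Review bot: the added paragraph has two grammar slips that should be fixed before this lands in the manual: `If EFI variable access is disabled on kernel (due to high latencies under RT kernel)` should read `disabled in the kernel (due to high latencies under an RT kernel)`, and `by passing \`efi=runtime\` kernel parameter` needs the article, `the \`efi=runtime\` kernel parameter`. The sentence recommending `efi=runtime` should also state what it trades away: that option turns EFI runtime services back on as a whole, so the latency problem the RT configuration was avoiding returns, and the reader has to decide whether MOK enrollment and platform-key import or RT latency matters more for their image. Lastly, `result in kernel modules not being verified` is ambiguous about the user-visible effect; with module signature enforcement active, a module whose signing key is not in any kernel keyring is rejected at load time rather than loaded unverified, so the text should say that loading fails and that the kernel log shows the key rejection, which lets the reader tell this case apart from a key that was simply never enrolled.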
Enrolling MOK or importing platform keys is not possible without access to EFI variables.

Signed-off-by: Gokhan Cetin <gokhan.cetin@siemens.com>
---
 doc/user_manual.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)