Copy kmod signing key from ~canonical-signing/ubuntu/primary to ~canonical-signing/ubuntu/fips

Asked by Andy Whitcroft on 2021-04-08

Kernels for FIPS (linux-*fips) are signed with a different EFI master key and therefore pass through a different signing PPA (~canonical-signing/ubuntu/fips). However, support for loading externally signed modules (those signed with the Canonical Kernel Module key), such as Nvidia, uses a common module signing key. It is possible to handle this with the existing PPA setup, passing linux{,-.signed}-fips through the fips signing PPA and linux-restricted-{generate,signatures} through the primary signing PPA, but this greatly complicates routing these packages.

It should be noted that a module signed with the drivers key can still only be loaded into the specific kernel for which it is compiled, as we have (the recommended) MODVERSION configuration enabled. So there is no risk of these semi-private artifacts being loaded into our public kernels.

Could we get the KMOD key for the ~canonical-signing/ubuntu/fips PPA pointed to the same key as ~canonical-signing/ubuntu/primary?

Colin Watson (cjwatson) said : #1

