On Mon, 2024-07-08 at 05:29 +0200, Christoph Anton Mitterer wrote:
> Hello there.
>
>
> I just wondered whether it has even been considered to make just one
> package which contains the actual kernel+modules, and another one that
> contains the signatures?
Yes, I experimented with this in early 2016 and it didn't work well.

> I'm not an expert when it comes to the binary layout of that, but
> AFAIU, the modules are anyway the same between the signed/unsigned
> versions.

This is true now. Originally the modules were signed separately from
the kernel build, so there was much less duplication between the signed
and unsigned binary packages.

> The vmlinuz between signed/unsigned is mostly the same (guess the main
> difference is the appended signature).
>
>
> So what if there were e.g.:
> - ONLY linux-image-6.9.7-amd64 (and no -unsigned counterpart) which is
> actually unsigned
> - linux-image-6.9.7-amd64-signature
> which contains the information to patch the vmlinuz from
> linux-image-6.9.7-amd64 to one that supports secureboot

Patching at installation time would be tricky to get right. In my
experiment I changed kmod to read detached signatures at load time, so
module files didn't have to be changed. I couldn't rely on making the
same sort of change to boot loaders, so I duplicated vmlinuz.

[...]

> Disadvantages or open questions would probably at least be:
> - How to make sure that people who actually use secureboot, don't
> upgrade to the then unsigned kernel when the -signature is still
> missing?

And when the new linux-image (unsigned) package is installed, how will
its postinst decide whether it should call postinst hooks immediately or
leave that to the signature package?

> - Would there be then two vmlinuz files (one with, one without
> signature?
> If so, possible chances for confusion and probably a lot code would
> need to be adapted to cope with that (like grub scripts or so?).
> If not, at least things like debsums would fail (once the signature
> would have been binary patched).

[...]

I think there have to be two complete vmlinuz files in separate
packages. But the modules etc. could go in a third package that those
both depend on.
If we want to allow installing new unsigned linux-image packages
automatically then there's still a need for some mechanism to avoid
accidental installation of a newer unsigned linux-image on a system that
needs them to be signed.

Ben.

-- 
Ben Hutchings
Who are all these weirdos? - David Bowie, on joining IRC
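The thread above turns on the fact that a signed module is the unsigned module plus an appended trailer, which is what makes a detached-signature scheme conceivable. The following is an added example, not code from the thread or from the Debian kernel packaging: it splits a module into payload and appended signature, and re-attaches one, using the layout the kernel's scripts/sign-file.c writes (payload, PKCS#7 DER blob, 12-byte struct module_signature from include/linux/module_signature.h, then the magic string). The sample module bytes and the signature blob are constructed stand-ins, not a real PKCS#7 message, so this only shows the packaging-relevant structure, not cryptographic verification.

```python
"""Split/join a kernel module and its appended signature (added example)."""
import struct

# Magic string that terminates a signed module (kernel: module_signature.h).
MAGIC = b"~Module signature appended~\n"

# struct module_signature, big-endian:
#   u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len;
#   u8 __pad[3]; __be32 sig_len;
SIG_INFO = struct.Struct(">BBBBB3sI")
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for modules


def split_signed_module(data: bytes):
    """Return (payload, signature); signature is None if data is unsigned.

    Performs the same sanity checks the kernel's mod_check_sig() does on
    the trailer, but does NOT verify the PKCS#7 signature itself.
    """
    if not data.endswith(MAGIC):
        return data, None
    body = data[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module_signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, _pad, sig_len = \
        SIG_INFO.unpack(body[-SIG_INFO.size:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unsupported key identifier type {id_type}")
    if algo or hash_ or signer_len or key_id_len:
        # These legacy fields must be zero for PKCS#7-signed modules.
        raise ValueError("unexpected non-zero legacy fields in trailer")
    rest = body[:-SIG_INFO.size]
    if sig_len > len(rest):
        raise ValueError("sig_len exceeds module size")
    payload = rest[:len(rest) - sig_len]
    signature = rest[len(rest) - sig_len:]
    return payload, signature


def append_signature(payload: bytes, signature: bytes) -> bytes:
    """Produce the signed-module layout from a payload and a signature blob."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(signature))
    return payload + signature + info + MAGIC


def same_payload(unsigned: bytes, signed: bytes) -> bool:
    """True if the signed module differs from the unsigned one only by its trailer."""
    return split_signed_module(signed)[0] == split_signed_module(unsigned)[0]


if __name__ == "__main__":
    # Constructed sample: a fake ELF-looking payload and a fake DER blob.
    payload = b"\x7fELF" + b"constructed module body"
    fake_sig = b"\x30\x82\x01\x00" + b"C" * 60
    signed = append_signature(payload, fake_sig)
    body, sig = split_signed_module(signed)
    print("signed size:", len(signed), "payload size:", len(body),
          "sig size:", len(sig), "same payload:", same_payload(payload, signed))
```

Because the trailer is the only difference, a packaging scheme that ships the payload once and the signature blob separately is structurally possible for modules; as the thread notes, the hard part is that the loader (kmod, or the boot loader for vmlinuz) has to know to re-combine them at load time.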