
Commit b1859a6

committed
fix: enable IMA so MOK-signed modules load under Secure Boot
linux-cachyos builds with IMA disabled, so arch_ima_get_secureboot() is a stub that returns false and load_uefi_certs() returns before load_moklist_certs(). MOK keys are never loaded into the .machine keyring, so MOK-signed modules (DKMS: openrazer, nvidia-dkms, etc.) cannot load under Secure Boot. Enable IMA across all kernel variants, matching the Fedora packaging fix in copr-linux-cachyos (a0407947). On EFI x86, IMA_SECURE_AND_OR_TRUSTED_BOOT is implied once IMA + IMA_ARCH_POLICY are set. No new module-signing requirement is added: the x86 secure-boot IMA policy only adds appraise rules when MODULE_SIG/KEXEC_SIG are off, and both are already enabled, so only measurement rules are added. Closes #862
1 parent 1d38a1c commit b1859a6

10 files changed

Lines changed: 110 additions & 0 deletions


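--- a/linux-cachyos-bmq/PKGBUILD
+++ b/linux-cachyos-bmq/PKGBUILD
@@ -288,6 +288,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;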
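Review bot: The new scripts/config call sets only the IMA symbols, but the comment's claim that MOK keys end up in the .machine keyring also depends on CONFIG_INTEGRITY_MACHINE_KEYRING (and CONFIG_SECONDARY_TRUSTED_KEYRING, so that .machine is linked for module verification) being enabled in the inherited config, and at runtime on the MOK list being marked trusted via MokListTrustedRT (`mokutil --trust-mok`); as I read load_uefi.c, without those the keys fall through to .platform and MOK-signed modules still fail. The IMA default hash is likewise left to olddefconfig, which upstream resolves to SHA1 for the measurement list and PCR extension unless CONFIG_IMA_DEFAULT_HASH_SHA256 is chosen. To make the block self-contained, add `-e CONFIG_INTEGRITY_MACHINE_KEYRING \` and `-e CONFIG_IMA_DEFAULT_HASH_SHA256 \` to the same call, and extend the comment with a sentence naming the `mokutil --trust-mok` prerequisite so the #862 reporters can tell why an enrolled key may still be ignored. prepare() continues outside the hunk. The identical hunk appears in the other nine PKGBUILDs (bore, deckify, eevdf, hardened, lts, rc, rt-bore, server, linux-cachyos), so the same applies there.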

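--- a/linux-cachyos-bore/PKGBUILD
+++ b/linux-cachyos-bore/PKGBUILD
@@ -288,6 +288,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;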

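--- a/linux-cachyos-deckify/PKGBUILD
+++ b/linux-cachyos-deckify/PKGBUILD
@@ -289,6 +289,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;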

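--- a/linux-cachyos-eevdf/PKGBUILD
+++ b/linux-cachyos-eevdf/PKGBUILD
@@ -291,6 +291,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;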

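--- a/linux-cachyos-hardened/PKGBUILD
+++ b/linux-cachyos-hardened/PKGBUILD
@@ -288,6 +288,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;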
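Review bot: For the hardened variant, CONFIG_IMA_APPRAISE_BOOTPARAM is an unnecessary knob: it lets `ima_appraise=off|log|fix` on the kernel command line relax appraisal, while the stated goal of this hunk (getting MOK keys onto .machine) needs none of that. If I read upstream ima_appraise.c correctly the parameter is ignored once booted under Secure Boot, so the exposure is limited to non-Secure-Boot boots where the arch policy installs no rules anyway, but a hardened config should still not carry it. Dropping the line `-e CONFIG_IMA_APPRAISE_BOOTPARAM \` from this file keeps the option set minimal; whether the other nine variants keep it is a policy choice worth stating in the comment.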

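--- a/linux-cachyos-lts/PKGBUILD
+++ b/linux-cachyos-lts/PKGBUILD
@@ -287,6 +287,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;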

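--- a/linux-cachyos-rc/PKGBUILD
+++ b/linux-cachyos-rc/PKGBUILD
@@ -332,6 +332,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;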

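--- a/linux-cachyos-rt-bore/PKGBUILD
+++ b/linux-cachyos-rt-bore/PKGBUILD
@@ -291,6 +291,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;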

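--- a/linux-cachyos-server/PKGBUILD
+++ b/linux-cachyos-server/PKGBUILD
@@ -288,6 +288,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;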

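--- a/linux-cachyos/PKGBUILD
+++ b/linux-cachyos/PKGBUILD
@@ -328,6 +328,17 @@ prepare() {
 scripts/config -e CACHY
 fi
 
+### Enable Secure Boot support (load MOK keys into the .machine keyring)
+# Without IMA, arch_ima_get_secureboot() is a stub returning false, so
+# load_uefi_certs() returns before load_moklist_certs() and MOK-signed
+# modules cannot load under Secure Boot. Mirrors the Fedora packaging
+# (copr-linux-cachyos commit a0407947). See #862.
+scripts/config -e CONFIG_IMA \
+-e CONFIG_IMA_APPRAISE \
+-e CONFIG_IMA_APPRAISE_BOOTPARAM \
+-e CONFIG_IMA_ARCH_POLICY \
+-e CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
+
 ### Selecting the CPU scheduler
 case "$_cpusched" in
 cachyos|bore|hardened) scripts/config -e SCHED_BORE;;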
