Pre-flight checklist
Request type
Summary
linux-cachyos builds with IMA disabled (`# CONFIG_IMA is not set` and `# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set`). With those off, arch_ima_get_secureboot() is a stub that always returns false (include/linux/ima.h), so load_uefi_certs() in security/integrity/platform_certs/load_uefi.c returns before load_moklist_certs() and MOK keys are never loaded into the .machine keyring:

```c
	/* the MOK/MOKx can not be trusted when secure boot is disabled */
	if (!arch_ima_get_secureboot())
		return 0;
```

The result is that MOK-signed kernel modules can't be loaded under Secure Boot.
Proposed change: enable the same options the Fedora packaging already uses —
CONFIG_IMA, CONFIG_IMA_APPRAISE, CONFIG_IMA_APPRAISE_BOOTPARAM, CONFIG_IMA_ARCH_POLICY, CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT. On EFI x86, IMA_SECURE_AND_OR_TRUSTED_BOOT is implied once IMA + IMA_ARCH_POLICY are on.
Motivation / use case
With Secure Boot on (lockdown=integrity), DKMS modules (openrazer-dkms, nvidia-dkms, etc.) signed with the DKMS MOK key fail to load even after the key is enrolled and trusted:
```
modprobe: ERROR: could not insert 'razerkbd': Operation not permitted
Lockdown: modprobe: unsigned module loading is restricted
```
The key is enrolled and trusted (mokutil --list-enrolled and mokutil --trust-mok confirm it), but .machine stays empty. dmesg shows the UEFI:db certs loading into .platform but no UEFI:MokListRT line, even though MokListRT and MokListTrustedRT are present in the mokvar table. Enabling IMA fixes it.
This does not add a new module-signing requirement: the x86 secure-boot IMA policy only adds appraise func=MODULE_CHECK/KEXEC_KERNEL_CHECK rules when MODULE_SIG/KEXEC_SIG are off, and both are already enabled, so only measurement rules are added.
Patch / upstream reference
Already reported and fixed for the Fedora packaging in copr-linux-cachyos:
That commit enabled IMA in the .spec files; the Arch PKGBUILD never got the same change.
PR with the fix (all kernel variants): #863
Testing / benchmarks
Rebuilt linux-cachyos 7.0.10-2 with these options enabled. After reboot, .machine contains the DKMS key, dmesg shows Loading X.509 certificate: UEFI:MokListRT (MOKvar table), and the modules that were blocked now load. nvidia is unaffected (it's signed by the in-kernel build key, not the MOK).
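An added diagnostic script (not part of this report or the CachyOS repository) that ties the two observations above together: it checks a kernel config for the IMA options named in the summary and a dmesg excerpt for the `UEFI:MokListRT` line that appears only once the fix is in place. The config and dmesg samples inside it are constructed from the symptoms described here.

```shell
# Added diagnostic (not from the issue or the CachyOS repo). Checks the two facts
# the report ties together: the IMA options in a kernel config and whether dmesg
# recorded MOK certificates being loaded into the .machine keyring.
IMA_OPTS="CONFIG_IMA CONFIG_IMA_ARCH_POLICY CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT"

# missing_ima_opts CONFIG_FILE: print options from IMA_OPTS that are not =y.
# Exit 0 when none is missing, 1 otherwise.
missing_ima_opts() {
  _missing=""
  for _opt in $IMA_OPTS; do
    grep -q "^${_opt}=y$" "$1" || _missing="$_missing $_opt"
  done
  [ -z "$_missing" ] && return 0
  printf '%s\n' "${_missing# }"
  return 1
}

# mok_certs_loaded DMESG_FILE: exit 0 when load_moklist_certs() ran, i.e. the
# "UEFI:MokListRT" line the report says is absent is present.
mok_certs_loaded() {
  grep -q 'X\.509 certificate: UEFI:MokListRT' "$1"
}

# diagnose CONFIG_FILE DMESG_FILE: 0 = MOK keys loaded, 1 = not loaded and the
# config explains why (arch_ima_get_secureboot() is a stub), 2 = other cause.
diagnose() {
  if mok_certs_loaded "$2"; then
    echo "ok: MOK certificates loaded into .machine"; return 0
  fi
  if _m=$(missing_ima_opts "$1"); then
    echo "MOK certs not loaded although IMA options are set; check sb-state"; return 2
  fi
  echo "MOK certs not loaded: IMA stub path taken, missing: $_m"; return 1
}

# Constructed sample inputs: the shipped config with a dmesg excerpt lacking the
# MokListRT line, next to the proposed config and the dmesg the fix produces.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '%s\n' 'CONFIG_MODULE_SIG=y' '# CONFIG_IMA is not set' \
  '# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set' > "$TMP/config.cachyos"
printf '%s\n' 'CONFIG_MODULE_SIG=y' 'CONFIG_IMA=y' 'CONFIG_IMA_ARCH_POLICY=y' \
  'CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y' > "$TMP/config.fixed"
printf '%s\n' 'integrity: Loading X.509 certificate: UEFI:db' \
  'Lockdown: modprobe: unsigned module loading is restricted' > "$TMP/dmesg.before"
printf '%s\n' 'integrity: Loading X.509 certificate: UEFI:db' \
  'integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)' > "$TMP/dmesg.after"

# On a live system: zcat /proc/config.gz > cfg; dmesg > log; diagnose cfg log
for pair in "config.cachyos dmesg.before" "config.fixed dmesg.after"; do
  set -- $pair
  diagnose "$TMP/$1" "$TMP/$2" || echo "  -> exit status $?"
done
```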