Kernel Unsigned Landing PPA


Kernel Unsigned Landing PPA

José Humberto
Hello

My name is Jose and I want to know why all kernels since 4.14.35 are
unsigned.
Can that be a security problem?
Because we haven't had a signed kernel at the PPA for 2 months and I'm
worried about the problems that this can cause for those who use the kernel
from the official PPA. Problems like unsigned modules or something on UEFI.

Thanks so much

Jose


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Re: Kernel Unsigned Landing PPA

Seth Forshee
On Mon, Jun 25, 2018 at 01:44:56AM -0300, José Humberto wrote:
> Hello
>
> My name is Jose and I want to know why all kernels since 4.14.35 are
> unsigned.

Based on the version I take it you are referring to the mainline builds
at http://kernel.ubuntu.com/~kernel-ppa/mainline/ ?

> Can that be a security problem?
> Because we haven't had a signed kernel at the PPA for 2 months and I'm worried
> about the problems that this can cause for those who use the kernel from the
> official PPA. Problems like unsigned modules or something on UEFI.

I'm not sure what you mean by "official" here. Yes, they are produced by
the Ubuntu kernel team, but only for testing purposes. They are not
supported, and we do not recommend them for everyday use.

To my knowledge those kernels have never been signed. The modules should
be signed with an ephemeral key generated at build time, but that key
would not have a chain of trust for UEFI secure boot, and the kernel
images would not have been signed with that key regardless.

Maybe I'm misunderstanding your question. If so, please clarify.

Seth
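
An added example, not part of the thread or of Ubuntu's tooling: a small parser for the signature trailer that the kernel's module signing appends to a .ko file, useful for checking whether a module from a build carries a signature at all. The sample module bytes and the helper build_sample are constructed for illustration; finding a trailer says nothing about whether the signing key is trusted by UEFI Secure Boot or the running kernel.

```python
import struct

# Marker the kernel looks for at the very end of a signed module file.
MAGIC = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2          # id_type used for PKCS#7 signatures
TRAILER = ">5B3xI"         # algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
TRAILER_LEN = struct.calcsize(TRAILER)  # 12 bytes


def parse_module_signature(blob: bytes):
    """Return trailer details for a signed module image, or None if unsigned."""
    if not blob.endswith(MAGIC):
        return None
    end = len(blob) - len(MAGIC)
    if end < TRAILER_LEN:
        raise ValueError("truncated module_signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = struct.unpack(
        TRAILER, blob[end - TRAILER_LEN:end])
    # Layout from the end: payload | signature | trailer | MAGIC
    sig_start = end - TRAILER_LEN - sig_len - signer_len - key_id_len
    if sig_start < 0:
        raise ValueError("declared signature length exceeds file size")
    return {
        "id_type": id_type,
        "is_pkcs7": id_type == PKEY_ID_PKCS7,
        "sig_len": sig_len,
        "payload_len": sig_start,
        "signature": blob[sig_start:sig_start + sig_len],
    }


def build_sample(payload: bytes, sig: bytes) -> bytes:
    """Constructed test input: payload + fake signature + trailer + marker."""
    trailer = struct.pack(TRAILER, 0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return payload + sig + trailer + MAGIC


if __name__ == "__main__":
    payload = b"\x7fELF-constructed-module-body"   # constructed, not a real module
    signed = build_sample(payload, b"FAKE-PKCS7-BLOB")
    print("signed:", parse_module_signature(signed))
    print("unsigned:", parse_module_signature(payload))
```

The extracted signature bytes are a PKCS#7 structure; whether its signer chains to a key the platform trusts is a separate check against the firmware and kernel keyrings.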
