| |
@@ -87,7 +87,7 @@
|
| |
else
|
| |
if [ ${loaded} -ne "0" ]
|
| |
then
|
| |
- echo "Successfully enforced signed module"
|
| |
+ echo "Unsigned module load failed in enforcing mode"
|
| |
else
|
| |
echo "Unsigned module loaded in enforcing mode"
|
| |
rmmod minix
|
| |
@@ -98,7 +98,7 @@
|
| |
# cleanup
|
| |
rm ./minix.ko
|
| |
|
| |
- return ${pass}
|
| |
+ return ${fail}
|
| |
}
|
| |
|
| |
modsign_third_party()
|
| |
@@ -110,13 +110,13 @@
|
| |
modsign=0
|
| |
if [ -f /proc/keys ]
|
| |
then
|
| |
- cat /proc/keys | grep system_keyring &> /dev/null
|
| |
+ cat /proc/keys | grep builtin_trusted_keys &> /dev/null
|
| |
if [ $? -ne "0" ]
|
| |
then
|
| |
echo Module signing not enabled
|
| |
exit 3
|
| |
fi
|
| |
- keyring=`cat /proc/keys | grep system_keyring | cut -f 1 -d " "`
|
| |
+ keyring=`cat /proc/keys | grep builtin_trusted_keys | cut -f 1 -d " "`
|
| |
keyctl list 0x${keyring} | grep "Fedora kernel signing key" &> /dev/null
|
| |
if [ $? == "0" ]
|
| |
then
|
| |
@@ -139,6 +139,14 @@
|
| |
|
| |
enforcing=`cat /sys/module/module/parameters/sig_enforce`
|
| |
|
| |
+ # SecureBoot should enforce requirement of valid module signatures regardless of sig_enforce.
|
| |
+ # Check that SecureBoot is enabled in EFI variables
|
| |
+ secureboot=`od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | awk ' { print $5 } '`
|
| |
+ if [ "$secureboot" == "1" ]
|
| |
+ then
|
| |
+ enforcing="Y"
|
| |
+ fi
|
| |
+
|
| |
# Make sure we actually have signed modules and that they load
|
| |
modsign_check_modules
|
| |
|
| |
pessoft
commented 6 years ago