
[RFC,2/2] docs: Update kernel-parameters.txt for signature verification enhancement

Message ID: 20230914112739.112729-3-alessandro.carminati@gmail.com (mailing list archive)
State: New, archived
Series: Enhancing Boot Speed and Security with Delayed Module Signature Verification

Commit Message

Alessandro Carminati (Red Hat) Sept. 14, 2023, 11:27 a.m. UTC
Update kernel-parameters.txt to reflect new deferred signature
verification.
Enhances boot speed by allowing unsigned modules in initrd after
bootloader check.

Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
---
 Documentation/admin-guide/kernel-parameters.txt | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Randy Dunlap Sept. 15, 2023, 3:59 p.m. UTC | #1
On 9/14/23 04:27, Alessandro Carminati (Red Hat) wrote:
> Update kernel-parameters.txt to reflect new deferred signature
> verification.
> Enhances boot speed by allowing unsigned modules in initrd after
> bootloader check.
> 
> Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
> ---
>  Documentation/admin-guide/kernel-parameters.txt | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 0c38a8af95ce..beec86f0dd05 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -3410,6 +3410,15 @@
>  			Note that if CONFIG_MODULE_SIG_FORCE is set, that
>  			is always true, so this option does nothing.
>  
> +	module_sig_check_wait=
> +			This parameter enables delayed activation of module
> +			signature checks, deferring the process until userspace
> +			triggers it. Once activated, this setting becomes
> +			permanent and cannot be reversed. This feature proves
> +			valuable for incorporating unsigned modules within
> +			initrd, especially after bootloader verification.
> +			By employing this option, boot times can be quicker.
> +

Please keep the entries here in alphabetical order.
This new entry should be after module_blacklist, not before it.
Thanks.

>  	module_blacklist=  [KNL] Do not load a comma-separated list of
>  			modules.  Useful for debugging problem modules.
>
Prarit Bhargava Nov. 8, 2023, 3:33 p.m. UTC | #2
On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote:
> Update kernel-parameters.txt to reflect new deferred signature
> verification.
> Enhances boot speed by allowing unsigned modules in initrd after
> bootloader check.
> 
> Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
> ---
>   Documentation/admin-guide/kernel-parameters.txt | 9 +++++++++
>   1 file changed, 9 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 0c38a8af95ce..beec86f0dd05 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -3410,6 +3410,15 @@
>   			Note that if CONFIG_MODULE_SIG_FORCE is set, that
>   			is always true, so this option does nothing.
>   
> +	module_sig_check_wait=
> +			This parameter enables delayed activation of module
> +			signature checks, deferring the process until userspace
> +			triggers it. Once activated, this setting becomes
> +			permanent and cannot be reversed. This feature proves
> +			valuable for incorporating unsigned modules within
> +			initrd, especially after bootloader verification.
> +			By employing this option, boot times can be quicker.
> +

Please keep these in alphabetical order.

Would making the kernel-parameters.txt warning a little bit more 
informative be a good thing?  This should only be used in environments 
where some other signature verification method is employed.

Also, for future reference, it would be good to have hard numbers to 
show the boot time improvement in the changelog.

P.

>   	module_blacklist=  [KNL] Do not load a comma-separated list of
>   			modules.  Useful for debugging problem modules.
>
Alessandro Carminati (Red Hat) Nov. 9, 2023, 10:40 a.m. UTC | #3
Hello Prarit,

On Wed, 8 Nov 2023 at 16:33, Prarit Bhargava
<prarit@redhat.com> wrote:
>
> On 9/14/23 07:27, Alessandro Carminati (Red Hat) wrote:
> > Update kernel-parameters.txt to reflect new deferred signature
> > verification.
> > Enhances boot speed by allowing unsigned modules in initrd after
> > bootloader check.
> >
> > Signed-off-by: Alessandro Carminati (Red Hat) <alessandro.carminati@gmail.com>
> > ---
> >   Documentation/admin-guide/kernel-parameters.txt | 9 +++++++++
> >   1 file changed, 9 insertions(+)
> >
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index 0c38a8af95ce..beec86f0dd05 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -3410,6 +3410,15 @@
> >                       Note that if CONFIG_MODULE_SIG_FORCE is set, that
> >                       is always true, so this option does nothing.
> >
> > +     module_sig_check_wait=
> > +                     This parameter enables delayed activation of module
> > +                     signature checks, deferring the process until userspace
> > +                     triggers it. Once activated, this setting becomes
> > +                     permanent and cannot be reversed. This feature proves
> > +                     valuable for incorporating unsigned modules within
> > +                     initrd, especially after bootloader verification.
> > +                     By employing this option, boot times can be quicker.
> > +
>
> Please keep these in alphabetical order.
>
> Would making the kernel-parameters.txt warning a little bit more
> informative be a good thing?  This should only be used in environments
> where some other signature verification method is employed.
>
> Also, for future reference, it would be good to have hard numbers to
> show the boot time improvement in the changelog.
I'll do the necessary adjustments in the v2, thank you for your feedback.
>
> P.
>
> >       module_blacklist=  [KNL] Do not load a comma-separated list of
> >                       modules.  Useful for debugging problem modules.
> >
>

Patch

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index 0c38a8af95ce..beec86f0dd05 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -3410,6 +3410,15 @@ 
 			Note that if CONFIG_MODULE_SIG_FORCE is set, that
 			is always true, so this option does nothing.
 
+	module_sig_check_wait=
+			This parameter enables delayed activation of module
+			signature checks, deferring the process until userspace
+			triggers it. Once activated, this setting becomes
+			permanent and cannot be reversed. This feature proves
+			valuable for incorporating unsigned modules within
+			initrd, especially after bootloader verification.
+			By employing this option, boot times can be quicker.
+
 	module_blacklist=  [KNL] Do not load a comma-separated list of
 			modules.  Useful for debugging problem modules.
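Review bot: the new module_sig_check_wait= entry omits the two facts an administrator needs to judge the risk of this option: which userspace interface triggers the activation, and that every module loaded before that trigger fires (in practice, everything in the initrd) is loaded without any kernel-side signature check. The entry should state that plainly and, as Prarit suggested, say that the option is only appropriate where the initrd's integrity is already established by another mechanism such as bootloader verification of the initrd image, rather than hinting at it with "especially after bootloader verification". It should also say how the option interacts with CONFIG_MODULE_SIG_FORCE, since the preceding entry explains that this config makes enforcement unconditional. Smaller points: the entry lacks the `[KNL]` tag that its neighbour `module_blacklist=  [KNL] Do not load ...` carries; it is inserted before `module_blacklist=` although this file is kept in alphabetical order, so it belongs after that entry; "Once activated, this setting becomes permanent and cannot be reversed" reads as if the waiting is permanent when the point is that verification cannot be switched off once enabled, so rephrase along the lines of "Once signature checking has been enabled it cannot be disabled again"; and "boot times can be quicker" should either quote a measured figure or be dropped.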