Enabling third-party modules in a secure boot environment

You can enable third-party kernel modules by uploading their public-key certificates.

About this task

When Linux® is booted in secure boot mode, kernel module signature verification is enforced automatically. To verify module signatures, current Linux distributions use only the public keys held in the kernel's platform and built-in keyrings.


Kernel modules supplied by third-party vendors therefore cannot be loaded, even when they are correctly signed, unless the vendor's public key is contained in the kernel platform keyring.

Procedure

  1. To enable loading of signed third-party kernel modules, upload the corresponding third-party public key certificate to the IBM Z HMC.
    Use the Secure Boot Certificate management task, in the same way as Linux distributor certificates are uploaded.
  2. Reboot Linux.

Results

During boot, the third-party key is added to the Linux platform keyring, from which it is used to verify kernel module signatures.
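The following script is an added example, not part of the IBM documentation or of any distribution's tooling. It shows how an administrator can confirm, from inside Linux after the reboot, that the procedure above had the intended effect: that the IPL was performed in secure mode, that module signature enforcement is active, and that the vendor's signing key is linked into the .platform keyring, matching the signer recorded in the module itself. The sysfs paths /sys/firmware/ipl/secure and /sys/module/module/parameters/sig_enforce, the keyctl and modinfo invocations, and the sample keyring listing are assumptions made for this example; the sample keys are constructed and not real.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): verify the outcome of the
# HMC certificate upload from the Linux side.

# Constructed sample in the format printed by `keyctl show %:.platform`
# (the key IDs are made up; they are not real certificates).
SAMPLE_PLATFORM_KEYRING='Keyring
 123456789 ---lswrv      0     0  keyring: .platform
 234567890 ---lswrv      0     0   \_ asymmetric: Example Distro Secure Boot CA: 0123456789abcdef0123456789abcdef01234567
 345678901 ---lswrv      0     0   \_ asymmetric: Example Vendor Module Signing Key: 89abcdef0123456789abcdef0123456789abcdef'

# Return 0 if an asymmetric key whose description contains SUBJECT is present
# in KEYRING_TEXT (text in `keyctl show` format); keyring header lines are
# ignored so only real key entries can match.
platform_has_key() {
    subject="$1"
    keyring_text="$2"
    printf '%s\n' "$keyring_text" |
        awk -v s="$subject" '/asymmetric:/ && index($0, s) { found = 1 } END { exit !found }'
}

# Read a single-value sysfs/procfs file; print "unknown" if it does not exist
# (for example on a non-s390x host or an older kernel).
read_state() {
    if [ -r "$1" ]; then tr -d '\n' < "$1"; else printf 'unknown'; fi
}

# Report the two kernel facts the rest of the check depends on:
# /sys/firmware/ipl/secure is 1 when the s390x IPL was performed in secure mode,
# /sys/module/module/parameters/sig_enforce is Y when untrusted modules are rejected.
secure_boot_summary() {
    printf 'secure IPL: %s\n' "$(read_state /sys/firmware/ipl/secure)"
    printf 'module sig_enforce: %s\n' "$(read_state /sys/module/module/parameters/sig_enforce)"
}

# Live check against the running kernel (needs keyutils and kmod):
# derive the signer subject from the module's own signature, look for it in
# the .platform keyring, then let the kernel's verification decide on load.
check_module_key() {
    module="$1"
    secure_boot_summary
    signer="$(modinfo -F signer "$module" 2>/dev/null)"
    if [ -z "$signer" ]; then
        printf 'module %s carries no signature information\n' "$module"
        return 1
    fi
    if platform_has_key "$signer" "$(keyctl show %:.platform 2>/dev/null)"; then
        printf 'signer "%s" is in the .platform keyring\n' "$signer"
    else
        printf 'signer "%s" NOT in .platform: check the HMC certificate upload and reboot\n' "$signer"
        return 1
    fi
    modprobe "$module" && printf 'module %s loaded\n' "$module"
}

# Usage: sh check_vendor_key.sh <module-name>
if [ -n "${1:-}" ]; then
    check_module_key "$1"
fi
```

Without an argument the script only defines its functions, so platform_has_key can be exercised against the constructed listing; with a module name it runs the live check, and a non-zero exit means either the key did not reach the platform keyring or the kernel refused the module.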