kernel-6.7.0: New SHA3 module encryption option. [solved]

[CaptainBlood]

External modules have been signed here with;

[CaptainBlood]

[NathanZachary]

Pardon the ancillary question, but what was your process for having the scripts/sign-file utility available? I don't have that in =sys-kernel/gentoo-sources-6.7.4.

Thank you for your time.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---

[NathanZachary]

Hmmmm, looking further into the problem, it might be that I don't have 'CONFIG_MODULE_SIG' set. I wonder if that option toggles the availability of the 'sign-file' script? I would imagine that enabling this option by itself (without 'CONFIG_SECURITY_LOCKDOWN_LSM') would still allow for unsigned modules to load and could fall back on the Secure Boot policy in UEFI.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---

[pietinger]

[NathanZachary]

Got it. So, I should be able to check whether 'CONFIG_MODULE_SIG' gives me the `sign-file` script without running the risk of module signatures being enforced. I'll give it a try, and will report my findings. Thank you for confirming.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---

[NathanZachary]

I have confirmed that 'CONFIG_MODULE_SIG' is the necessary kernel option that will build the `sign-file` script under /usr/src/$KERNEL/scripts/. It's also responsible for generating the build-time kernel signing key and the .builtin_trusted_keys keyring (which is built at boot time).
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---