Package: src:linux
Version: 5.2.9-2
Severity: important

Dear Maintainer,
I've updated the kernel from 4.19 to 5.2 and the kernel stopped accepting modules signed with the MOK key.

I have secure boot enabled on my system and enrolled a generated MOK key. I use some out-of-tree modules that use DKMS. In the previous version of the kernel I was signing those modules with the MOK key and they loaded just fine, as the MOK key was loaded into the trusted keyring in the kernel.

After the kernel update, the MOK key gets inserted into the .platform keyring (I see CONFIG_INTEGRITY_PLATFORM_KEYRING is set to true in the kernel config), which apparently isn't used for validation of module signatures, so I'm unable to load MOK-signed modules.

I would expect this to still work, as the only option I have right now for using DKMS modules is building and using my own kernel image... This is also the method described in https://wiki.debian.org/SecureBoot.

I've found this related bug in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1701096. There are some links to upstream patches, but I've just checked linux master and kernel/module_signing.c is still using only secondary_trusted_keyring and builtin_trusted_keyring to verify module signatures.

Thank you,
Marek Rusinowski
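A diagnostic sketch for the situation reported above, added here as an example and not part of the original report: it takes `keyctl show` listings and tells whether a module's signer key sits in a keyring used for module verification or only in `.platform`. The function names, key names and key IDs are constructed for illustration; the keyring names `.builtin_trusted_keys` and `.secondary_trusted_keys` are the userspace names of the two keyrings the report mentions.

```shell
#!/bin/sh
# Added example, not from the bug report. Classifies a module signer by the
# kernel keyring that holds its key, using `keyctl show` style listings.

# Constructed sample: concatenated `keyctl show %:<keyring>` output for three
# keyrings, shaped like the 5.2 system in the report. IDs and names are made up.
SAMPLE_KEYRINGS='Keyring
 111111111 ---lswrv      0     0  keyring: .builtin_trusted_keys
 222222222 ---lswrv      0     0   \_ asymmetric: Example Distro kernel build key: 0a0b0c0d
Keyring
 333333333 ---lswrv      0     0  keyring: .secondary_trusted_keys
 111111111 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 222222222 ---lswrv      0     0       \_ asymmetric: Example Distro kernel build key: 0a0b0c0d
Keyring
 444444444 ---lswrv      0     0  keyring: .platform
 555555555 ---lswrv      0     0   \_ asymmetric: Example MOK DKMS signing key: 1a2b3c4d'

# Print the top-level keyring of every listing that contains the signer.
# $1 = signer name (e.g. from `modinfo -F signer`), stdin = keyctl show output
keyrings_holding() {
    awk -v signer="$1" '
        /keyring: / && !/\\_/ { top = $NF }          # listing root, not a nested link
        /asymmetric: / && index($0, signer) { print top }
    ' | sort -u
}

# Per the report, module signatures on 5.2 are checked against the built-in
# and secondary trusted keyrings only; a key held solely in .platform does
# not validate modules.
# $1 = signer name, $2 = keyctl show output
module_signer_verdict() {
    held=$(printf '%s\n' "$2" | keyrings_holding "$1")
    case "$held" in
        *.builtin_trusted_keys*|*.secondary_trusted_keys*) echo trusted ;;
        *.platform*) echo platform-only ;;
        *) echo absent ;;
    esac
}

# Run against the constructed sample: the MOK key is found only in .platform.
module_signer_verdict 'Example MOK DKMS signing key' "$SAMPLE_KEYRINGS"
```

On a live system, the second argument would be the combined output of `keyctl show %:.builtin_trusted_keys`, `keyctl show %:.secondary_trusted_keys` and `keyctl show %:.platform`, run as root.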