If this is off (ie. "permissive"), then modules for which the key is not
available and modules that are unsigned are permitted, but the kernel will
be marked as being tainted, and the concerned modules will be marked as
- tainted, shown with the character 'X'.
+ tainted, shown with the character 'E'.
If this is on (ie. "restrictive"), only modules that have a valid
signature that can be verified by a public key in the kernel's possession
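Review bot: The replaced line "tainted, shown with the character 'E'." gives the letter but neither the name of the taint flag it stands for nor where the reader will see it, which is presumably how the text came to say 'X' in the first place. Consider naming the taint flag next to the letter and saying where the marker appears, so the documentation can be checked against the code by symbol rather than by a bare character. The surrounding context also uses "ie." twice; "i.e." would be the usual spelling if those lines are touched in a follow-up.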
This presents a choice of which hash algorithm the installation phase will
sign the modules with:
- CONFIG_SIG_SHA1 "Sign modules with SHA-1"
- CONFIG_SIG_SHA224 "Sign modules with SHA-224"
- CONFIG_SIG_SHA256 "Sign modules with SHA-256"
- CONFIG_SIG_SHA384 "Sign modules with SHA-384"
- CONFIG_SIG_SHA512 "Sign modules with SHA-512"
+ CONFIG_MODULE_SIG_SHA1 "Sign modules with SHA-1"
+ CONFIG_MODULE_SIG_SHA224 "Sign modules with SHA-224"
+ CONFIG_MODULE_SIG_SHA256 "Sign modules with SHA-256"
+ CONFIG_MODULE_SIG_SHA384 "Sign modules with SHA-384"
+ CONFIG_MODULE_SIG_SHA512 "Sign modules with SHA-512"
The algorithm selected here will also be built into the kernel (rather
than being a module) so that modules signed with that algorithm can have
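Review bot: The five renamed option lines fix the prefix from CONFIG_SIG_ to CONFIG_MODULE_SIG_ in this list only, so please confirm that no other mention of the old CONFIG_SIG_SHA* names remains elsewhere in the file, since a reader copying a stale symbol into a config would silently get no effect. While this list is being edited, it also gives no indication of which hash is the default or preferred choice, and SHA-1 is listed first; a short sentence stating the default would help readers choosing a signing hash.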