How come Fedora ignores `module.sig_enforce` kernel parameter if SB is enabled but Arch does not?

Question

I recently secure-booted Arch and Fedora on my RTX3050 equipped laptop.

As is the common knowledge, I had to sign my Nvidia modules on Fedora for the kernel to load them. However, I find that same is not the case with Arch. Arch loads the Nvidia modules even if they are not signed — provided, of course, that the kernel and the GRUB are signed.

Upon researching, I came across this post on the ArchWiki mentioning the module.sig_enforce=1 kernel parameter to force signature verification. However, table 3 in this entry of Fedora docs, mentions that the said kernel parameter doesn't make any difference when SecureBoot is enabled.

The kernel docs mention CONFIG_MODULE_SIG_FORCE option in the kernel configuration. So, I decided to take a look at Fedora's and Arch's configs.

And sure enough, Arch doesn't have the option set. But, so doesn't Fedora.

So why this difference in handling of the modules?

EDIT: I found CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT option that is present in Fedora's config but not in Arch's, after a chat in Fedora's Matrix Room. But, I cannot find any documentation related to this at docs.kernel.org; only a reference here. Is there a different site for documenting all kernel config options?

Answer 1

As you discovered, this is enforced by CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT. That setting is supported by a kernel patch which hasn’t been merged upstream; you’ll find it in Fedora and RHEL kernels but not in Arch.

Since it hasn’t been merged upstream, you won’t find it in the upstream kernel documentation, or on any other site which describes the upstream kernel.