On Thu, Feb 27, 2020 at 5:54 AM Justin Forbes <jforbes@xxxxxxxxxx> wrote: > > No, nothing has changed here, loading a proprietary module has marked the kernel as tainted for a very long time. If you went back to 2.6 kernels, you would see a similar message about the kernel being tainted. The message has expanded a bit over the years as we check for things like module signatures, etc, but the end result is the same the taint flag is P for proprietary module. Gotcha. > Unless the user has gone to the trouble of self signing a proprietary module, and adding that key to the keyring, UEFI secure boot had to be disabled to even load the module. Module signatures are used and checked outside of secure boot as well. Still, even if they do sign the module and add that key to enable the module to work with secure boot, the kernel will be tainted P. Is it technically possible for the Fedora signing key to be used to sign a 3rd party key, thereby allowing the loading of 3rd party modules signed with that 3rd party key? Policy wise, is it likely that could be done? e.g. trusting the RPM Fusion Nvidia and Broadcom kernel modules? On the one hand Fedora is supporting UEFI Secure Boot out of the box, ostensibly we want users to leave it enabled. But because self-signing modules is tedious, possibly quite a lot of users are just disabling UEFI Secure Boot. I'm not sure if it's possible to make this work out of the box for users, but it would be nice to not just make it a documentation problem. -- Chris Murphy _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
