On Tue, Mar 17, 2020 at 1:11 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote: > On Thu, Feb 27, 2020 at 5:54 AM Justin Forbes <jforbes@xxxxxxxxxx> wrote: > > > > No, nothing has changed here, loading a proprietary module has marked > the kernel as tainted for a very long time. If you went back to 2.6 > kernels, you would see a similar message about the kernel being tainted. > The message has expanded a bit over the years as we check for things like > module signatures, etc, but the end result is the same the taint flag is P > for proprietary module. > > Gotcha. > > > Unless the user has gone to the trouble of self signing a proprietary > module, and adding that key to the keyring, UEFI secure boot had to be > disabled to even load the module. Module signatures are used and checked > outside of secure boot as well. Still, even if they do sign the module and > add that key to enable the module to work with secure boot, the kernel will > be tainted P. > > Is it technically possible for the Fedora signing key to be used to > sign a 3rd party key, thereby allowing the loading of 3rd party > modules signed with that 3rd party key? > > Policy wise, is it likely that could be done? e.g. trusting the RPM > Fusion Nvidia and Broadcom kernel modules? > > This is something that will *not* be done or considered. If those third party repositories wanted to, they could set up their own key and signing process, and simply ask the users to import their key with detailed instructions, but it has to be a conscious effort on the part of the user to extend that trust. On the one hand Fedora is supporting UEFI Secure Boot out of the box, > ostensibly we want users to leave it enabled. But because self-signing > modules is tedious, possibly quite a lot of users are just disabling > UEFI Secure Boot. I'm not sure if it's possible to make this work out > of the box for users, but it would be nice to not just make it a > documentation problem. > The act of generating the key and getting it into the key ring is a bit tedious, but this is something that you only need to do once. It should be tedious, it is not a step to be taken lightly. The act of self signing a module with that key is not difficult at all. It can certainly be automated if you feel comfortable with the level of security that such automation would provide. _______________________________________________ kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx