Re: Half-OT: Secure boot and third party kernel modules


 



On 07/06/2014 07:10 PM, Sergio Belkin wrote:
> So, the question is: Is it worth signing "my own" kernel?

Only if you keep your own key on a sufficiently separated machine, otherwise it's equivalent to disabling Secure Boot anyway.

It's also not clear if the Virtualbox kernel modules themselves are capable of bypassing Secure Boot, so the entire effort might be futile for this reason as well.

Note that Microsoft's current policy may not allow unrestricted virtualization (KVM or Virtualbox—does not matter) because that "permits launch of another operating system instance after execution of unauthenticated code"—the wording is rather unclear. If Microsoft clarifies that this is forbidden, a future Fedora update will remove this functionality, so you will be forced to disable Secure Boot at this point anyway if you want to continue to use virtualization.

--
Florian Weimer / Red Hat Product Security
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




