On Thu, Jan 14, 2016 at 2:00 PM, Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:
> On Thu, Jan 14, 2016 at 1:54 PM, Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>> On Thu, Jan 14, 2016 at 1:49 PM, Samuel Sieb <samuel@xxxxxxxx> wrote:
>>> On 01/14/2016 07:56 AM, Neal Gompa wrote:
>>>>
>>>> Aside from the DNF issue, is there anything else I'm missing in
>>>> relation to kmods in Fedora?
>>>>
>>> If you have secure boot, you have to go through the process to sign the
>>> kernel modules you build and register the key with the boot system.
>>
>> That would be something our build system (Koji, etc.) would handle if
>> we allowed them again, right? After all, I believe Koji handles our
>> kernel signing, too.
>
> No, it would not.
>
> The kernel modules are signed with an ephemeral cert as part of the
> kernel build process. They are not signed with the Fedora cert used
> for Secure Boot. The vmlinuz and grub2 binaries are signed with the
> Secure Boot cert. The tool that does the signing only works with
> PECoff binaries and the kernel modules are not PECoff.
>
> So no, the build system does not support signing modules outside of
> the normal kernel build.
>

So that would mean in order to make kernel module builds work
outside of the kernel build process, we would need a way to add more
certs that would be accepted by the kernel and grub, right? I assume
you'd want to do the ephemeral cert process for kmod builds too?

--
真実はいつも一つ!/ Always, there's only one truth!
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
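
Added example, not part of the thread or of Fedora's tooling: the quoted reply says the Secure Boot signing tool only handles PE/COFF binaries and that kernel modules are not PE/COFF. This Python code tells the two containers apart and reads the trailer that the kernel's module signing appends to a signed module; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Marker the kernel's module signing appends after the signature blob.
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, big-endian 32-bit signature length (12 bytes in total).
MODULE_SIG_TRAILER = struct.Struct(">BBBBB3xI")


def describe(blob: bytes) -> dict:
    """Report the container format and any appended module signature."""
    info = {"container": "unknown", "appended_sig_len": None}

    if blob[:4] == b"\x7fELF":
        info["container"] = "ELF"  # kernel modules (.ko) are ELF objects
    elif blob[:2] == b"MZ" and len(blob) >= 0x40:
        # DOS header field e_lfanew at 0x3c points at the "PE\0\0" signature.
        (pe_off,) = struct.unpack_from("<I", blob, 0x3C)
        if blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            info["container"] = "PE/COFF"  # EFI binaries use this format

    if blob.endswith(MODULE_SIG_MAGIC):
        start = len(blob) - len(MODULE_SIG_MAGIC) - MODULE_SIG_TRAILER.size
        if start >= 0:
            sig_len = MODULE_SIG_TRAILER.unpack_from(blob, start)[-1]
            # Reject a trailer that claims more signature bytes than exist.
            if sig_len <= start:
                info["appended_sig_len"] = sig_len
    return info


def sample_pe() -> bytes:
    """Constructed minimal PE-like header (not a real EFI binary)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 20


def sample_module(signed: bool) -> bytes:
    """Constructed ELF-like blob, optionally with an appended signature."""
    body = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return body
    sig = b"\xaa" * 16  # stand-in bytes, not a real PKCS#7 signature
    trailer = MODULE_SIG_TRAILER.pack(0, 0, 2, 0, 0, len(sig))
    return body + sig + trailer + MODULE_SIG_MAGIC


if __name__ == "__main__":
    for name, blob in [("pe", sample_pe()), ("ko", sample_module(True))]:
        print(name, describe(blob))
```

The code only identifies the format and the trailer; it does not verify the signature or check which key produced it.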