On Thu, Jan 14, 2016 at 2:09 PM, Neal Gompa <ngompa13@xxxxxxxxx> wrote:
> On Thu, Jan 14, 2016 at 2:00 PM, Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> wrote:
>> On Thu, Jan 14, 2016 at 1:54 PM, Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>>> On Thu, Jan 14, 2016 at 1:49 PM, Samuel Sieb <samuel@xxxxxxxx> wrote:
>>>> On 01/14/2016 07:56 AM, Neal Gompa wrote:
>>>>>
>>>>> Aside from the DNF issue, is there anything else I'm missing in
>>>>> relation to kmods in Fedora?
>>>>>
>>>> If you have secure boot, you have to go through the process to sign the
>>>> kernel modules you build and register the key with the boot system.
>>>
>>> That would be something our build system (Koji, etc.) would handle if
>>> we allowed them again, right? After all, I believe Koji handles our
>>> kernel signing, too.
>>
>> No, it would not.
>>
>> The kernel modules are signed with an ephemeral cert as part of the
>> kernel build process. They are not signed with the Fedora cert used
>> for Secure Boot. The vmlinuz and grub2 binaries are signed with the
>> Secure Boot cert. The tool that does the signing only works with
>> PECoff binaries and the kernel modules are not PECoff.
>>
>> So no, the build system does not support signing modules outside of
>> the normal kernel build.
>>
>
> So that would mean that in order to make kernel module builds work
> outside of the kernel build process, we would need a way to add more
> certs that would be accepted by the kernel and grub, right? I assume
> you'd want to do the ephemeral cert process for kmod builds too?

If you are creating a cert to sign the out-of-tree modules and expect
it to be accepted by the kernel, it cannot be ephemeral. A user would
need some way to import it into their kernel or have it passed from
grub. The only way to do so is to have it embedded in shim or the
kernel during the build of those binaries.

I do not foresee Fedora creating yet another persistent key to sign
things with, which means you would need another tool that can use the
existing key in the kernel builders. Except there are only 4 people
that can submit builds to those builders for security purposes (which
is why scratch builds are unsigned), and I don't see any of the
existing maintainers signing up to submit kmod builds.

So no, our buildsystem cannot sign kmods.

josh
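An added illustration of the point made in the thread that a module signature is not PE/COFF Authenticode: `scripts/sign-file` appends a trailer (signature blob, a `struct module_signature` header, and a magic string) to the ELF `.ko`. The parser below is example code written for this page, not from the thread or from Fedora's tooling; the sample module and PKCS#7 bytes are constructed stand-ins, not a real ELF or a real signature.

```python
import struct

# Layout that the kernel's scripts/sign-file appends to an ELF .ko:
#   [module ELF][signer name][key id][signature][struct module_signature][MAGIC]
MAGIC = b"~Module signature appended~\n"
# struct module_signature (include/linux/module_signature.h):
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len, u8 pad[3], __be32 sig_len
SIG_HDR = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # the only id_type current kernels accept; the blob is PKCS#7 DER


def parse_module_signature(ko: bytes):
    """Return a dict describing the appended signature, or None if the .ko is unsigned."""
    if not ko.endswith(MAGIC):
        return None
    body = ko[:-len(MAGIC)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_HDR.unpack(body[-SIG_HDR.size:])
    payload = body[:-SIG_HDR.size]
    trailer_len = signer_len + key_id_len + sig_len
    if trailer_len > len(payload):
        raise ValueError("signature lengths exceed file size")
    split = len(payload) - trailer_len
    module, rest = payload[:split], payload[split:]
    return {
        "algo": algo, "hash": hsh, "id_type": id_type,
        "signer": rest[:signer_len],
        "key_id": rest[signer_len:signer_len + key_id_len],
        "signature": rest[signer_len + key_id_len:],
        "module": module,  # bytes the kernel actually hashes and verifies
    }


def layout_ok_for_kernel(info) -> bool:
    """Mirror the layout checks in the kernel's mod_check_sig(): PKCS#7 only, no legacy fields."""
    return (info["id_type"] == PKEY_ID_PKCS7 and info["algo"] == 0
            and info["hash"] == 0 and not info["signer"] and not info["key_id"])


def build_signed_module(module: bytes, pkcs7_blob: bytes) -> bytes:
    """Constructed sample: append a trailer the way sign-file does for a PKCS#7 signature."""
    return module + pkcs7_blob + SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_blob)) + MAGIC


# Constructed inputs: a stand-in for an ELF .ko and a stand-in for a PKCS#7 DER blob.
SAMPLE_MODULE = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x82\x01\x00" + b"\xab" * 32

if __name__ == "__main__":
    info = parse_module_signature(build_signed_module(SAMPLE_MODULE, SAMPLE_PKCS7))
    print("signed:", info is not None, "kernel-accepted layout:", layout_ok_for_kernel(info))
    print("plain module reported as signed:", parse_module_signature(SAMPLE_MODULE) is not None)
```

Running it against a real `.ko` from a Fedora kernel package shows the trailer but not the signer, because the PKCS#7 form carries no name field; the key itself lives only inside the kernel image built alongside the modules.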