On Thu, 2020-07-09 at 23:10 +0300, nickysn@xxxxxxxxx wrote: > On Thu, 2020-07-09 at 11:17 -0700, stan via devel wrote: > > On Thu, 09 Jul 2020 18:07:39 +0300 > > nickysn@xxxxxxxxx wrote: > > > > > Yes, that's why "secure boot" should only be an option and the user > > > must have the option to turn it off. Otherwise, it wouldn't be > > > possible to do any kernel development on that computer. > > > > For my edification. I build custom kernels, and sign them using > > pesign with my own key that I generated locally, and put in the EFI > > key > > database. I can then boot the custom kernel in secure mode. Couldn't > > I > > also sign modules if I ever generated them with that same key? > > > > That is, isn't this only an issue if the person doing the kernel > > development hasn't generated their own key, and isn't signing their > > kernels locally? > > To be honest, I don't know. Do all UEFI secure boot implementations > allow you to add your own keys to the list of trusted keys? In theory they should, but the interface may be broken or overly complicated. That said you can always disable secure boot on x86_64 ... not so on ARM based hw. Simo. -- Simo Sorce RHEL Crypto Team Red Hat, Inc _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
