On Wed, Apr 6, 2022 at 4:09 PM Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote: > > On 4/6/22 06:43, Neal Gompa wrote: > > On Wed, Apr 6, 2022 at 12:04 AM Gary Buhrmaster > > <gary.buhrmaster@xxxxxxxxx> wrote: > >> > >> On Wed, Apr 6, 2022 at 12:59 AM Demi Marie Obenour > >> <demiobenour@xxxxxxxxx> wrote: > >>> > >>> On 4/5/22 19:38, Chris Murphy wrote: > >>>> We either want users with NVIDIA hardware to be inside the Secure Boot > >>>> fold or we don't. I want them in the fold *despite* the driver that > >>>> needs signing is proprietary. That's a better user experience across > >>>> the board, including the security messaging is made consistent. The > >>>> existing policy serves no good at all and is double talk. If we really > >>>> care about security more than ideological worry, we'd sign the driver. > >>> > >>> I agree with this. Sign the driver. > >> > >> Nvidia has their driver signed for their > >> Windows drivers. That they choose > >> not to do so for Linux is their right, > >> even if some wish they did. > >> > >> It should be noted that while many > >> might wish nvidia chose a different > >> way, that is completely orthogonal > >> to bios vs uefi. > > > > Linux, like Windows, requires the distribution vendor to sign modules > > for automatic trust. There are a number of complicated issues that > > make it difficult for us to sign this particular driver, though. > > Notably, NVIDIA themselves acknowledges that it infringes on the GPL > > to redistribute built kernel module blobs of nvidia.ko[1], so that means > > any method of signing it needs to be done locally, which means we > > *need* the local signing path to be improved. > > > > [1]: https://imgur.com/LUCQ3WW > > Can we get NVIDIA to make the module build reproducible? If so, we > could distribute a detached signature. > Outside of RHEL (which they already do this for), it is not technically feasible to do so. The mainline Linux kernel lacks a kABI and symbol churn happens constantly. The modules have to be built completely from source every time, dealing with kernel churn making the resulting files different every time. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
