Re: F37 Change: Deprecate Legacy BIOS (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2022-04-06 at 21:03 -0500, Justin Forbes wrote:
> On Wed, Apr 6, 2022 at 6:31 PM Chris Murphy <lists@xxxxxxxxxxxxxxxxx> wrote:
> > 
> > On Wed, Apr 6, 2022 at 10:23 AM Justin Forbes <jmforbes@xxxxxxxxxxx> wrote:
> > 
> > > > Apple and Microsoft signing NVIDIA's proprietary driver doesn't at all
> > > > indicate Apple and Microsoft trust the driver itself. It is trusting
> > > > the providence of the blob, in order to achieve an overall safer
> > > > ecosystem for their users.
> > > > 
> > > > We either want users with NVIDIA hardware to be inside the Secure Boot
> > > > fold or we don't. I want them in the fold *despite* the driver that
> > > > needs signing is proprietary. That's a better user experience across
> > > > the board, including the security messaging is made consistent. The
> > > > existing policy serves no good at all and is double talk. If we really
> > > > care about security more than ideological worry, we'd sign the driver.
> > > 
> > > At the very least, it would require that Fedora have a separate key
> > > that is trusted and not the same one used for shim/grub/kernel.
> > 
> > If Fedora is going to sign it, rather than improving the local signing
> > experience, absolutely it should be signed with a separate key. The
> > design should assume a revocation is going to happen at some point.
> > 
> > > We
> > > certainly aren't proposing that we use the standard Fedora keys to
> > > sign a binary blob that runs in kernel space from a company who was
> > > most recently hacked last month?
> > 
> > No way.
> > 
> > I don't think there's a mechanism for it, but I'd prefer Fedora sign
> > the 3rd party's key rather than their binary. Maybe it's a small
> > distinction at the end of the day.
> 
> 
> We have not set up an infrastructure for it, but in all honesty, there
> is no technical reason that any 3rd party repository building and
> packaging the driver could not have done such a thing a couple of
> years ago.  The mechanism has been there, pesign can sign modules.
> Now, asking Fedora to trust that key is a different issue, but users
> have to reboot after installing the nvidia drivers anyway, so clicking
> to accept the key isn't too much of a hurdle to jump through at that
> point.

There is potentially an even easier solution.
Ideally dkms (or whatever) could simply generate a key, sign the module
and manage to get the public key in the right place so that the module
can be verified. But this is hard work I guess, and nobody cares about
Secure Boot enough to do it?

Simo.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc



_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux