Re: F37 Change: Deprecate Legacy BIOS (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 4/6/22 16:17, Neal Gompa wrote:
> On Wed, Apr 6, 2022 at 4:09 PM Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote:
>>
>> On 4/6/22 06:43, Neal Gompa wrote:
>>> On Wed, Apr 6, 2022 at 12:04 AM Gary Buhrmaster
>>> <gary.buhrmaster@xxxxxxxxx> wrote:
>>>>
>>>> On Wed, Apr 6, 2022 at 12:59 AM Demi Marie Obenour
>>>> <demiobenour@xxxxxxxxx> wrote:
>>>>>
>>>>> On 4/5/22 19:38, Chris Murphy wrote:
>>>>>> We either want users with NVIDIA hardware to be inside the Secure Boot
>>>>>> fold or we don't. I want them in the fold *despite* the driver that
>>>>>> needs signing is proprietary. That's a better user experience across
>>>>>> the board, including the security messaging is made consistent. The
>>>>>> existing policy serves no good at all and is double talk. If we really
>>>>>> care about security more than ideological worry, we'd sign the driver.
>>>>>
>>>>> I agree with this.  Sign the driver.
>>>>
>>>> Nvidia has their driver signed for their
>>>> Windows drivers.  That they choose
>>>> not to do so for Linux is their right,
>>>> even if some wish they did.
>>>>
>>>> It should be noted that while many
>>>> might wish nvidia chose a different
>>>> way, that is completely orthogonal
>>>> to bios vs uefi.
>>>
>>> Linux, like Windows, requires the distribution vendor to sign modules
>>> for automatic trust. There are a number of complicated issues that
>>> make it difficult for us to sign this particular driver, though.
>>> Notably, NVIDIA themselves acknowledges that it infringes on the GPL
>>> to redistribute built kernel module blobs of nvidia.ko[1], so that means
>>> any method of signing it needs to be done locally, which means we
>>> *need* the local signing path to be improved.
>>>
>>> [1]: https://imgur.com/LUCQ3WW
>>
>> Can we get NVIDIA to make the module build reproducible?  If so, we
>> could distribute a detached signature.
>>
> 
> Outside of RHEL (which they already do this for), it is not
> technically feasible to do so. The mainline Linux kernel lacks a kABI
> and symbol churn happens constantly. The modules have to be built
> completely from source every time, dealing with kernel churn making
> the resulting files different every time.

Are they different *per-user*, or only *per-kernel-version*?

If the latter, one could create signatures for every (driver version,
kernel version) combo.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux