On 4/6/22 16:17, Neal Gompa wrote: > On Wed, Apr 6, 2022 at 4:09 PM Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote: >> >> On 4/6/22 06:43, Neal Gompa wrote: >>> On Wed, Apr 6, 2022 at 12:04 AM Gary Buhrmaster >>> <gary.buhrmaster@xxxxxxxxx> wrote: >>>> >>>> On Wed, Apr 6, 2022 at 12:59 AM Demi Marie Obenour >>>> <demiobenour@xxxxxxxxx> wrote: >>>>> >>>>> On 4/5/22 19:38, Chris Murphy wrote: >>>>>> We either want users with NVIDIA hardware to be inside the Secure Boot >>>>>> fold or we don't. I want them in the fold *despite* the driver that >>>>>> needs signing is proprietary. That's a better user experience across >>>>>> the board, including the security messaging is made consistent. The >>>>>> existing policy serves no good at all and is double talk. If we really >>>>>> care about security more than ideological worry, we'd sign the driver. >>>>> >>>>> I agree with this. Sign the driver. >>>> >>>> Nvidia has their driver signed for their >>>> Windows drivers. That they choose >>>> not to do so for Linux is their right, >>>> even if some wish they did. >>>> >>>> It should be noted that while many >>>> might wish nvidia chose a different >>>> way, that is completely orthogonal >>>> to bios vs uefi. >>> >>> Linux, like Windows, requires the distribution vendor to sign modules >>> for automatic trust. There are a number of complicated issues that >>> make it difficult for us to sign this particular driver, though. >>> Notably, NVIDIA themselves acknowledges that it infringes on the GPL >>> to redistribute built kernel module blobs of nvidia.ko[1], so that means >>> any method of signing it needs to be done locally, which means we >>> *need* the local signing path to be improved. >>> >>> [1]: https://imgur.com/LUCQ3WW >> >> Can we get NVIDIA to make the module build reproducible? If so, we >> could distribute a detached signature. >> > > Outside of RHEL (which they already do this for), it is not > technically feasible to do so. The mainline Linux kernel lacks a kABI > and symbol churn happens constantly. The modules have to be built > completely from source every time, dealing with kernel churn making > the resulting files different every time. Are they different *per-user*, or only *per-kernel-version*? If the latter, one could create signatures for every (driver version, kernel version) combo. -- Sincerely, Demi Marie Obenour (she/her/hers)
Attachment:
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure