On 19/06/2024 17:49, Daniel P. Berrangé wrote:
This allows any privileged process to sign any future kmods, from any source.
Yes. That's why it is preferable to ship built and signed in Koji kmod packages, but nobody want to do this: neither Fedora nor RPM Fusion.
Without a signature, the kernel module will not be loaded, so we have only two options left:
1. Ask end users to disable UEFI Secure boot completely. 2. Use kmodgenca with akmods. The second option is better, IMO. -- Sincerely, Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx) -- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
