On Wed, Jun 19, 2024 at 11:33 AM Vitaly Zaitsev via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 19/06/2024 17:49, Daniel P. Berrangé wrote:
> This allows
> any privileged process to sign any future kmods, from any source.
Yes. That's why it is preferable to ship built and signed in Koji kmod
packages, but nobody want to do this: neither Fedora nor RPM Fusion.
Without a signature, the kernel module will not be loaded, so we have
only two options left:
1. Ask end users to disable UEFI Secure boot completely.
2. Use kmodgenca with akmods.
The second option is better, IMO.
While it does *feel* better, both options effectively remove any UEFI Secure boot protections.
Unless the private key is off-system, anything will be able to be loaded without much fuss.
Jonathan Steffan
-- _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue