On Tue, Jun 13, 2023 at 04:19:32PM +0200, Takashi Iwai wrote:
On Tue, 13 Jun 2023 16:05:37 +0200, Michal Suchánek wrote:
On Tue, Jun 13, 2023 at 03:18:16PM +0200, Takashi Iwai wrote:
On Tue, 13 Jun 2023 15:03:03 +0200, Michal Suchánek wrote:
OTOH, it'd be certainly safer to deploy MOK no matter what value sb-state option has for avoiding the possible cases. So, it doesn't sound too bad to use /etc/sysconfig/bootloader:SECURE_BOOT as a checker instead of sb-state option -- as long as it's well documented.
Or, ideally, have a GUI to tweak this...
The secure boot setting can be changed on the installer summary page and in the yast bootloader module. I think that's sufficient.
And that's the problem. The YaST bootloader module has no idea about the Nvidia setup.
So, having some check makes things broken if the setup is re-enabled: it doesn't matter whether it's the --sb-state option check or the /etc/sysconfig check. Neither triggers the (re-)deployment of the Nvidia cert automagically.
OTOH, forcing MOK thingy at each time you update the kernel and nvidia packages *unconditionally* would be just XXXX (fill your favorite 4 letters). I'd switch to another distro if I would have to do it.
And it's not needed every time for the kernel because the certificate is enrolled only once per project from which you install a kernel, and not at all for the official release project.
Yes, the argument is only about the special use case of Nvidia; unfortunately it has large user base and a sort of "must" item.
The problem is with the NVIDIA modules that are built locally every time with a new ephemeral key that needs to be enrolled on each update.
If the key was always the same it would need to be enrolled only once, but we do not have secure storage for the key.
Right, and that's the sole reason Nvidia driver package uses a one-time key. So we go back to square... :-<
And why does it have to be a one-time key? That's what upstream recommends, but it also recommends making lockdown independent of secure boot, and next to nobody uses that. From the https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS DKMS documentation it looks like it uses a permanent key. Of course, storing a permanent key on disk is somewhat less secure than an ephemeral key, but besides usability there is also the concern of wearing down the flash storage holding the firmware configuration by enrolling a new key on every update.

Thanks

Michal
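The thread contrasts two "checkers" for whether Secure Boot is in effect: what the firmware reports via `mokutil --sb-state`, and what the distribution's own configuration says in `/etc/sysconfig/bootloader:SECURE_BOOT`. The following POSIX shell script is an added example, not code from the thread or from any openSUSE/YaST or Nvidia packaging. It reads both sources, reports whether they agree (the disagreement case is exactly the "setup re-enabled in YaST but cert not re-deployed" situation described above), and, when given a DER certificate, asks `mokutil --test-key` whether that cert is already in the MOK list so a deployment step can be skipped rather than forced unconditionally. The `SECURE_BOOT="yes"/"no"` sysconfig format and the path are assumed from the discussion; `mokutil` calls degrade to `unknown` when the tool is not installed.

```shell
#!/bin/sh
# Added example: compare the sysconfig and firmware Secure Boot checkers and
# report MOK enrollment state. Not part of the thread or any project's tooling.

# Parse SECURE_BOOT from a sysconfig-style file (assumed format: KEY="value").
# Prints yes / no / unset / unknown. Last assignment wins; comments ignored.
sysconfig_sb_state() {
    file="${1:-/etc/sysconfig/bootloader}"
    [ -r "$file" ] || { echo unset; return 0; }
    val=$(sed -n 's/^[[:space:]]*SECURE_BOOT=[[:space:]]*"\{0,1\}\([^"#]*\)"\{0,1\}.*$/\1/p' "$file" \
          | tail -n 1 | tr -d '[:space:]')
    case "$val" in
        yes|YES|true|1) echo yes ;;
        no|NO|false|0)  echo no ;;
        "")             echo unset ;;
        *)              echo unknown ;;
    esac
}

# Firmware view via `mokutil --sb-state`. Prints enabled / disabled / unknown.
firmware_sb_state() {
    command -v mokutil >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(mokutil --sb-state 2>/dev/null) || { echo unknown; return 0; }
    case "$out" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Is the given DER certificate already in the MOK list? Prints yes / no / unknown.
# Uses `mokutil --test-key <cert.der>`, which reports "is already enrolled" or
# "is not enrolled".
mok_cert_enrolled() {
    cert="$1"
    command -v mokutil >/dev/null 2>&1 || { echo unknown; return 0; }
    [ -r "$cert" ] || { echo unknown; return 0; }
    out=$(mokutil --test-key "$cert" 2>/dev/null) || { echo unknown; return 0; }
    case "$out" in
        *"is already enrolled"*) echo yes ;;
        *"is not enrolled"*)     echo no ;;
        *)                       echo unknown ;;
    esac
}

# Do the two checkers tell the same story? Prints agree / disagree / indeterminate.
# "disagree" is the state in which a check on either source alone would skip a
# MOK (re-)deployment that is actually needed.
checkers_agree() {
    cfg="$1"; fw="$2"
    case "$cfg/$fw" in
        yes/enabled|no/disabled) echo agree ;;
        yes/disabled|no/enabled) echo disagree ;;
        *)                       echo indeterminate ;;
    esac
}

# Usage: sb-check.sh [sysconfig-file] [cert.der]
main() {
    cfg=$(sysconfig_sb_state "${1:-/etc/sysconfig/bootloader}")
    fw=$(firmware_sb_state)
    echo "sysconfig SECURE_BOOT:        $cfg"
    echo "firmware (mokutil --sb-state): $fw"
    echo "checkers:                      $(checkers_agree "$cfg" "$fw")"
    if [ -n "${2:-}" ]; then
        echo "MOK cert $2 enrolled:          $(mok_cert_enrolled "$2")"
    fi
    return 0
}

main "$@"
```

Run it as `sh sb-check.sh /etc/sysconfig/bootloader /var/lib/nvidia/mok.der` (paths are placeholders). A packaging hook would only enroll when `checkers_agree` is not `disagree` and `mok_cert_enrolled` says `no`, which avoids both the unconditional enrollment the thread objects to and the silent skip when only one source is consulted.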