On Wed, Jun 14, 2023 at 09:31:24AM -0400, Joe Salmeri wrote:
On 6/13/23 19:09, Stefan Dirsch wrote:
The keys are uninstalled from MOK when uninstalling the older driver. Well, of course you can ignore Mokmanager after reboot ...
Considering the number of updates and number of new kernels we see in TW, it would seem like a mess that will need to be cleaned up at some point. Any suggestions to improve it?
Since the keys are removed when the older driver is installed that should address the situation I raised.
Why does it always need a new key? Couldn't you just generate once and reuse whenever the nvidia driver is updated?
That's what I have been doing with signing the vmware modules. On your system you can do this. Your risk. SUSE can't do this, i.e. keeping the generated private key on the hard disk.
I see your point, however, when you set up Apache to use SSL for a website, you have to have both the public and private keys on disk.
I guess the difference is the fact that in this case if the Nvidia private key was also on disk, then a bad actor could use it and the public key which is also on disk to sign a malicious code module.
Is that what you meant by "my risk" or are there other reasons I had not considered?
Yes, that's basically it, and that's what other distributions seem to be doing with DKMS.

Thanks

Michal