On 6/12/23 05:12, Stefan Dirsch wrote:
The key for the kernel is always the same, so enrolled once in MOK. (Once
every time you install a kernel from a different project.)
But nvidia is different, right? The key differs on every update. Or not?

Exactly. With each nvidia driver *and* kernel update we generate a new key/certificate. Unfortunately we can't keep the SB key on the disk for security reasons.

I don't use nvidia, but doesn't that mean that the MOK is going to end up with lots of keys for older nvidia drivers which are no longer even installed? Could a user run into some limit on the number of keys installed? Considering the number of updates and number of new kernels we see in TW, it would seem like a mess that will need to be cleaned up at some point.

Why does it always need a new key, couldn't you just generate once and reuse whenever the nvidia driver is updated? That's what I have been doing with signing the vmware modules.

Couldn't you use the same suse key that signs other stuff since the drivers are being provided by the distro?

--
Regards,
Joe