On Wed, Jun 14, 2023 at 12:53:07PM +0200, Stefan Dirsch wrote:
On Wed, Jun 14, 2023 at 05:40:38PM +0800, joeyli wrote:
The obvious question: what do other distros do?
I checked the shim signature and kernel embedded keys in Fedora 37, CentOS 9 and Ubuntu 22.10. I have put the result on bsc#1198101.
The point is: I didn't find KMP from Fedora or Ubuntu online update. Maybe I missed it. Or maybe they do not provide online update of KMP, especially NVIDIA driver, so they do not worry about the local-built with one time signkey problem.
RH/CentOS use DKMS for building the driver. Ubuntu probably also uses DKMS or something comparable, so they also build it on-the-fly and I assume they need to sign the modules as well for SB.
With a fixed key that is generated and enrolled the first time DKMS is used, AFAICT.

Thanks

Michal