On Thu, Mar 09, 2023 at 12:46:14PM +0100, Robert Kaiser wrote:
[inadvertently did not send my reply to the list, so trying to get it in again with this]
Jiri Slaby wrote:
On 09. 03. 23, 12:32, Robert Kaiser wrote:
Jiri Slaby wrote:
Last but not least, I do not recommend anyone with out of tree modules to run TW.
So, you mean, anybody who wants to use NVidia graphics fully should not use TW? Doesn't sound like a good solution to me, esp. as nowadays, the proprietary driver mostly works fine even on kernel updates (when a new major version comes out, there sometimes are breakages but those usually get fixed pretty quickly). And with 6.2.1 I "just" needed to disable secureboot in the UEFI - not ideal, but it works for those of us who can just do that.
Did you intentionally remove the next sentence: I mean those users not having good enough knowledge how to fix things. ?
Reading the above, you belong to the category.
That said, could there be two kernels available for choice, one with lockdown, one without, and for TW the one without would be default (while on SLE or even Leap or its successor the locked down one would be default)?
No, as per Microsoft requirements.
Hrm, that's a bummer. Being able to choose if you lock down your system or not would IMHO be great but if they don't allow that user choice, that's really sad.
Actually, they do. It just must not be loaded automatically. That is you have to sign the kernel with a key that is not trusted by default by shim, enroll that key, reboot to confirm the key enrollment, and boot your gaping-security-hole kernel. The additional technical problem is that the build service has only one key per project, and then either you get locked-down kernels that boot automagically, or you need to enroll openSUSE key before you can boot the installation medium.

Thanks

Michal