Comment # 23 on bug 1173158 from
(In reply to Martin Wilck from comment #17)
> It's indeed not easy. We could use a key stored in a standard location on
> the user's system. However, at the very least the build procedure should
> allow to enter the pass phrase for the key in a secure manner. Otherwise the
> secret key would need to be stored unencrypted on the target system, which
> would forfeit the use of secure boot, or a locked-down kernel, almost
> entirely.

Right now we are loading unsigned modules so there is not much of a difference
to that. In the worst case, if storing the private key really is a concern, a
new one could be created for each rebuild of the ko and the private key deleted
afterwards. Sure, that means enrolling the key on reboot then. If one really
decides to play that secure boot game it's a matter of picking your poison
basically :-)
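
The per-rebuild key flow described in this comment, as an added example (not part of the original comment or of any project's build scripts): generate a throwaway key, sign the rebuilt module, keep only the public certificate, and destroy the private key. The function name, the `SIGN_FILE` default path, and the certificate subject are assumptions; enrollment via `mokutil --import` is printed as the next step rather than run.

```shell
#!/bin/sh
# Added example: sign one module with a throwaway key, keep only the public cert.
# SIGN_FILE is an assumption: path to the kernel tree's scripts/sign-file helper.
SIGN_FILE="${SIGN_FILE:-/lib/modules/$(uname -r)/build/scripts/sign-file}"

sign_with_ephemeral_key() {
    module="$1"      # path to the freshly built .ko
    cert_out="$2"    # where to leave the DER certificate for MOK enrollment
    [ -f "$module" ] || { echo "no such module: $module" >&2; return 1; }
    [ -x "$SIGN_FILE" ] || { echo "sign-file not found: $SIGN_FILE" >&2; return 1; }

    # Prefer RAM-backed storage so the private key never reaches a disk.
    base=/dev/shm
    { [ -d "$base" ] && [ -w "$base" ]; } || base="${TMPDIR:-/tmp}"
    work=$(mktemp -d "$base/modsign.XXXXXX") || return 1
    chmod 700 "$work"
    key="$work/signing.key"

    rc=0
    # -nodes leaves the key unencrypted, which is acceptable only because it
    # lives for the duration of this function. -addext needs OpenSSL 1.1.1+;
    # the codeSigning EKU is included on the assumption the kernel checks it.
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes \
          -keyout "$key" -outform DER -out "$work/cert.der" \
          -days 3650 -subj "/CN=ephemeral module key $(date +%Y%m%d%H%M%S)/" \
          -addext "extendedKeyUsage=codeSigning" 2>/dev/null ) &&
    "$SIGN_FILE" sha256 "$key" "$work/cert.der" "$module" &&
    cp "$work/cert.der" "$cert_out" || rc=1

    # Destroy the private key whether or not signing succeeded.
    if command -v shred >/dev/null 2>&1; then
        shred -u "$key" 2>/dev/null || true
    fi
    rm -rf "$work"
    [ "$rc" -eq 0 ] || return 1

    # A new certificate per rebuild means a new enrollment per rebuild.
    echo "signed $module; enroll with: mokutil --import $cert_out, then reboot"
}
```

Each rebuild produces a different certificate, so every rebuild needs a fresh MOK enrollment confirmed at the next boot, which is the cost the comment refers to.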

