Martin Wilck changed bug 1173158
What Removed Added
Flags needinfo?  

Comment # 111 on bug 1173158 from
(In reply to Tripple Moon from comment #106)

> In my case, and most likely most users, it is not just a problem of the
> nvidia drivers but is a common problem for *any* proprietary kernel driver
> the user needs for its hardware.
> F.e. I need both the nvidia and broadcom drivers as mentioned in that forum
> thread.

True, NVidia is just an example, albeit by far the most demanded.
Steffen has done a great job packaging the NVidia driver with all the
necessary magic in place to make this work. Someone (you?) could use that as a
template to create a driver package for the Broadcom driver.

> IMHO the way *ubuntu does it, while working and easy to use, is insecure in
> practice if you want strict compliance with the SB specs.
> Because it drops a key file on the machine that can be accessed by
> fraudulent code.

It has nothing to do with the specs, it's plain insecure. However I gather that
it's at least protected by a password. So it's basically up to the user,
protecting the key with a strong pass phrase would be sufficient for most
environments.

> I would suggest an enhanced mechanism to physically separate the
> kernel-module signing key from the running machine in a
> distribution-agnostic thus general enough way.

If such a mechanism existed, distros would certainly be interested in adopting
it. If you scroll up, you may see that we have been discussing it already
(comment 17 ff.). It requires considerable effort, though, and has complex
legal implications.

> May I suggest to put this key in /KMSK (Short for Kernel Module Signing
> Keys)
> ...
> It will also enable people to use their own keys that are trusted by their
> hardware.

That's one idea, and it's not totally new. Similar ideas are discussed once in
a while e.g. for storing keys for encrypted storage. IMO it's not safer than
using a strong passphrase. If you store the keys on the medium with an empty
pass phrase, it's actually less secure. Other people prefer other means such as
smart cards, the TPM, you name it. It's really hard to make everyone happy.

> May I also suggest to use this layout ... for the shim install?

It won't be heard. This bug is about secure boot and NVidia drivers. Please
stay on topic.

(In reply to Tripple Moon from comment #107)
> Why isn't the dkms package installed by default when installing openSUSE?

Because it's not required for running openSUSE. We try to keep the default
installation lean, and not everyone requires 3rd-party drivers. That said, KMPs
are way superior to anything built with DKMS.

(In reply to Tripple Moon from comment #108)
> Is there any way to revoke this choice, or is it only used by the current
> opensuse-shim?

Yes. "mokutil --list-enrolled" shows currently enrolled certificates in the
MoK. "mokutil --delete" will create a MoK request to delete this key. You have
to reboot and enter mokmanager to confirm.

