http://bugzilla.opensuse.org/show_bug.cgi?id=1173158
http://bugzilla.opensuse.org/show_bug.cgi?id=1173158#c106
Tripple Moon changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |suse@trimoon.cloudns.eu
--- Comment #106 from Tripple Moon ---
I recently switched (still trying) to openSUSE, see
https://forums.opensuse.org/showthread.php/542653-Fresh-install-on-ASUS-X99-...
And I am installing with SecureBoot *enabled* for both Leap 15.2 and
Tumbleweed.
I am also unable to locate '/var/lib/nvidia-pubkeys'.
Furthermore, even while using Kubuntu I never got the MokManager screens; in
that distro version I had to manually add the kernel-module signing key's
certificate to the MokList using KeyTool from efitools, after having found and
copied the cert to a place accessible from the tool (e.g. the ESP).
In my case, and most likely for most users, it is not just a problem of the nvidia
drivers but a common problem for *any* proprietary kernel driver the user
needs for their hardware.
For example, I need both the nvidia and broadcom drivers, as mentioned in that forum
thread.
I understand the difficult choice of using SB or not with regard to kernel modules, but it
is *needed* for proper hardware functionality when you want SB enabled.
IMHO the way *ubuntu does it, while working and easy to use, is insecure in
practice if you want strict compliance with the SB specs, because it drops a key
file on the machine that can be accessed by fraudulent code.
I would suggest an enhanced mechanism to physically separate the kernel-module
signing key from the running machine in a distribution-agnostic, and thus general
enough, way.
May I suggest putting this key in /KMSK (short for Kernel Module Signing Keys),
which needs to be manually mounted by the physical user at the moment it is
actually needed, and auto-unmounted afterwards with a small but sufficient delay to
allow multiple module signings.
That mount point can then be mounted from a USB stick, NFS, etc., which is a
choice made by that physical user and thus in most cases an external medium.
I say in most cases, because one could also use a shadow-mount to point it to a
local directory which is on the same machine (encrypted or not) and can be used
for VM testing etc...
It will also enable people to use their own keys that are trusted by their
hardware.
This key can be automatically created on installation/request if the user has
none yet.
And a final note:
May I also suggest using this layout
(https://forums.opensuse.org/showthread.php/542653-Fresh-install-on-ASUS-X99-...)
for the shim install?
It will ease testing of different versions of openSUSE (any distro in fact) in
the long run without any conflicts wrt UEFI booting.
We should all, IMHO, drop grub and move on to loaders like systemd-boot and the
like, which are meant for UEFI booting and easier to configure...
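As an added illustration of the /KMSK workflow proposed in the comment above (example script, not part of the bug report or of openSUSE's tooling): the key medium is mounted read-only only while modules are signed and is unmounted again after a short delay. The device label, mount point, key file names and the kernel's scripts/sign-file location are assumptions; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Hypothetical /KMSK signing helper. Names below are assumptions, not a real
# distribution interface. The private key never lives on a permanently
# mounted filesystem; it is reachable only inside the signing window.
KMSK_DIR="${KMSK_DIR:-/KMSK}"
KMSK_DEV="${KMSK_DEV:-/dev/disk/by-label/KMSK}"   # constructed volume label
KMSK_KEY="$KMSK_DIR/MOK.priv"                     # assumed key file name
KMSK_CERT="$KMSK_DIR/MOK.der"                     # matching cert enrolled via MokManager
SIGN_FILE="${SIGN_FILE:-/usr/src/linux/scripts/sign-file}"  # ships with kernel sources
UNMOUNT_DELAY="${UNMOUNT_DELAY:-30}"   # seconds the key stays mounted after the last run
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or only print it when DRY_RUN=1.
kmsk_run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mount the key medium read-only and with nosuid,nodev,noexec so nothing on
# it can be executed; skip if it is already mounted.
kmsk_mount() {
    mountpoint -q "$KMSK_DIR" 2>/dev/null && return 0
    kmsk_run mkdir -p "$KMSK_DIR"
    kmsk_run mount -o ro,nosuid,nodev,noexec "$KMSK_DEV" "$KMSK_DIR"
}

# Leave a short window for several signing runs, then drop the key again.
kmsk_unmount_later() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sleep %s; umount %s\n' "$UNMOUNT_DELAY" "$KMSK_DIR"
        return 0
    fi
    ( sleep "$UNMOUNT_DELAY" && umount "$KMSK_DIR" ) &
}

# Sign every .ko given on the command line with the key from /KMSK.
# sign-file appends the signature in place; the kernel checks it at load time.
kmsk_sign_modules() {
    kmsk_mount
    for mod in "$@"; do
        kmsk_run "$SIGN_FILE" sha256 "$KMSK_KEY" "$KMSK_CERT" "$mod"
    done
    kmsk_unmount_later
}

# Usage (as root, with the key stick plugged in):
#   kmsk_sign_modules /lib/modules/$(uname -r)/updates/nvidia.ko
```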