[kernel-bugs] [Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158
https://bugzilla.suse.com/show_bug.cgi?id=1173158#c42

Michal Kubeček <mkubecek@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jlee@suse.com

--- Comment #42 from Michal Kubeček <mkubecek@suse.com> ---
One thing we should keep in mind is that secure boot, i.e. making sure only a properly signed kernel is loaded, makes very little sense if we then allow loading any strange module into it. It could even be considered a security vulnerability.

So rather than asking for "less lockdown" (for everyone), I would suggest to look for a (secure enough) way to opt out from strict checking that people who want to run NVidia modules on systems with secure boot could do. One obvious idea is a command line parameter - but that is also obviously wrong. Do we have some option to pass parameters "from outside"? Could e.g. EFI variables be used for this? Adding Joey Lee who did the lockdown backport and knows way more about how it works.

The preferable (if viable) solution should still be having the NVidia modules signed, even if with a key that is kept on the system itself (which is, naturally, also questionable from a security point of view). AFAIK the module consists of two parts, "GPL wrapper" and the actual driver which has a kernel incompatible license; does it suffice to sign the "GPL wrapper"?

Some other out of tree modules, e.g. host modules for VMware Workstation, go this way: if you have secure boot, you need to sign the modules after you build them.

--
You are receiving this mail because:
You are the assignee for the bug.
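For the "sign the modules after you build them" route mentioned in the comment, a quick structural check that a built `.ko` actually carries an appended signature is useful before rebooting into secure boot. The following is an added example, not part of the original mail or of any SUSE tooling; it parses the kernel's appended-signature trailer, the sample bytes are constructed, and it does not verify the signature or whether the signing key is trusted.

```python
import struct
import sys

# Layout of a signed module file: ELF payload, PKCS#7 signature data,
# a 12-byte struct module_signature, then this marker string.
MAGIC = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, sig_len (big-endian)
TRAILER = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def inspect_module(blob: bytes) -> dict:
    """Report whether a module image has a well-formed signature trailer."""
    if not blob.endswith(MAGIC):
        return {"signed": False, "reason": "no signature marker"}
    body = blob[: -len(MAGIC)]
    if len(body) < TRAILER.size:
        return {"signed": False, "reason": "truncated trailer"}
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    body = body[: -TRAILER.size]
    # The signature must be non-empty and leave room for a payload.
    if sig_len == 0 or sig_len >= len(body):
        return {"signed": False, "reason": "bad signature length"}
    # For PKCS#7 signatures the kernel expects every other field to be zero.
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        return {"signed": False, "reason": "unexpected trailer fields"}
    return {"signed": True, "sig_len": sig_len,
            "payload_len": len(body) - sig_len}


def build_sample(sig_len_field: int = 16) -> bytes:
    """Constructed sample: 64-byte fake payload plus a 16-byte fake signature."""
    payload = b"\x7fELF" + b"\x00" * 60
    fake_sig = b"\x30" * 16
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, sig_len_field)
    return payload + fake_sig + trailer + MAGIC


if __name__ == "__main__":
    # Usage: python3 check_modsig.py path/to/module.ko [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_module(fh.read()))
```

Compressed modules (`.ko.xz`, `.ko.zst`) have to be decompressed first, since the trailer sits at the end of the uncompressed image.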