[kernel-bugs] [Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158
https://bugzilla.suse.com/show_bug.cgi?id=1173158#c44

--- Comment #44 from Martin Wilck <martin.wilck@suse.com> ---

(In reply to Michal Kubeček from comment #42)

> The preferable (if viable) solution should still be having the NVidia modules signed, even if with a key that is kept on the system itself (which is, naturally, also questionable from a security point of view).

Indeed, I'd say it's not much better than allowing unsigned modules in the first place.

> AFAIK the module consists of two parts, "GPL wrapper" and the actual driver which has a kernel-incompatible license; does it suffice to sign the "GPL wrapper"?

Unless I'm very mistaken, the full module has to be signed. Otherwise circumvention of the lockdown feature would be just too easy. In theory the firmware loading mechanism could be abused to load a binary blob, but the Nvidia driver doesn't do that, and I guess lockdown would prevent this mechanism somehow, too.

> Some other out-of-tree modules, e.g. host modules for VMware Workstation, go this way: if you have Secure Boot, you need to sign the modules after you build them.

Heck, I really don't understand why this has to be done differently for almost every module. *SUSE has an excellent technology to solve this problem.* It is called "Kernel Module Packages", most of it has been designed and engineered at SUSE, and it has well-established processes behind it (Solid Driver). SUSE is better at this than any other Linux distro I'm aware of. The only issue with KMPs in this context is that we can't use OBS to create *proprietary* KMPs for legal reasons, and can't distribute them on our servers. The obvious solution would be to have some external entity (preferably NVidia itself) set up an OBS instance, enabled for module signing, and a key. They don't have to do the KMP engineering themselves if they lack the ability, we'd find someone to do it for them. They'd just have to throw the spec file at their private OBS instance, build, and create a repo.

--
You are receiving this mail because:
You are the assignee for the bug.
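The thread turns on whether a module carries a signature the kernel will check under lockdown, and the bug title mentions CONFIG_MODULE_SIG=y. The following is an added example, not code from the bug report, from SUSE, or from the NVIDIA driver: it parses the trailer that the kernel's scripts/sign-file appends to a .ko (module data, PKCS#7 signature, a 12-byte struct module_signature, then a magic string), so a defender can tell signed from unsigned modules in a build tree or package. The layout and the PKCS#7 id_type value 2 are taken from the kernel's module_signature.h; the sample module bytes and the "signature" in the test are constructed placeholders, not real ELF or DER data.

```python
"""Inspect the signature trailer the Linux kernel appends to a .ko file.

Added example (not from the bug report). The layout mirrors the kernel's
include/linux/module_signature.h: [module data][signer][key id][signature]
[struct module_signature][magic]. Modern kernels only accept id_type
PKEY_ID_PKCS7 (2), where signer/key id are absent and the signature is a
PKCS#7 DER blob verified against the kernel's trusted keyrings.
"""
import struct

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes in total).
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def append_signature_trailer(module: bytes, pkcs7_der: bytes) -> bytes:
    """Lay out a trailer the way sign-file does (no real signing happens here).

    Used below to build a constructed sample; on a real system the DER blob
    comes from sign-file / OpenSSL and the kernel verifies it at insmod time.
    """
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + info + MAGIC


def parse_module_signature(module: bytes):
    """Return a dict describing the appended signature, or None if unsigned.

    A malformed trailer raises ValueError so that a corrupt or tampered file
    is never silently reported as merely unsigned.
    """
    if not module.endswith(MAGIC):
        return None  # no trailer: the kernel treats this as an unsigned module
    body = module[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("trailer too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:]
    )
    payload = body[: -SIG_INFO.size]
    if sig_len + signer_len + key_id_len > len(payload):
        raise ValueError("declared signature length exceeds file size")
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        # Same sanity check the kernel applies: PKCS#7 carries its own metadata.
        raise ValueError("PKCS#7 trailer must have zero algo/hash/signer/key_id")

    # Peel fields off the end in reverse order of how they were appended.
    signature = payload[len(payload) - sig_len:]
    rest = payload[: len(payload) - sig_len]
    key_id = rest[len(rest) - key_id_len:]
    rest = rest[: len(rest) - key_id_len]
    signer = rest[len(rest) - signer_len:]
    module_len = len(rest) - signer_len

    return {
        "id_type": id_type,
        "algo": algo,
        "hash": hash_,
        "signer": signer,
        "key_id": key_id,
        "signature": signature,
        "module_len": module_len,
    }


def describe(path: str) -> str:
    """One-line summary for a module on disk, e.g. for auditing a build tree."""
    with open(path, "rb") as fh:
        info = parse_module_signature(fh.read())
    if info is None:
        return f"{path}: UNSIGNED"
    kind = "PKCS#7" if info["id_type"] == PKEY_ID_PKCS7 else f"id_type={info['id_type']}"
    return f"{path}: signed ({kind}, {len(info['signature'])}-byte signature)"


if __name__ == "__main__":
    import sys

    for ko in sys.argv[1:]:
        print(describe(ko))
```

Run it as `python3 check_ko_sig.py /path/to/*.ko` to list which modules carry a trailer; on a live system `modinfo -F sig_key` reports the same fact. Note that the presence of a trailer only shows that something was appended: whether the module actually loads under lockdown depends on the kernel verifying the PKCS#7 signature against its built-in or platform keyrings, which is why a key that lives on the same machine buys little, as the comment above points out.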