[kernel-bugs] [Bug 1173158] CONFIG_MODULE_SIG=y
https://bugzilla.suse.com/show_bug.cgi?id=1173158
https://bugzilla.suse.com/show_bug.cgi?id=1173158#c59
--- Comment #59 from Joey Lee
While I think the KMP solution is The Right Thing (TM), it is obviously not viable short-term. Here's an idea what we can do quickly:
- create a new kernel flavor, call it "nolockdown" or whatever, that loosens lockdown features enough to load NVidia and other proprietary drivers. - sign this flavor with a different key, which is not allowed on SB systems by default. People who want to use that key would need to set it up using mokutil. that would be a one-time measure, as opposed to having to provide keys with every driver rebuild.
Yes, I think this is the key point. User should enroll the nolockdown kernel key by them self because shim will not embeds this "nolockdown kernel key". Microsoft will not sign that shim.
- that kernel package could be accompanied by an EULA file explaining why it exists and what the security implications are.
Advantages:
* It allows leaving the secure boot setting on in the BIOS (might be mandated by another OS on the system, or other policies). * It satisfies the security requirement that enabling it requires an explicit action of the user in the UEFI environment ("physical presence" - well). * It's far better than adding a "nolockdown" kernel command line parameter from a security PoV. * Security-wise, people using this kernel would be as "good" as Leap 15.1 users, possibly a little better off. * It's less hassle for users than having to create and deploy keys themselved, possibly repeatedly. * It should be pretty quick to implement, no re-engineering of NVidia drivers needed.
-- You are receiving this mail because: You are the assignee for the bug.
participants (1)
-
bugzilla_noreply@suse.com