On Fri, 2 Mar 2018 16:08:20 +0100 Richard Brown <RBrownCCB@opensuse.org> wrote:
On 2 March 2018 at 15:44, Jiri Slaby <jslaby@suse.cz> wrote:
Hi,
we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future.
The reasons are at least:
* to allow for more security (attackers have a harder time replacing our modules with theirs)
* offer what SLE offers. We have modules signing there since SLE11 (i.e. 2012)!
* be competitive with other distros; Ubuntu and Fedora both sign
So my plan is to enable modules signing in the near future, perhaps even before merging 4.16 and push it out to the wild. There may be some nits to solve, but given we are flying on SLE for years already, it should be no hard work.
As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me included) to have secure boot disabled. That is not nice at all.
On the other hand, for people who test on Leap we should probably preserve an unsigned flavor or provide a separate repo built against Leap.
Thanks
Michal