Hi,

On Fri, Mar 02, 2018 at 03:44:20PM +0100, Jiri Slaby wrote:
Hi,
we currently sign the kernel in openSUSE but we don't sign modules. I am not going to open the questions for released/semi-released products like openSUSE 42.3 or openSUSE 15. But I see no reason why we shouldn't sign modules in Tumbleweed and in releases forked from TW in the future.
The reasons are at least:
* to allow for more security (attackers have a harder time replacing our modules with theirs)
* offer what SLE offers. We have had module signing there since SLE11 (i.e. 2012)!
* be competitive with other distros; Ubuntu and Fedora both sign
So my plan is to enable modules signing in the near future, perhaps even before merging 4.16 and push it out to the wild. There may be some nits to solve, but given we are flying on SLE for years already, it should be no hard work.
As the next step, I would love to have kernels in Kernel:* signed by SUSE keys too. The current state forces people who test them (me included) to have secure boot disabled. That is not nice at all.
The NVIDIA KMP users might not like you for this though... Or we need to think about something for them.

Ciao, Marcus