Could this feature work with 3rd party kernel modules, in a UEFI
Secure Boot (and thus kernel lockdown) context?

Workstation working group is tracking this problem as
https://pagure.io/fedora-workstation/issue/155

If DIGLIM could be used for this use case, I further wonder whether
it's possible to have multiple signatures for different portions of a
kernel module? The purpose is so NVIDIA can sign their proprietary
binary blob (because it's theirs, no one else's, and therefore they
should sign it). Next, either (a) Fedora, (b) RPM Fusion, or (c) the user
can sign the remainder of the kernel module (the parts that are open
source anyway). It's an open question who could or should sign
NVIDIA's key, to narrowly indicate trust. And also a mechanism for
revoking that trust without breaking everything else.

--
Chris Murphy