On Wed, Apr 6, 2022 at 6:31 PM Chris Murphy <li...@colorremedies.com> wrote:
>
> On Wed, Apr 6, 2022 at 10:23 AM Justin Forbes <jmfor...@linuxtx.org> wrote:
>
> > > Apple and Microsoft signing NVIDIA's proprietary driver doesn't at all
> > > indicate Apple and Microsoft trust the driver itself. It is trusting
> > > the providence of the blob, in order to achieve an overall safer
> > > ecosystem for their users.
> > >
> > > We either want users with NVIDIA hardware to be inside the Secure Boot
> > > fold or we don't. I want them in the fold *despite* the driver that
> > > needs signing is proprietary. That's a better user experience across
> > > the board, including the security messaging is made consistent. The
> > > existing policy serves no good at all and is double talk. If we really
> > > care about security more than ideological worry, we'd sign the driver.
> >
> > At the very least, it would require that Fedora have a separate key
> > that is trusted and not the same one used for shim/grub/kernel.
>
> If Fedora is going to sign it, rather than improving the local signing
> experience, absolutely it should be signed with a separate key. The
> design should assume a revocation is going to happen at some point.
>
> > We
> > certainly aren't proposing that we use the standard Fedora keys to
> > sign a binary blob that runs in kernel space from a company who was
> > most recently hacked last month?
>
> No way.
>
> I don't think there's a mechanism for it, but I'd prefer Fedora sign
> the 3rd party's key rather than their binary. Maybe it's a small
> distinction at the end of the day.


We have not set up an infrastructure for it, but in all honesty, there
is no technical reason that any 3rd party repository building and
packaging the driver could not have done such a thing a couple of
years ago.  The mechanism has been there, pesign can sign modules.
Now, asking Fedora to trust that key is a different issue, but users
have to reboot after installing the nvidia drivers anyway, so clicking
to accept the key isn't too much of a hurdle to jump through at that
point.

Justin
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to