On Thu, Apr 7, 2022 at 9:27 AM Chris Adams <li...@cmadams.net> wrote: > > Once upon a time, Simo Sorce <s...@redhat.com> said: > > Ideally dkms (or whatever) could simply generate a key, sign the module > > and manage to get the public key in the right place so that the module > > can be verified. > > That's not possible, is it? I assume the user has to interact with the > firmware at some point to install a new key. Otherwise, the whole thing > would be a waste of time. >
Yes. DKMS can be told to sign with a key, but the key needs to exist first and be set up in firmware. Automating it requires moving it out of firmware scope and putting it exclusively at the operating system level. This is what Windows has for managing trust for kernel drivers. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
