On Fri, May 29, 2015 at 11:57 AM, Sérgio Basto <ser...@serjux.com> wrote:
> On Sex, 2015-05-29 at 09:28 -0400, Josh Boyer wrote:
>> On Fri, May 29, 2015 at 9:19 AM, Sérgio Basto <ser...@serjux.com> wrote:
>> > On Sex, 2015-05-29 at 08:54 -0400, Josh Boyer wrote:
>> >> On Fri, May 29, 2015 at 8:40 AM, David Sommerseth <dav...@redhat.com>
>> >> wrote:
>> >> > On 28/05/15 17:45, Josh Boyer wrote:
>> >> >> On Thu, May 28, 2015 at 11:26 AM, David Sommerseth <dav...@redhat.com>
>> >> >> wrote:
>> >> >>>
>> >> >>> Hi,
>> >> >>>
>> >> >>> I've started poking into packaging the mhvtl project for Fedora and
>> >> >>> EPEL. This package also contains a kernel module, which normally
>> >> >>> works fine - until you hit Secure Boot.
>> >> >>>
>> >> >>> So I was wondering how to handle this the best way. AFAIK, there are
>> >> >>> currently no plans to get the mhvtl.ko kernel module into the upstream
>> >> >>> kernel.
>> >> >>
>> >> >> Where can I read more information on this project, and why that might
>> >> >> be?
>> >> >
>> >> > Duh! I'm so into this I forgot to add better project info ...
>> >> >
>> >> > <https://sites.google.com/site/linuxvtl2/>
>> >>
>> >> Sorry, I should have been more explicit in my question. I found the
>> >> site by googling of course, but I was curious if you had pointers to
>> >> reasoning/discussion around why the kernel module won't be pushed
>> >> upstream.
>> >>
>> >> >> It is worth noting that Fedora does not allow packages other than the
>> >> >> kernel to ship kernel modules.
>> >> >
>> >> > Oh, I was not aware of that. But compiling a kernel module "on-the-fly"
>> >> > is acceptable for Fedora?
>> >>
>> >> Kinda. Packages that do that exist. We know they exist. We assume
>> >> the people maintaining them are going to be polite and deal with
>> >> issues.
>> >
>> > This is a good subject for RPMFusion and all its kmods ..., but I
>> > really don't have time to think about it.
>> >
>> > In Ask we got examples of kmods signed for VirtualBox under Secure
>> > Boot:
>> >
>> > https://ask.fedoraproject.org/en/question/68285/best-way-to-install-virtualbox/?answer=68413#post-id-68413
>> >
>> > https://ask.fedoraproject.org/en/question/34470/virtual-box-on-fedora-19-fails-to-start-a-vm/?answer=59222#post-id-59222
>> >
>> > It seems possible to ship kernel modules on the fly since the Fedora
>> > kernel package also does it (it seems), I read that somewhere.
>>
>> Er... no we don't. The kernel package provides all its modules
>> already built. It doesn't build any on the fly after it is installed.
>> I'm not sure where you read that.
>
> Sorry, I meant, the kernel package signs (the kernel modules) on the
> fly? That's what we need; we need to build a package and sign the kernel
> modules on that build.
Ah, yes. The kernel modules are signed using an auto-generated cert
during the kernel build. However, that doesn't help third-party
modules at all. The auto-generated cert is discarded when the kernel
package build completes and isn't available for use outside of the
koji buildroot for that specific kernel build. So at the time the
kernel package is installed, the modules are already signed but the
cert that was used is long since deleted. If one were to install
kernel-devel and rebuild a module, it would auto-generate a new cert
and use that to sign, but the installed kernel doesn't trust that
cert. That is why David's plan, while complicated, is necessary.

josh
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
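The point Josh makes above is that a module carrying a signature is not the same as a module the running kernel trusts: the kernel only accepts a signature if the signing certificate is in a keyring it already trusts (the keys built into that kernel, or keys that Secure Boot hands it from the UEFI db/MOK), and the cert koji generated for the distribution build is gone. The script below is an added example, not code from the thread, from Fedora, or from the kernel tree. It parses the signature trailer that the kernel's scripts/sign-file appends to a .ko (the layout from include/linux/module_signature.h: PKCS#7 DER blob, then a 12-byte struct module_signature, then the 28-byte magic string) and reports whether a module is unsigned, signed, or carries a malformed trailer. It deliberately stops short of deciding trust, because that decision belongs to the kernel keyring, not to a userspace check. The sample module body and DER blob are constructed placeholders; `append_signature` mirrors what sign-file writes so that the example is self-contained. The mokutil/sign-file workflow mentioned at the end is the general Secure Boot procedure behind the Ask Fedora answers linked above, not something the thread itself spells out.

```python
"""Inspect the signature trailer the kernel's scripts/sign-file appends to a .ko.

Layout of a signed module (kernel include/linux/module_signature.h, scripts/sign-file.c):
    [ELF module] [PKCS#7/CMS DER blob] [struct module_signature, 12 bytes] [MAGIC, 28 bytes]
Added example; not code from the thread, Fedora, or the kernel tree.
"""
import struct

MAGIC = b"~Module signature appended~\n"   # 28 bytes, always the last thing in a signed .ko
PKEY_ID_PKCS7 = 2                           # id_type that sign-file writes
# struct module_signature { u8 algo, hash, id_type, signer_len, key_id_len;
#                           u8 __pad[3]; __be32 sig_len; }
SIG_INFO = struct.Struct(">BBBBB3xI")      # 12 bytes, sig_len is big-endian


def append_signature(module: bytes, pkcs7_der: bytes) -> bytes:
    """Append a detached PKCS#7 signature the way scripts/sign-file does.

    For PKCS#7 the algo/hash/signer/key_id fields are all zero; the signer
    identity lives inside the CMS blob itself.
    """
    trailer = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_der))
    return module + pkcs7_der + trailer + MAGIC


def _der_total_length(blob: bytes):
    """Total length (header included) of the outermost DER SEQUENCE, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    first = blob[1]
    if first < 0x80:                      # short form
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(blob) < 2 + n:
        return None
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def parse_module_signature(data: bytes):
    """Return {"module", "signature", "sig_len"} for a signed .ko, None if unsigned.

    Raises ValueError when the magic is present but the trailer is inconsistent,
    mirroring the sanity checks the kernel applies before touching the CMS blob.
    """
    if not data.endswith(MAGIC):
        return None
    without_magic = data[:-len(MAGIC)]
    if len(without_magic) < SIG_INFO.size:
        raise ValueError("trailer too short for struct module_signature")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        without_magic[-SIG_INFO.size:])
    payload = without_magic[:-SIG_INFO.size]
    if id_type != PKEY_ID_PKCS7:
        raise ValueError(f"unexpected id_type {id_type}; sign-file writes {PKEY_ID_PKCS7}")
    if algo or hash_id or signer_len or key_id_len:
        raise ValueError("PKCS#7 trailer must have zero algo/hash/signer/key_id fields")
    if sig_len == 0 or sig_len > len(payload):
        raise ValueError("sig_len does not fit inside the module")
    module, signature = payload[:-sig_len], payload[-sig_len:]
    # Cheap structural check before anyone hands the blob to a real CMS parser.
    if _der_total_length(signature) != sig_len:
        raise ValueError("signature blob is not a DER SEQUENCE spanning sig_len bytes")
    return {"module": module, "signature": signature, "sig_len": sig_len}


def strip_signature(data: bytes) -> bytes:
    """Return the module without its trailer (e.g. before re-signing with a MOK key)."""
    info = parse_module_signature(data)
    return data if info is None else info["module"]


def describe_module(data: bytes) -> str:
    """One-line verdict suitable for a packaging or build-time check."""
    try:
        info = parse_module_signature(data)
    except ValueError as exc:
        return f"malformed signature trailer: {exc}"
    if info is None:
        return "unsigned"
    return (f"signed: {info['sig_len']}-byte PKCS#7 blob appended "
            f"(whether the signer is trusted is decided by the kernel keyring, not here)")


if __name__ == "__main__":
    # Constructed sample input: a stand-in for a .ko and a stand-in DER SEQUENCE.
    body = b"\x7fELF" + bytes(64)
    fake_der = b"\x30\x82\x00\x0a" + bytes(10)        # SEQUENCE, long-form length 10
    signed = append_signature(body, fake_der)
    print("rebuilt module:", describe_module(body))
    print("signed module :", describe_module(signed))
    tampered = signed[:-(len(MAGIC) + 4)] + (99999).to_bytes(4, "big") + MAGIC
    print("tampered      :", describe_module(tampered))
```

A "signed" verdict here is exactly the state Josh describes for a module rebuilt against kernel-devel: the trailer is well formed, but the kernel will still refuse it under Secure Boot because the fresh auto-generated cert is not in any keyring it trusts. The usual way out for a third-party kmod is to sign with a key you control (`/usr/src/kernels/$(uname -r)/scripts/sign-file sha256 MOK.priv MOK.der mhvtl.ko`) and enroll `MOK.der` once through shim with `mokutil --import MOK.der`; `strip_signature` lets you remove a stale trailer before re-signing.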