I do not see why the developers have chosen to prompt users to disable
secure boot in order to install third-party drivers. While I understand
that Canonical is unable to use their key to sign kernel modules generated
by DKMS, it would be trivial to generate, sign and import a key for select
third-party drivers. For example, it would be easy to package a third-party
driver with a post-installation script to issue the following commands:

Using VirtualBox as an example:

# openssl req -new -x509 -newkey rsa:2048 -keyout /path/to/keys/VBOX.priv \
    -outform DER -out /path/to/keys/VBOX.der -nodes -days 36500 \
    -subj "/CN=Canonical/"

# /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
    /path/to/keys/VBOX.priv /path/to/keys/VBOX.der $(modinfo -n vboxdrv)

# mokutil --import /path/to/keys/VBOX.der

Then all you would need to do is create a script to update the keys every
time there is a kernel upgrade. A script could be created and stored
in /etc/kernel/postinst.d with the following commands:

# /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
    /path/to/keys/VBOX.priv /path/to/keys/VBOX.der $(modinfo -n vboxdrv)

# mokutil --import /path/to/keys/VBOX.der

Now the user will be able to reboot their machine, enter the password given
when prompted by mokutil to supply one, and follow the on-screen
instructions to import the key. Now users will be able to install
third-party drivers without being forced to disable secure boot.

I believe this solution is far better than the current approach to
completely disable secure boot when a user tries to install third-party
drivers. Not only will something like this be more user-friendly, but it
also allows a large number of Ubuntu users to take advantage of a modern
security technology without giving up usability.

Thank you in advance for taking my feedback into consideration.
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
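
An added sketch of the kernel-upgrade hook proposed in the message above (not code from the original post or from Ubuntu). It signs for the kernel version passed to the hook as $1 rather than the running kernel, skips modules that already carry a signature, and refuses to use a private key that group or others can access. The hook name, the environment overrides and the assumption that vboxdrv has already been built as an uncompressed .ko for the new kernel are all hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical hook, e.g. /etc/kernel/postinst.d/zz-sign-vboxdrv.
# Key paths are the placeholders from the message; override via environment.
KEY_PRIV=${KEY_PRIV:-/path/to/keys/VBOX.priv}
KEY_DER=${KEY_DER:-/path/to/keys/VBOX.der}
MODULES_ROOT=${MODULES_ROOT:-/lib/modules}
SRC_ROOT=${SRC_ROOT:-/usr/src}
SIG_MAGIC='~Module signature appended~'   # trailer the kernel looks for

# True if the file ends with the module-signature trailer (uncompressed .ko only).
is_signed() {
    [ "$(tail -c 28 "$1" 2>/dev/null | tr -d '\0')" = "$SIG_MAGIC" ]
}

# True if the key is a regular file with no group/other permission bits.
key_is_private() {
    case $(ls -ld "$1" 2>/dev/null) in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print modules (names in $2...) under kernel version $1 that lack a signature.
unsigned_modules() {
    kver=$1; shift
    for name in "$@"; do
        find "$MODULES_ROOT/$kver" -name "$name.ko" 2>/dev/null
    done | while IFS= read -r ko; do
        is_signed "$ko" || printf '%s\n' "$ko"
    done
}

# Sign vboxdrv for kernel version $1 with that kernel's own sign-file.
sign_for_kernel() {
    kver=$1
    sign_file="$SRC_ROOT/linux-headers-$kver/scripts/sign-file"
    key_is_private "$KEY_PRIV" || { echo "refusing: $KEY_PRIV missing or accessible to group/other" >&2; return 1; }
    [ -x "$sign_file" ] || { echo "no sign-file for $kver" >&2; return 1; }
    unsigned_modules "$kver" vboxdrv | while IFS= read -r ko; do
        "$sign_file" sha256 "$KEY_PRIV" "$KEY_DER" "$ko" || exit 1
    done
}

# Kernel postinst hooks receive the new kernel version as $1.
if [ -n "${1:-}" ]; then
    sign_for_kernel "$1"
fi
```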
