Module signing in Fedora 18

Jonathan Dieter jdieter at gmail.com
Thu Sep 20 14:29:18 CEST 2012


On Wed, 2012-09-19 at 15:50 +0200, Nicolas Chauvet wrote:
> 
> On 19 Sept. 2012 08:24, "Jonathan Dieter" <jdieter at gmail.com> wrote:
> >
> > I've just finished reading http://jwboyer.livejournal.com/44787.html and
> > was wondering what the progress was on making sure RPM Fusion's kernel
> > modules will be able to be installed on a SecureBoot Fedora 18 system.
> >
> > Do we have anyone actively working on this, and, if not, do we have
> > someone who's planning to work on it?
> Hi
> 
> Which module provided by rpmfusion do you specifically expect to be
> signed for secure boot?

Well, for me personally, it would be kmod-staging, but I suspect we'll
have more users interested in having the binary NVidia or Catalyst
drivers signed.

As I understand it, new computers with Windows 8 preinstalled will have
SecureBoot enabled by default, and Fedora 18 will be able to boot on
these computers without any change in BIOS settings.  The problem is
that, if I've got it right, the kernel will refuse to load unsigned
modules if SecureBoot is on.

So, as I see it, we will need to either:
     A. Tell users to turn off SecureBoot if they want to use any kmods
     B. Create an RPM Fusion key, sign kmods with it, and work out some
        method for getting the public key on the system, preferably
        without requiring user intervention, though that last bit might
        be a pipe dream.

If we're going to do (A), I think we need to document it very clearly.
Something like "Kmods will not work unless SecureBoot is disabled.  To
disable SecureBoot, please consult your BIOS documentation."

If we're going to do (B), I think now would be a good time to start
investigating how it will work.  According to the link in my original
email, the Fedora kernel developers have been stabilizing the kernel
module signing interface specifically so "third party repositories" can
start working out how to sign out-of-tree modules.

I'd be happy to start looking into (B) if nobody else is working on it
and if this is the road RPM Fusion wants to go down.  I'm not a kernel
developer, so I'm probably not the best person for the task, but I'd
rather see if I can come up with something than have us do (A)
because of inertia.

If I've missed something in all this, please feel free to correct me,
and if there are other alternatives that I've missed, please share them.

Jonathan
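
An added example, not part of the original message and not Fedora or RPM Fusion code: a check for whether a kernel module file carries an appended signature, which is what a signing workflow like option (B) would produce and what a packager would want to confirm before shipping a kmod. It assumes the mainline Linux appended-signature layout (signature data, a 12-byte `struct module_signature`, then a magic string), which may differ from the interface discussed in the thread; the function names and the sample module bytes are constructed for illustration.

```python
import struct

MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, big-endian sig_len (layout assumed from mainline Linux).
TRAILER = struct.Struct(">BBBBB3xI")


def parse_module_signature(blob):
    """Return metadata for an appended signature, or None if absent/malformed.

    This only detects and frames the signature; it does not verify it, so a
    non-None result does not mean the running kernel trusts the signer.
    """
    if not blob.endswith(MAGIC):
        return None
    trailer_at = len(blob) - len(MAGIC) - TRAILER.size
    if trailer_at < 0:
        return None
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = \
        TRAILER.unpack_from(blob, trailer_at)
    module_len = trailer_at - (signer_len + key_id_len + sig_len)
    if module_len < 0:  # lengths claim more data than the file holds
        return None
    signer_end = module_len + signer_len
    return {
        "module_len": module_len,  # size of the ELF payload that was signed
        "id_type": id_type,
        "signer": blob[module_len:signer_end].decode("utf-8", "replace"),
        "key_id": blob[signer_end:signer_end + key_id_len].hex(),
        "sig_len": sig_len,
    }


def build_sample_module():
    """Constructed sample: fake ELF body plus a dummy (invalid) signature."""
    body = b"\x7fELF" + b"\x00" * 60
    signer = b"Example Repo Signing Key (constructed)"
    key_id = bytes.fromhex("0011223344556677")
    sig = b"\xaa" * 256
    trailer = TRAILER.pack(0, 0, 1, len(signer), len(key_id), len(sig))
    return body + signer + key_id + sig + trailer + MAGIC


if __name__ == "__main__":
    print(parse_module_signature(build_sample_module()))
    print(parse_module_signature(b"\x7fELF" + b"\x00" * 60))  # unsigned
```

A module that parses cleanly here can still be rejected at load time if the signer's public key is not one the kernel trusts, which is the key-distribution problem raised in option (B).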

