Module signing in Fedora 18

Nicolas Chauvet kwizart at gmail.com
Mon Sep 24 23:52:52 CEST 2012


2012/9/20 Jonathan Dieter <jdieter at gmail.com>:
> On Wed, 2012-09-19 at 15:50 +0200, Nicolas Chauvet wrote:
>>
>> On 19 Sept. 2012 08:24, "Jonathan Dieter" <jdieter at gmail.com> wrote:
>> >
>> > I've just finished reading http://jwboyer.livejournal.com/44787.html and
>> > was wondering what the progress was on making sure RPM Fusion's kernel
>> > modules will be able to be installed on a SecureBoot Fedora 18 system.
>> >
>> > Do we have anyone actively working on this, and, if not, do we have
>> > someone who's planning to work on it?
>> Hi
>>
>> Which module provided by rpmfusion do you especially expect to be
>> signed for secure boot?
>
> Well, for me personally, it would be kmod-staging, but I suspect we'll
> have more users interested in having the binary NVidia or Catalyst
> drivers signed.

Well... when asking this question I had in mind that the nvidia
case was off-topic because of the lack of KMS support, but
since modesetting seems to be done in kernel land that might be
pointless (unless PCI regions are also accessed from the Xorg
userland).
http://lwn.net/Articles/515410/

Then I don't know about the ndiswrapper case. Maybe it is worth having
the Windows hardware signature verified in such a case. (Especially
for future hardware, when F18 will be EOL. But it's more of a corner
case; ndiswrapper shouldn't be used that much nowadays.)

So a quick answer: the secure boot feature for RPM Fusion really is a
"must have". But I'd welcome more people to help with these tasks.
Especially:

- Sorting out the infrastructure needs (sigul, what's on the builder?)
- kmodtool modification (signature can be opt-in/opt-out?)
- wiki for users / developers (using their own key?)
- Packaging of the root CA used to sign the module (can cacert.org be
a root CA for secure boot?)

I've started a wiki here: http://rpmfusion.org/Howto/Secure%20Boot for users
and for infra: http://rpmfusion.org/Infrastructure/Secure%20Boot%20Infra
If someone wants to help out.

Thx


Nicolas (kwizart)

