On Wed, Jul 1, 2020 at 5:51 PM Neal Gompa <ngompa13(a)gmail.com> wrote:
> The core of it is that nobody cares. It comes up at least once or
> twice every development cycle in the Workstation Working Group
> meetings, but there's nothing we can do. Sometimes I'll get bullshit
> answers from people. Sometimes they'll just say stuff about security.
> Sometimes they'll say something about it being NVIDIA's problem.

Is there a bug filed for this that I can follow? I didn't see one
from a quick search.

Personally, I use my own Secure Boot keys and sign the modules from
akmods with that. It works fine with the cert in db since that gets
it loaded into the platform keyring. I'd like to see the
extract-vmlinux and/or insert-sys-cert kernel programs learn how to
repack vmlinux back into an existing vmlinuz so that
CONFIG_SYSTEM_EXTRA_CERTIFICATE can be useful with UEFI, and I could
have a separate module signing key and Secure Boot key.