On Thu, 2020-07-09 at 11:17 -0700, stan via devel wrote:
On Thu, 09 Jul 2020 18:07:39 +0300
nickysn(a)gmail.com wrote:
> Yes, that's why "secure boot" should only be an option and the user
> must have the option to turn it off. Otherwise, it wouldn't be
> possible to do any kernel development on that computer.
For my edification. I build custom kernels, and sign them using
pesign with my own key that I generated locally, and put in the EFI
key
database. I can then boot the custom kernel in secure mode. Couldn't
I
also sign modules if I ever generated them with that same key?
That is, isn't this only an issue if the person doing the kernel
development hasn't generated their own key, and isn't signing their
kernels locally?
To be honest, I don't know. Do all UEFI secure boot implementations
allow you to add your own keys to the list of trusted keys?
Nikolay