On Thu, Apr 7, 2022 at 9:27 AM Chris Adams linux@cmadams.net wrote:
Once upon a time, Simo Sorce simo@redhat.com said:
Ideally dkms (or whatever) could simply generate a key, sign the module and manage to get the public key in the right place so that the module can be verified.
That's not possible, is it? I assume the user has to interact with the firmware at some point to install a new key. Otherwise, the whole thing would be a waste of time.
Yes. DKMS can be told to sign with a key, but the key needs to exist first and be set up in firmware. Automating it requires moving it out of firmware scope and putting it exclusively at the operating system level. This is what Windows has for managing trust for kernel drivers.