Could this feature work with 3rd party kernel modules, in a UEFI
Secure Boot (and thus kernel lockdown) context?
Workstation working group is tracking this problem as
https://pagure.io/fedora-workstation/issue/155
If DIGLIM could be used for this use case, I further wonder whether
it's possible to have multiple signatures for different portions of a
kernel module? The purpose is so NVIDIA can sign their proprietary
binary blob (because it's theirs, no one else's, and therefore they
should sign it). Next, either (a) Fedora, (b) RPM Fusion, or (c) the user
can sign the remainder of the kernel module (the parts that are open
source anyway). It's an open question who could or should sign
NVIDIA's key, to narrowly indicate trust. And also a mechanism for
revoking that trust without breaking everything else.
--
Chris Murphy