27 Jun
2022
27 Jun
'22
1:34 p.m.
On Mon, Jun 27, 2022 at 1:56 AM Florian Weimer fweimer@redhat.com wrote:
- Neal Gompa:
I treat Secure Boot purely as a compatibility interface. We need to do just enough to get through the secure boot environment.
Right. It's not even clear to me why we enforce kernel module signatures in Secure Boot mode, and disable a few other kernel features.
If users can load arbitrary unsigned kernel modules or hibernation images, it silently circumvents UEFI Secure Boot. I agree this is a frustrating paradigm for users who want certain features like using 3rd party modules with a Fedora kernel, or using locked down kernel features, but I'm not sure what the alternative is.
--
Chris Murphy