On Feb 22, 2016 6:33 AM, "Bastien Nocera" <bnocera@redhat.com> wrote:
>
>
>
> ----- Original Message -----
> > Josh Boyer wrote:
> > > If you are creating a cert to sign the out-of-tree modules and expect
> > > it to be accepted by the kernel, it cannot be ephemeral.  A user would
> > > need some way to import it into their kernel or have it passed from
> > > grub.  The only way to do so is to have it embedded in shim or the
> > > kernel during the build of those binaries.  I do not foresee Fedora
> > > creating yet another persistent key to sign things with, which means
> > > you would need another tool that can use the existing key in the
> > > kernel builders.
> >
> > That just proves that Restricted Boot and especially our implementation of
> > it (requiring kernel modules to be signed) is a very bad thing.
>
> How do you expect to be able to ensure that the kernel only loads "known good"
> modules if you can insert random modules that might subvert SecureBoot and
> all that it allows to secure?

I still find it confusing that Fedora will let you do anything you want in userspace but will not let you load your own kernel module.  This may or may not be required by MS and/or UEFI Forum rules (I honestly have no idea, and I recall that jejb was going to discuss this at some point but I don't think it ever happened).  Regardless, I don't see a credible widely-applicable threat model under which this is useful.

Would Fedora be permitted to simply drop the signed module requirement?

ISTM a genuinely useful approach might be to forcibly extend some PCR and maybe blank out some keyrings if an unsigned module is loaded.

--Andy
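The thread touches two observable facts on a running kernel: whether module signatures are enforced at all (the `sig_enforce` parameter Josh Boyer's point presupposes), and whether an unsigned or out-of-tree module has ever been loaded (the kernel already records this as the sticky `E` and `O` taint bits, which is the state Andy's PCR-extension idea would make attestable). The script below is an added example, not code from this thread or from Fedora. It decodes the module-related taint bits from `/proc/sys/kernel/tainted` and reads `/sys/module/module/parameters/sig_enforce`, which exists only on kernels built with `CONFIG_MODULE_SIG`; the decoding functions take plain values so the logic can be exercised on constructed input without a live kernel.

```python
"""Report whether this kernel enforces module signatures and whether an
unsigned or out-of-tree module has ever been loaded.

Added example, not from the thread. Reads /proc/sys/kernel/tainted and
/sys/module/module/parameters/sig_enforce (present only with CONFIG_MODULE_SIG);
the decoding functions accept plain values so they can run on constructed input.
"""
from pathlib import Path

# Module-related taint bits from the kernel's tainted-kernels documentation.
# The kernel defines more bits; only the ones relevant to module loading are listed.
TAINT_BITS = {
    0: ("P", "proprietary (non-GPL) module loaded"),
    1: ("F", "module was force-loaded"),
    12: ("O", "out-of-tree module loaded"),
    13: ("E", "unsigned module loaded"),
}

TAINT_PATH = Path("/proc/sys/kernel/tainted")
SIG_ENFORCE_PATH = Path("/sys/module/module/parameters/sig_enforce")


def decode_taint(mask: int) -> list[str]:
    """Return the module-related taint letters set in ``mask``, in bit order."""
    return [letter for bit, (letter, _) in sorted(TAINT_BITS.items()) if mask & (1 << bit)]


def unsigned_module_loaded(mask: int) -> bool:
    """True if the 'E' bit is set: an unsigned module was loaded at some point."""
    return bool(mask & (1 << 13))


def signatures_enforced(sig_enforce: str) -> bool:
    """Interpret the sig_enforce sysfs value ("Y" or "N")."""
    return sig_enforce.strip().upper() == "Y"


def assess(mask: int, sig_enforce: str) -> dict:
    """Combine the two readings into a verdict a defender can act on."""
    enforcing = signatures_enforced(sig_enforce)
    flags = decode_taint(mask)
    unsigned = unsigned_module_loaded(mask)
    if enforcing and not unsigned:
        verdict = "enforcing; no unsigned module has been loaded"
    elif enforcing and unsigned:
        # sig_enforce can only be switched from N to Y at runtime, and the taint
        # bit is sticky, so this means an unsigned load happened before enforcement.
        verdict = "enforcing now, but an unsigned module was loaded earlier"
    elif unsigned:
        verdict = "not enforcing; at least one unsigned module has been loaded"
    else:
        verdict = "not enforcing; no unsigned module loaded so far"
    return {
        "enforcing": enforcing,
        "taint_flags": flags,
        "unsigned_loaded": unsigned,
        "verdict": verdict,
    }


def read_live() -> dict:
    """Read the real values from this host; use safe defaults if the files are absent."""
    mask = int(TAINT_PATH.read_text()) if TAINT_PATH.exists() else 0
    # A missing sig_enforce means the kernel was built without CONFIG_MODULE_SIG,
    # in which case nothing is enforced.
    enforce = SIG_ENFORCE_PATH.read_text() if SIG_ENFORCE_PATH.exists() else "N"
    return assess(mask, enforce)


if __name__ == "__main__":
    # Constructed sample: bits 12 and 13 set (4096 + 8192) on a non-enforcing kernel.
    print(assess(12288, "N"))
    print(read_live())
```

The taint mask is the only persistent trace the stock kernel keeps of an unsigned load; it survives until reboot but is not bound to anything a remote verifier can check, which is the gap the PCR-extension suggestion above is aimed at.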