On Wed, Apr 6, 2022 at 4:09 PM Demi Marie Obenour
<demiobenour(a)gmail.com> wrote:
>
> On 4/6/22 06:43, Neal Gompa wrote:
>> On Wed, Apr 6, 2022 at 12:04 AM Gary Buhrmaster
>> <gary.buhrmaster(a)gmail.com> wrote:
>>>
>>> On Wed, Apr 6, 2022 at 12:59 AM Demi Marie Obenour
>>> <demiobenour(a)gmail.com> wrote:
>>>>
>>>> On 4/5/22 19:38, Chris Murphy wrote:
>>>>> We either want users with NVIDIA hardware to be inside the Secure
Boot
>>>>> fold or we don't. I want them in the fold *despite* the driver
that
>>>>> needs signing is proprietary. That's a better user experience
across
>>>>> the board, including the security messaging is made consistent. The
>>>>> existing policy serves no good at all and is double talk. If we
really
>>>>> care about security more than ideological worry, we'd sign the
driver.
>>>>
>>>> I agree with this. Sign the driver.
>>>
>>> Nvidia has their driver signed for their
>>> Windows drivers. That they choose
>>> not to do so for Linux is their right,
>>> even if some wish they did.
>>>
>>> It should be noted that while many
>>> might wish nvidia chose a different
>>> way, that is completely orthogonal
>>> to bios vs uefi.
>>
>> Linux, like Windows, requires the distribution vendor to sign modules
>> for automatic trust. There are a number of complicated issues that
>> make it difficult for us to sign this particular driver, though.
>> Notably, NVIDIA themselves acknowledges that it infringes on the GPL
>> to redistribute built kernel module blobs of nvidia.ko[1], so that means
>> any method of signing it needs to be done locally, which means we
>> *need* the local signing path to be improved.
>>
>> [1]:
https://imgur.com/LUCQ3WW
>
> Can we get NVIDIA to make the module build reproducible? If so, we
> could distribute a detached signature.
>
Outside of RHEL (which they already do this for), it is not
technically feasible to do so. The mainline Linux kernel lacks a kABI
and symbol churn happens constantly. The modules have to be built
completely from source every time, dealing with kernel churn making
the resulting files different every time.
Are they different *per-user*, or only *per-kernel-version*?
If the latter, one could create signatures for every (driver version,
kernel version) combo.
--
Sincerely,
Demi Marie Obenour (she/her/hers)