On Thu, Jan 14, 2016 at 2:00 PM, Josh Boyer <jwboyer(a)fedoraproject.org> wrote:
On Thu, Jan 14, 2016 at 1:54 PM, Neal Gompa
<ngompa13(a)gmail.com> wrote:
> On Thu, Jan 14, 2016 at 1:49 PM, Samuel Sieb <samuel(a)sieb.net> wrote:
>> On 01/14/2016 07:56 AM, Neal Gompa wrote:
>>>
>>> Aside from the DNF issue, is there anything else I'm missing in
>>> relation to kmods in Fedora?
>>>
>> If you have secure boot, you have to go through the process to sign the
>> kernel modules you build and register the key with the boot system.
>
> That would be something our build system (Koji, etc.) would handle if
> we allowed them again, right? After all, I believe Koji handles our
> kernel signing, too.
No, it would not.
The kernel modules are signed with an ephemeral cert as part of the
kernel build process. They are not signed with the Fedora cert used
for Secure Boot. The vmlinuz and grub2 binaries are signed with the
Secure Boot cert. The tool that does the signing only works with
PECoff binaries and the kernel modules are not PECoff.
So no, the build system does not support signing modules outside of
the normal kernel build.
So that would mean in order to make kernel modules build to work
outside of the kernel build process, we would need a way to add more
certs that would be accepted by the kernel and grub, right? I assume
you'd want to do the ephemeral cert process for kmod builds too?
--
真実はいつも一つ!/ Always, there's only one truth!