On Wed, Apr 6, 2022 at 4:09 PM Demi Marie Obenour demiobenour@gmail.com wrote:
On 4/6/22 06:43, Neal Gompa wrote:
On Wed, Apr 6, 2022 at 12:04 AM Gary Buhrmaster gary.buhrmaster@gmail.com wrote:
On Wed, Apr 6, 2022 at 12:59 AM Demi Marie Obenour demiobenour@gmail.com wrote:
On 4/5/22 19:38, Chris Murphy wrote:
We either want users with NVIDIA hardware to be inside the Secure Boot fold or we don't. I want them in the fold *despite* the driver that needs signing is proprietary. That's a better user experience across the board, including the security messaging is made consistent. The existing policy serves no good at all and is double talk. If we really care about security more than ideological worry, we'd sign the driver.
I agree with this. Sign the driver.
Nvidia has their driver signed for their Windows drivers. That they choose not to do so for Linux is their right, even if some wish they did.
It should be noted that while many might wish nvidia chose a different way, that is completely orthogonal to bios vs uefi.
Linux, like Windows, requires the distribution vendor to sign modules for automatic trust. There are a number of complicated issues that make it difficult for us to sign this particular driver, though. Notably, NVIDIA themselves acknowledges that it infringes on the GPL to redistribute built kernel module blobs of nvidia.ko[1], so that means any method of signing it needs to be done locally, which means we *need* the local signing path to be improved.
Can we get NVIDIA to make the module build reproducible? If so, we could distribute a detached signature.
Outside of RHEL (which they already do this for), it is not technically feasible to do so. The mainline Linux kernel lacks a kABI and symbol churn happens constantly. The modules have to be built completely from source every time, dealing with kernel churn making the resulting files different every time.