Half-OT: Secure boot and third party kernel modules
Florian Weimer
fweimer at redhat.com
Mon Jul 7 06:38:40 UTC 2014
On 07/06/2014 07:10 PM, Sergio Belkin wrote:

> So, the question is: Is it worth signing "my own" kernel?

Only if you keep your own key on a sufficiently separated machine,
otherwise it's equivalent to disabling Secure Boot anyway.

It's also not clear if the VirtualBox kernel modules themselves are
capable of bypassing Secure Boot, so the entire effort might be futile
for this reason as well.

Note that Microsoft's current policy may not allow unrestricted
virtualization (KVM or VirtualBox—does not matter) because that "permits
launch of another operating system instance after execution of
unauthenticated code"—the wording is rather unclear. If Microsoft
clarifies that this is forbidden, a future Fedora update will remove
this functionality, so you will be forced to disable Secure Boot at this
point anyway if you want to continue to use virtualization.

--
Florian Weimer / Red Hat Product Security