Half-OT: Secure boot and third party kernel modules

Florian Weimer fweimer at redhat.com
Mon Jul 7 06:38:40 UTC 2014


On 07/06/2014 07:10 PM, Sergio Belkin wrote:
> So, the question is: Is it worth signing "my own" kernel?

Only if you keep your own key on a sufficiently separated machine, 
otherwise it's equivalent to disabling Secure Boot anyway.

It's also not clear if the VirtualBox kernel modules themselves are 
capable of bypassing Secure Boot, so the entire effort might be futile 
for this reason as well.

Note that Microsoft's current policy may not allow unrestricted 
virtualization (KVM or VirtualBox—does not matter) because that "permits 
launch of another operating system instance after execution of 
unauthenticated code"—the wording is rather unclear.  If Microsoft 
clarifies that this is forbidden, a future Fedora update will remove 
this functionality, so you will be forced to disable Secure Boot at this 
point anyway if you want to continue to use virtualization.

-- 
Florian Weimer / Red Hat Product Security

