Half-OT: Secure boot and third party kernel modules
Petr Pisar
ppisar at redhat.com
Tue Jul 8 08:19:07 UTC 2014
On 2014-07-07, Florian Weimer <fweimer at redhat.com> wrote:
> Note that Microsoft's current policy may not allow unrestricted
> virtualization (KVM or Virtualbox—does not matter) because that "permits
> launch of another operating system instance after execution of
> unauthenticated code"—the wording is rather unclear. If Microsoft
> clarifies that this is forbidden, a future Fedora update will remove
> this functionality, so you will be forced to disable Secure Boot at this
> point anyway if you want to continue to use virtualization.
>
Could you elaborate more on what "unauthenticated code" is in this case? Is
it a userspace tool for controlling in-kernel virtualization (e.g. qemu
in the case of KVM)? Because KVM as a kernel module is signed.
If so, what if the user uses pure user-space emulation (e.g. qemu)? Either
that imposes that user space executables have to be signed too, or the
unclarified statement lacks any meaningful purpose.
-- Petr