On Thu, Apr 7, 2022 at 9:27 AM Chris Adams <[email protected]> wrote: > > Once upon a time, Simo Sorce <[email protected]> said: > > Ideally dkms (or whatever) could simply generate a key, sign the module > > and manage to get the public key in the right place so that the module > > can be verified. > > That's not possible, is it? I assume the user has to interact with the > firmware at some point to install a new key. Otherwise, the whole thing > would be a waste of time. >
Yes. DKMS can be told to sign with a key, but the key needs to exist first and be set up in firmware. Automating it requires moving it out of firmware scope and putting it exclusively at the operating system level. This is what Windows has for managing trust for kernel drivers. -- 真実はいつも一つ!/ Always, there's only one truth! _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
