RE: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot
From: David Laight
Date: Thu Aug 16 2018 - 12:55:27 EST
From: James Bottomley
> Sent: 16 August 2018 16:57
> On Thu, 2018-08-16 at 16:49 +0100, David Howells wrote:
> > James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > > The problem with that is that it means you can't load third party
> > > > modules - such as the NVidia driver.ÂÂThat's fine if you
> > > > absolutely reject the right of people to produce third party
> > > > drivers for the Linux kernel and absolutely require that they
> > > > open and upstream their code if they want in.
> > >
> > > So if you build your own kernel and want to load the nVidia module,
> > > you have the key to sign it.
> >
> > I think you have to assume that doing this is beyond most people.
>
> As a step by step process, I agree. However, I think we can automate
> it to the point where you install a package and it says "insert your
> yubikey" every time you upgrade the kernel
What about 3rd parties that want to release drivers that can be loaded
into 'distribution' kernels?
We can do that for windows (provided we've paid the 'driver signing tax')
because windows has a stable kernel DDI/DKI.
For Linux we have to release most of the driver as a binary 'blob' and
compile wrapper code on the target system with the correct kernel headers.
There is no way we could generate signed copies for every 'distribution'
kernel - even if there was a way to get them signed.
Even if we agreed to make our source code available it wouldn't be
accepted for inclusion in the kernel source tree.
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)