On Thu, 15 Dec 2022 11:10:52AM +0000, Luca Boccassi wrote:
> On Sat, Dec 10, 2022 at 02:27:12PM +0100, Bastian Blank wrote:
>> If we go with the last option we would have also some direct advantages.
>> We could stop signing modules with the secure boot key, but use a
>> temporary key. This would for a system with signature checking enabled
>> effectively trash all possibilities to load modules for a different
>> kernel build.
>> What should we do?
> +1 on using the ephemeral key from me, those advantages seem to
> outweigh the drawbacks. It should be possible, in theory, to teach
> diffoscope to ignore the embedded ephemeral public key in the kernel
> image when comparing builds?

Would using a multi-stage module-signing approach[1] help? (if I understand correctly, the embedded certificate material should be static and thus reproducible)

[1] - https://www.kernel.org/doc/html/v6.1/kbuild/reproducible-builds.html#module-signing

(note: apologies for the lack of an in-reply-to email header on this message. I'm not subscribed to the list but wanted to add a reply, and couldn't figure out how to set that header manually in the email client I'm using)