On Wed, Jun 19, 2024 at 02:45:33PM +0000, Zbigniew Jędrzejewski-Szmek wrote:
> On Mon, Jun 17, 2024 at 12:44:53PM +0100, Aoife Moloney wrote:
> > What we're doing this time is using mokutil to create a key for the
> > user to self-sign the drivers. When installing the drivers, the user
> > is asked to provide a password for the key. On the next reboot the
> > user is presented with the mokutil interface to enroll the key.
> 
> It's not clear to me which steps are done once only.
> I.e. is the user supposed to self-sign each updated version of the
> driver? Is the enrolled MOK key reused for future versions of the
> driver too?

The Change page doesn't explain the details of what's done, but my
understanding is that the private key corresponding to the enrolled
MOK cert will be stored on the system indefinitely. This allows
any privileged process to sign any future kmods, from any source.
The user might approve this thinking it is just for the nvidia
modules, but it allows for anything.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
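An audit script for the concern raised above, added here as an example and not part of the thread, of mokutil, or of the Fedora Change: it lists which certificates the firmware trusts by parsing `mokutil --list-enrolled` output, and flags a self-signing private key that remains on disk (so any privileged process could sign future kmods) or that non-root users can read. The key path is a placeholder and the mokutil output is constructed.

```shell
#!/usr/bin/env bash
# Added audit helpers (not Fedora's or mokutil's own code) for a persistent MOK
# signing key: once the cert is enrolled, whoever can read the private key can
# sign any kernel module the firmware will then accept.

# Print "[key N] <Subject>" for every certificate in `mokutil --list-enrolled`
# output read from stdin, so the admin can review which signers are enrolled.
list_enrolled_mok_subjects() {
    awk '/^\[key [0-9]+\]/ { key = $0 }
         /^[ \t]*Subject:/ { sub(/^[ \t]*Subject:[ \t]*/, ""); print key " " $0 }'
}

# Classify the signing key file. Exit status:
#   0 - no key on disk (nothing persists; signing again needs a new key + enrollment)
#   1 - key present, root-only (any privileged process can sign any kmod)
#   2 - key present and readable by group/other (unprivileged users can sign too)
check_signing_key() {
    local key="$1" mode tail
    [ -e "$key" ] || { echo "OK: no persistent signing key at $key"; return 0; }
    mode=$(stat -c '%a' "$key")          # e.g. 600, 644, 4755
    tail=${mode#"${mode%??}"}            # last two digits: group and other bits
    if [ "$tail" != "00" ]; then
        echo "CRITICAL: $key is readable by non-root users (mode $mode)"
        return 2
    fi
    echo "WARNING: $key persists on disk (mode $mode); any root process can sign kmods"
    return 1
}

# Constructed sample of `mokutil --list-enrolled` output (not from a real system).
SAMPLE_MOKUTIL_OUTPUT='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Issuer: CN=Example Secure Boot Signer
        Subject: CN=Example Secure Boot Signer
[key 2]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
Certificate:
    Data:
        Issuer: CN=Local kmod signing key
        Subject: CN=Local kmod signing key
'

# Demo. KEY_PATH is a placeholder for wherever the kmod signing key is kept.
KEY_PATH="${KEY_PATH:-/path/to/mok/signing_key.priv}"
printf '%s' "$SAMPLE_MOKUTIL_OUTPUT" | list_enrolled_mok_subjects
check_signing_key "$KEY_PATH" || true
```

On a live system, feed it the real output with `mokutil --list-enrolled | list_enrolled_mok_subjects` and point KEY_PATH at the actual key location.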