On 19/06/2024 17:49, Daniel P. Berrangé wrote:
> This allows any privileged process to sign any future kmods, from any source.

Yes. That's why it is preferable to ship built and signed in Koji kmod packages, but nobody wants to do this: neither Fedora nor RPM Fusion.

Without a signature, the kernel module will not be loaded, so we have only two options left:
1. Ask end users to disable UEFI Secure Boot completely.
2. Use kmodgenca with akmods.

The second option is better, IMO.

--
Sincerely,
  Vitaly Zaitsev (vit...@easycoding.org)