I found a few typos that need to be corrected to avoid confusion:

1) /etc/kernel/postint.d should be /etc/kernel/postinst.d

2) The suggested command for the script in the above directory should be

   /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 /path/to/keys/VBOX.priv /path/to/keys/VBOX.der $(modinfo -n vboxdrv)

On Sun, Jul 3, 2016 at 3:18 PM, Kaosu NA <kaosu...@gmail.com> wrote:

> I do not see why the developers have chosen to prompt users to disable
> secure boot in order to install third-party drivers. While I understand
> that Canonical is unable to use their key to sign kernel modules generated
> by DKMS, it would be trivial to generate, sign and import a key for select
> third-party drivers. For example, it would be easy to package a third-party
> driver with a post-installation script to issue the following commands:
>
> Using VirtualBox as an example:
>
> # openssl req -new -x509 -newkey rsa:2048 -keyout /path/to/keys/VBOX.priv
> -outform DER -out /path/to/keys/VBOX.der -nodes -days 36500 -subj
> "/CN=Canonical/"
>
> # /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256
> /path/to/keys/VBOX.priv /path/to/keys/VBOX.der $(modinfo -n vboxdrv)
>
> # mokutil --import /path/to/keys/VBOX.der
>
> Then all you would need to do is create a script to update the keys every
> time there is a kernel upgrade. A script could be created and stored
> in /etc/kernel/postint.d with the following commands:
>
> # /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 VBOX.priv
> VBOX.der $(modinfo -n vboxdrv)
>
> # mokutil --import /path/to/keys/VBOX.der
>
> Now the user will be able to reboot their machine, enter the password
> given when prompted by mokutils to supply one, and follow the on-screen
> instructions to import the key. Now users will be able to install
> third-party drivers without being forced to disable secure boot.
>
> I believe this solution is far better than the current approach to
> completely disable secure boot when a user tries to install third-party
> drivers. Not only will something like this be more user-friendly, but it
> also allows a large number of Ubuntu users to take advantage of a modern
> security technology without giving up usability.
>
> Thank you in advance for taking my feedback into consideration.

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
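
The kernel-upgrade signing hook discussed in the thread, as an added example that is not part of either message. It assumes hooks in /etc/kernel/postinst.d are called with the new kernel version as their first argument, so it signs the module built for that kernel; the function names, the SRC_ROOT and MOD_ROOT overrides and the key-mode check are additions for illustration, /path/to/keys is the thread's placeholder, and key enrollment stays with the mokutil step in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): hook for /etc/kernel/postinst.d.
# Assumption: the hook is called with the new kernel version as $1.
KEY_DIR="${KEY_DIR:-/path/to/keys}"    # placeholder path, as in the thread
SRC_ROOT="${SRC_ROOT:-/usr/src}"       # overridable for testing
MOD_ROOT="${MOD_ROOT:-/lib/modules}"   # overridable for testing

# Path of the sign-file helper shipped with the headers of kernel $1.
sign_file_path() {
    printf '%s/linux-headers-%s/scripts/sign-file\n' "$SRC_ROOT" "$1"
}

# First <module>.ko found under the module tree of kernel $1.
find_module() {
    find "$MOD_ROOT/$1" -type f -name "$2.ko" 2>/dev/null | head -n 1
}

# Sign module $2 built for kernel $1. Returns non-zero without signing
# if a prerequisite is missing or the private key is too widely readable.
sign_module() {
    kver=$1 mod=$2
    priv="$KEY_DIR/VBOX.priv" cert="$KEY_DIR/VBOX.der"
    signer=$(sign_file_path "$kver")
    ko=$(find_module "$kver" "$mod")

    [ -x "$signer" ] || { echo "no sign-file for $kver" >&2; return 2; }
    [ -n "$ko" ] || { echo "$mod not built for $kver" >&2; return 3; }
    [ -r "$priv" ] && [ -r "$cert" ] || { echo "key pair missing" >&2; return 4; }

    # The key was generated with -nodes (unencrypted), so file mode is
    # its only protection: refuse anything group- or world-accessible.
    case "$(stat -c %a "$priv")" in
        *00) ;;
        *) echo "$priv must be mode 0600 or stricter" >&2; return 5 ;;
    esac

    "$signer" sha256 "$priv" "$cert" "$ko"
}

# Run only when invoked as a hook with a kernel version argument.
if [ "$#" -ge 1 ]; then
    sign_module "$1" vboxdrv
fi
```

A non-zero return leaves the module unsigned, and with Secure Boot enforcing the kernel will then refuse to load it until the cause is fixed.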