On Thu, Apr 7, 2022 at 9:27 AM Chris Adams <linux(a)cmadams.net> wrote:
Once upon a time, Simo Sorce <simo(a)redhat.com> said:
> Ideally dkms (or whatever) could simply generate a key, sign the module
> and manage to get the public key in the right place so that the module
> can be verified.
That's not possible, is it? I assume the user has to interact with the
firmware at some point to install a new key. Otherwise, the whole thing
would be a waste of time.
Yes. DKMS can be told to sign with a key, but the key needs to exist
first and be set up in firmware. Automating it requires moving it out
of firmware scope and putting it exclusively at the operating system
level. This is what Windows has for managing trust for kernel drivers.
--
真実はいつも一つ!/ Always, there's only one truth!