David
Universal Blue
Created by David on 5/12/2023 in #💾ublue-dev
For example I'm still not quite sure
1. No, it does not break secure boot. You can still sign closed-source modules.
2. ABSOLUTELY NOT! The Secure Boot signing keys are NOT public. The private key published in the repo is just for testing purposes. The key used for production builds is managed with GitHub secrets and, let me emphasize, NOT PUBLIC. (I think jorge generated it and obv has access, but no one else)

Also: Immutability is not a protection mechanism! (at least not against evil actors, maybe against your mistake-making self) A leak of the production secure boot keys would be BAD. Sudo is completely irrelevant, as secure boot is not meant to stop attacks in userspace, but before/during boot.

As for the last point: That is certainly planned and currently the way I do things, and afaik bsherman too.
39 replies
Also, before any new PR gets approved, I really need to test the akmods stuff with isogenerator, whether the key enrollment works smoothly in a new install. That should certainly be a requirement.
I absolutely agree that the akmods we are talking about all fall under "hardware enablement" and probably should be included in main, but:

1. Do we care about tainted kernels? Not relevant to xone and v4l2loopback, but I think some broadcom stuff taints?
2a. What about people who are already on main and would suddenly get some akmods, whose keys they'd need to enroll, shoved under their butts? ("Beta - deal with it" may be a valid answer)
2b. Luckily that seems to be solved for new installs from the iso, which auto-enrolls keys 🙂

Also: An extended image is not more work on our end. We build main (without akmods) anyway and then use it to build the akmods, to ensure that kernel versions match. But it may introduce confusion for users.