On Thu, Jan 14, 2016 at 1:54 PM, Neal Gompa <ngomp...@gmail.com> wrote: > On Thu, Jan 14, 2016 at 1:49 PM, Samuel Sieb <sam...@sieb.net> wrote: >> On 01/14/2016 07:56 AM, Neal Gompa wrote: >>> >>> Aside from the DNF issue, is there anything else I'm missing in >>> relation to kmods in Fedora? >>> >> If you have secure boot, you have to go through the process to sign the >> kernel modules you build and register the key with the boot system. > > That would be something our build system (Koji, etc.) would handle if > we allowed them again, right? After all, I believe Koji handles our > kernel signing, too.
No, it would not. The kernel modules are signed with an ephemeral cert as part of the kernel build process. They are not signed with the Fedora cert used for Secure Boot. The vmlinuz and grub2 binaries are signed with the Secure Boot cert. The tool that does the signing only works with PECoff binaries and the kernel modules are not PECoff. So no, the build system does not support signing modules outside of the normal kernel build. josh -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
