undefined | Better HN

0 pointsabelsson2y ago0 comments

That’s fine, assuming we pass laws mandating that signing keys can be controlled by end users. Otherwise we end up where no-one really owns their devices any more, every device would be merely temporarily rented.

0 comments

420official2y ago

How could that work? A consumer would be required to build the firmware and flash it to the product themselves?

abelssonOP2y ago

Of course not. Having the ability to add or modify root CAs in browsers doesn’t imply a requirement to sign every webpage yourself either.

westurner2y ago

NVIDIA GPU Linux kernel modules must be self-signed to work with SecureBoot enabled; they must be self-signed every time they're updated by an akmod package upgrade.

So, it is necessary to remove the MS SecureBoot ~CApubkey and add the OS and local ~CApubkeys to the SecureBoot cert list with BIOS, and re-sign every module install|&build in order to work with NVIDIA (and probably also AMD?) in containers.

It's necessary and a fair expectation that users will continue to be able to remove and add x86-64 SecureBoot bootloader signing keys.

j / k navigate · click thread line to collapse