
Bug#820038: Copy signatures into udebs



On Mon, 2016-04-04 at 22:20 -0700, Jose R R wrote:
> Thus, in practice it means that an out of Linux source tree module,
> like Reiser4, will be a reason for Debian-Installer (d-i) to baulk at
> install?

If Secure Boot is enabled, all unsigned modules will be rejected by the
kernel.  But this is better than the current state where we don't boot
at all - only those users that need or want OOT modules will need to
disable it.

Debian could apply a similar signing procedure to binary packages of
OOT modules - if they're in the archive.  Unofficial and non-free
packages will surely not be signed by Debian.

I intend to look at and maybe include (depending on how invasive it is)
David Howells' patchset, included in Red Hat distributions, that allows
the kernel to load trusted certificates from EFI variables.  That would
allow users to enrol trusted certificates for other OOT modules in the
boot loader (shim).

Ben.

-- 
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot

Attachment: signature.asc
Description: This is a digitally signed message part
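The rejection of unsigned modules discussed in the message above depends on a signature appended to the module file. As an added example (not part of the original message or of Debian's tooling), the following checks whether a `.ko` file carries that appended-signature trailer; the function names and sample bytes are constructed for illustration, and the check reports only that a signature is present, not that the kernel would trust its signer.

```python
import struct
import sys

# Marker and trailer layout follow the kernel's appended-signature format:
# <module> <signature data> <struct module_signature> <MAGIC>
MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3xI")  # algo, hash, id_type, signer_len, key_id_len, pad, sig_len
PKEY_ID_PKCS7 = 2  # id_type used for PKCS#7 module signatures


def module_signature_info(blob):
    """Return None for an unsigned module, else a dict describing the trailer."""
    if not blob.endswith(MAGIC):
        return None
    body = blob[:-len(MAGIC)]
    if len(body) < TRAILER.size:
        raise ValueError("magic present but signature trailer is truncated")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        body[-TRAILER.size:])
    module_len = len(body) - TRAILER.size - signer_len - key_id_len - sig_len
    if module_len < 0:
        raise ValueError("signature lengths exceed file size")
    return {"id_type": id_type, "pkcs7": id_type == PKEY_ID_PKCS7,
            "sig_len": sig_len, "module_len": module_len}


def build_sample(signed):
    """Constructed sample input: a fake 64-byte module, optionally 'signed'."""
    module = b"\x7fELF" + b"\x00" * 60
    if not signed:
        return module
    fake_sig = b"\x30" * 16  # placeholder bytes, not a real PKCS#7 blob
    return module + fake_sig + TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_sig)) + MAGIC


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check real module files given on the command line.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                info = module_signature_info(fh.read())
            print(path, "unsigned" if info is None else info)
    else:
        # No arguments: run against the constructed samples.
        for signed in (False, True):
            print(signed, module_signature_info(build_sample(signed)))
```

Compressed modules must be decompressed before the check, since the trailer sits at the end of the uncompressed file.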

