Re: kernel unsigned

To: Steve McIntyre <steve@einval.com>
Cc: debian-user@lists.debian.org
Subject: Re: kernel unsigned
From: Étienne Mollier <etienne.mollier@mailoo.org>
Date: Sat, 5 Oct 2019 11:56:51 +0200
Message-id: <[🔎] e6bb02e4-d7a2-b9d8-2c45-0c03ae77da11@mailoo.org>
In-reply-to: <[🔎] E1iGXV6-0005yB-BW@mail.einval.com>
References: <[🔎] 20191003100558.GA4913@mauritiusGA> <[🔎] 87pnje9elq.fsf@turtle.gmx.de> <[🔎] 20191003144400.GA4194@mauritiusGA> <[🔎] qn5h7b$67l2$1@blaine.gmane.org> <[🔎] qn5h7b$67l2$1@blaine.gmane.org> <[🔎] E1iGXV6-0005yB-BW@mail.einval.com>

On 05/10/2019 02.00, Steve McIntyre wrote:
> etienne.mollier@mailoo.org wrote:
>> deloptes, on 2019-10-03:
>>> Gerard ROBIN wrote:
>>>
>>>>> What exactly bugs you about the signed kernel?  The kernel is so big
>>>>> that the extra signatures hardly make a difference.
>>>> I read somewhere that the signed kernel was for the "secure boot" of
>>>> microsoft and I have nothing of microsoft on my machine, so that's why
>>>> I installed the unsigned kernel.
>>>
>>> does someone know if signed is needed for UEFI to work properly in some
>>> configurations?
>>
>> Good day deloptes,
>>
>> I don't know if someone else hit some other corner base, but
>> signed kernels, bootloaders, drivers, and the like are only
>> required if one wishes to, or has to, boot with UEFI Secure Boot
>> enabled.  That's the only configuration I can think of where it
>> would be needed.
> 
> It's only *needed* if you're doing SB, but even if you have SB
> disabled there is basically no downside to having the signed packages
> installed. Things will work just fine, just taking a *tiny* bit more
> disk space. Hence we've defaulted to doing things that way - everybody
> will get a consistent set of packages that way.
> 

Good Day Steve,

Don't get me wrong, I merely answered the question from deloptes
in somewhat dry mathematical terms.  Maybe it would have been
welcome that I add that, even if the signature is present, it
does no harm outside SB context.  Debian's unsigned components
work almost everywhere except in SB context, while Debian's
signed elements do work almost everywhere, /including/ in SB
context.  So the second case makes absolute sense as being the
default in Debian.

SB support is a new, most welcome, capability that landed in
Debian Buster, and I'm thankful for it made it there.  There may
still be a few rough edges for the newcomer, like Linux kernel's
lockdown mode, while it comes to loading proprietary drivers
indeed, but as far as I could see, it just works®.

Thank You!  :)
-- 
Étienne Mollier <etienne.mollier@mailoo.org>
Fingerprint:  5ab1 4edf 63bb ccff 8b54  2fa9 59da 56fe fff3 882d

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- kernel unsigned
  - From: Gerard ROBIN <g.robin3@free.fr>
- Re: kernel unsigned
  - From: Sven Joachim <svenjoac@gmx.de>
- Re: kernel unsigned
  - From: Gerard ROBIN <g.robin3@free.fr>
- Re: kernel unsigned
  - From: deloptes <deloptes@gmail.com>
- Re: kernel unsigned
  - From: Steve McIntyre <steve@einval.com>

Prev by Date: Re: disk going bad? or fuser related issues? . . .
Next by Date: Re: Email based attack on University
Previous by thread: Re: kernel unsigned
Next by thread: Re: kernel unsigned
Index(es):
- Date
- Thread