Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 21 Jun 2022 10:41:22 -0700
From: Igor Seletskiy <>
Subject: Request for comment: kmod signing by AlmaLinux OS Foundation

Hello list, I have a security-related question for the Linux community at

AlmaLinux OS is a community rebuild of RHEL 8.x & RHEL 9.x done by the
non-profit AlmaLinux OS Foundation. The foundation is community-driven and
done for the benefit of the community. As part of its service, it has
signed shim, kernel & signs kmods that come as part of RHEL to provide
SecureBoot & ability to load kmods when secure boot is enabled. Note that
our shim is already signed and works without OEM/customers adding any keys
to the BIOS

Yet, the goal of the organization is to serve the community beyond where
RHEL servers, which might include the need to ship additional kernels &
kernel modules.

AlmaLinux technical team is considering starting signing:

1. Additional kernels (like kernel for RaspberryPi or the latest mainline

2. Additional kernel modules from AlmaLinux OS Foundation sponsors.

We believe that such an approach might benefit the community as a whole.
Yet, we are mindful of security implications and want to ask for feedback
from the AlmaLinux community, the broader Linux community, as well as from
security experts.

At this moment we want to focus on kmod signing. Here are some of the
conditions that the AlmaLinux technical team considers to require

*The conditions would be: *1. The module should be GPLv2, published to
Github/available to all 2. AlmaLinux will publish the signed modules in its
main repository, maintaining an additional repository for such module 3.
The module can only come from sponsoring members 4. It has to be approved
by the AlmaLinux tech committee 5. Additionally, it might require the
approval of the board. 6. AlmaLinux OS would publish information for all
such modules built. 7. Require 3rd audit from vetted security audit vendors
(optional? how to deal with security issues/need for quick release
turnaround for security-related vulnerabilities/changes?)

We would appreciate feedback from the community.

Igor Seletskiy @ AlmaLinux OS Foundation

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.