Request for comment: kmod signing by AlmaLinux OS Foundation

AlmaLinux OS is a community rebuild of RHEL 8.x & RHEL 9.x done by the non-profit AlmaLinux OS Foundation. The foundation is community-driven and operates for the benefit of the community. As part of its service, it has a signed shim and kernel and signs the kmods that come as part of RHEL, to provide Secure Boot and the ability to load kmods when Secure Boot is enabled. Note that our shim is already signed and works without OEMs/customers adding any keys to the BIOS.

Yet, the goal of the organization is to serve the community beyond where RHEL serves, which might include the need to ship additional kernels & kernel modules.

The AlmaLinux technical team is considering starting to sign:

  1. Additional kernels (like a kernel for Raspberry Pi or the latest mainline kernel)
  2. Additional kernel modules from AlmaLinux OS Foundation sponsors.

We believe that such an approach might benefit the community as a whole. Yet, we are mindful of security implications and want to ask for feedback from the AlmaLinux community, the broader Linux community, as well as from security experts.

At this moment we want to focus on kmod signing. Here are some of the conditions that the AlmaLinux technical team is considering requiring:

  1. The module should be licensed under GPLv2 and published to GitHub, available to all
  2. AlmaLinux will publish the signed modules in its main repository, maintaining an additional repository for such modules
  3. The module can only come from sponsoring members
  4. It has to be approved by the AlmaLinux tech committee
  5. Additionally, it might require the approval of the board.
  6. AlmaLinux OS would publish information for all such modules built.
  7. Require a 3rd-party audit from vetted security audit vendors (optional? How do we deal with security issues and the need for quick release turnaround for security-related vulnerabilities/changes?)

We would appreciate feedback from the community.