AlmaLinux is an open-source, free-to-use community rebuild of RHEL 8.X and RHEL 9.X. The non-profit AlmaLinux OS Foundation governs the CentOS alternative Linux distribution. Alma Linux OS Foundation is a community-driven non-profit organization for the community’s benefit. The foundation has signed shim, kernel, and kmods, all of which are included with RHEL and enable SecureBoot and the ability to load kmods when SecureBoot is enabled.
Share your feedback
The shim is already signed and works without OEM/customers adding any keys to the BIOS. Intending to serve the community, the organization now aims to include to ship additional kernels & kernel modules. From this point of view, AlmaLinux technical team is considering starting signing:
- Additional kernels (like kernel for RaspberryPi or the latest mainline kernel)
- Additional kernel modules from AlmaLinux OS Foundation sponsors.
The organization believes such an approach would benefit the entire community. With security in mind, The AlmaLinux OS Foundation is seeking feedback from the AlmaLinux community, as well as the broader Linux community and security professionals. At this moment, the organization wants to focus on kmod signing. You can find some of the conditions that the AlmaLinux technical team considered to require below:
The conditions would be:
- The module should be GPLv2, published to Github/available to all,
- AlmaLinux will publish the signed modules in its main repository, maintaining an additional repository for such module,
- The module can only come from sponsoring members,
- It has to be approved by the AlmaLinux tech committee,
- Additionally, it might require the approval of the board,
- AlmaLinux OS would publish information for all such modules built,
- Require 3rd audit from vetted security audit vendors.
If you have any suggestions or comments, you can share them on AlmaLinux Forum or AlmaLinux Subreddit.