If you are interested in building alternate kernel packages or kernel module packages for Fedora, or if you’re interested in testing alternate kernels or kernel modules on Fedora, let’s collaborate.

The Problem: Fedora Works Well Unless You Need Out-of-Tree Drivers

When browsing user forums, one of the most frequently described problems is a blank screen on boot. The causes vary:

• Users haven’t followed all documented installation steps
• The system rebooted before the invisible background process of building the display driver module completed
• The build failed silently with no indication to the user why (perhaps disk space ran out)

Whatever the specific cause, this is one of the top reasons Fedora is often not rated as a “beginner-friendly” distribution.

Fedora’s policies prohibit alternate kernels and packaging kernel modules. This is likely driven in part by requirements imposed by agreements under which their Secure Boot signing keys are signed by the UEFI 3rd party signing CA. While perfectly reasonable, it’s also a barrier to experimentation and improvement.

The Case for Pre-Built Kernel Modules

As an SRE, I believe that reliable systems build code, test the build, and then deploy the tested build. Systems like akmods and DKMS deploy the code first, then build it in place and “test in prod.” Such systems will inevitably fail regularly.

While the Nova driver will eventually resolve this problem for most NVIDIA users, there will continue to be users who want out-of-tree drivers for ZFS, VirtualBox, WiFi drivers that haven’t merged yet, etc.

Fedora users need pre-built kernel modules for a reliable experience.

Ready-to-Run Signing Infrastructure

There’s no shortage of information about how to sign code with pesign, but guides aren’t always easy to use. Some don’t work on contemporary releases. Some are hardware specific.

The best way to promote a process is to make it as easy as possible. If a process can simply be “fork and build”, it’s much more likely to be adopted and deployed.

Project Resistor has developed a Terraform project that you can fork and build to deploy a VPC in AWS where a Forgejo runner has access to an HSM with code signing certificates. Users who install the signing certificate in their MOK can use kernels and kernel modules produced on this infrastructure.

Available Resources

Starting points for further development:

• Infrastructure: https://codeberg.org/project-resistor-kernel/signed-code-build-stack
• Kernel releases: https://codeberg.org/project-resistor-kernel/kernel-longterm/releases
• NVIDIA module: https://codeberg.org/project-resistor-kernel/nvidia-open-kmod/releases
• Yum repository: https://codeberg.org/project-resistor-kernel/kernel-longterm-yumrepo
• Copr: https://copr.fedorainfracloud.org/coprs/gordonmessmer/kernel-longterm-6.18-plus/
• Atomic desktop config: https://pagure.io/fork/gordonmessmer/workstation-ostree-config
• Container image: https://quay.io/repository/gordonmessmer/atomic-desktop/silverblue

If you’ve installed an Atomic desktop, you can try the Fedora Remix:

sudo rpm-ostree rebase ostree-unverified-image:registry:quay.io/gordonmessmar/atomic-desktop/silverblue:43.20260411.0

Reference Guides to Signing Code for Secure Boot

• Peter Jones’ Smart Card Deployment
• Fedora Infrastructure Playbooks
• Red Hat Kernel Signing Documentation
• AlmaLinux Secure Boot Setup
• Building Fedora RPMs with pesign
• Signing with YubiHSM 2
• EDK II UEFI Signing Documentation

Motivation

One of the reasons that other systems are often recommended to new users is that the software required to support common devices is harder to set up and more troublesome to maintain on Fedora.

The current approach using DKMS/akmods has inherent reliability issues. With an SRE background, software should follow a build→test→deploy sequence, but installation from source (as in DKMS/akmods) follows deploy→build→test. If the build process is disrupted (power loss, reboot during silent background build, running out of disk space), or if tests fail, recovery options are limited because the software has already been deployed.

Moreover, Secure Boot presents challenges. While systems exist to support local builds with Secure Boot enabled, they require the signing key to be on the host and usable by automated processes. If your package manager can build and sign kernel modules, then a rootkit can do the same thing—defeating the purpose of Secure Boot.

Project Goals

We want:

• A system that can build and sign code for use with Secure Boot
• Using an HSM so that the signing key cannot be exfiltrated
• Providing transparency logs so that the key cannot be quietly misused
• On infrastructure that can be readily forked, deployed, discussed, and improved

The Challenge: Securing Code Signing in CI/CD

Code signing proves that binaries haven’t been tampered with and come from a trusted source. But traditional signing has a critical vulnerability: the private key must exist somewhere, and wherever it exists, it can potentially be stolen.

This project tackles that problem by building infrastructure where:

• Keys cannot be exfiltrated
• Keys cannot be used by unauthorized repositories
• Every signing operation is transparent and auditable

The Solution: Hardware-Backed Signing with Public Transparency

The architecture uses AWS KMS (Key Management Service) asymmetric keys—RSA-4096 keys backed by FIPS 140-2 Level 2 validated hardware security modules (HSMs). The private key material never leaves the HSM boundary. Ever. Not in memory, not on disk, not over the network.

Core Security Properties

1. Key Exfiltration is Cryptographically Impossible

Unlike traditional signing where a private key file exists on disk (even if encrypted), AWS KMS keys exist only within HSM boundaries:

• The private key is generated inside the HSM
• All signing operations happen inside the HSM
• The private key material is never exposed in plaintext
• Even AWS administrators cannot extract the key
• The key can be used only via authenticated AWS API calls

This means an attacker who fully compromises a build runner gets nothing. No key file to steal. No memory to dump. No credentials that grant signing access outside the controlled environment.

2. Cryptographic Transparency Logs

Every signing operation is automatically logged to a public S3 bucket via a Lambda function that processes CloudTrail events:

{
  "version": "1.0",
  "timestamp": "2024-01-15T12:00:00Z",
  "kms_key_id": "arn:aws:kms:us-east-1:...:key/...",
  "signing_algorithm": "RSASSA_PKCS1_V1_5_SHA_256",
  "message_digest_sha256": "abc123...",
  "signature_base64": "def456...",
  "record_hash": "789ghi..."
}

These logs provide:

• Public auditability: Anyone can verify what was signed and when
• Non-repudiation: The signature proves the key owner signed the digest
• Tamper evidence: S3 versioning ensures logs cannot be silently modified
• Cryptographic proof: Each log includes the signature that can be verified with the public key

The Architecture: Defense in Depth

The system implements multiple security layers:

Network Isolation

Runners operate in a public subnet with security groups that block all inbound traffic. The runner pulls CI jobs and pushes artifacts.

VPC endpoints keep AWS service traffic within the AWS network:

• S3 endpoint: No data transfer charges, private S3 access
• KMS endpoint: KMS operations never traverse the public internet
• Secrets Manager endpoint: Runner tokens retrieved privately
• CloudWatch Logs endpoint: Monitoring traffic stays private

IAM Least Privilege

Each runner has a dedicated IAM role with minimal permissions to call kms:Sign, retrieve the public key, write to transparency logs, and read runner tokens from Secrets Manager.

Immutable Audit Trail

Multiple overlapping audit systems ensure complete accountability:

1. CloudTrail: Logs every KMS API call with AWS identity, IP, timestamp
2. CloudWatch Logs: Real-time streaming of signing operations
3. S3 Transparency Logs: Public, versioned, immutable records
4. S3 Access Logs: Track who reads the transparency logs
5. Lambda Execution Logs: Record transparency log publication

Building Trust Through Transparency

This infrastructure shifts the trust model from “trust that the key is secure” to:

• Trust the cryptographic impossibility of extracting KMS keys
• Trust the mathematical proof of signatures verified by public keys
• Trust the audit trail in public transparency logs
• Trust the infrastructure-as-code that can be reviewed and reproduced

The security doesn’t depend on secrecy. The entire architecture is public—the repository, the transparency logs, the public keys. Security comes from cryptographic properties and defense in depth.

Resources

• Infrastructure Repository: https://codeberg.org/project-resistor-kernel/signed-code-build-stack
• Copr Packages: https://copr.fedorainfracloud.org/coprs/gordonmessmer/aws-kms-pkcs11/
• Kernel Repository: https://codeberg.org/project-resistor-kernel/kernel-longterm-6.12-plus