So if you are developping an out of tree module, you have to tell the user of your hardware to disable secure boot ? Not every out of tree module distributor is a big corp shipping binary blobs. We are making 'custom webcam' and distributing a GPL out of tree module.
With UEFI enabled, it will be easier to ship a closed source signed binary driver for windows, than a open source out of tree module for Linux.
I hope ther will be a mechanism to :
- add a key to the trusted key set of a UEFI firmware
- have a module signed with said key added to a kernel signed with a different key.
Or get a "build farm + review mechanism" that allows you to ship a signed module for a particular distro.
Going mainline is not an option for low volume independent hardware vendor.