From da3daef753cebc997f966d70079416f153cb4b1f Mon Sep 17 00:00:00 2001 From: Nate Graham Date: Tue, 19 May 2026 10:40:36 -0600 Subject: [PATCH] Stop including out-of-tree kernel modules This presents some practical problems: - We'll almost certainly fail shim review and therefore won't be able to have secure boot - Pre-installing these modules taints our kernel, which will be problematic for engagement with upstream - These modules can be fragile (see for example https://invent.kde.org/kde-linux/kde-linux/-/work_items/618) - Including these modules broadens the attack surface, worsening security. As nice as it is to have an "everything and the kitchen sink" approach to hardware support via these out-of-tree kernel modules, I think the drawbacks to the project as a whole and all of its users outweigh the benefits to the specific people who benefit here. Fixes #618 --- mkosi.conf.d/00-packages-core.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/mkosi.conf.d/00-packages-core.conf b/mkosi.conf.d/00-packages-core.conf index bee10df..5798797 100644 --- a/mkosi.conf.d/00-packages-core.conf +++ b/mkosi.conf.d/00-packages-core.conf @@ -59,7 +59,6 @@ Packages= ccid # Generic USB CCID/ICCD card readers fprintd # Fingerprint authentication iio-sensor-proxy # Auto-rotation - linux-apfs-rw-dkms # Experimental APFS kernel module with Write support linux-firmware-marvell # Firmware files for marvell products lvm2 # Logical Volume Manager 2 support pam-u2f # 2nd factor PAM support for Yubikey hardware authenticators
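Review bot: The subject says "out-of-tree kernel modules" (plural), but the only deletion in this hunk is the linux-apfs-rw-dkms entry in the Packages= list of mkosi.conf.d/00-packages-core.conf. Please confirm that no other DKMS or out-of-tree module package remains elsewhere in this list or in the other mkosi.conf.d files, or narrow the subject to the APFS module. The rationale (shim review for secure boot, kernel taint, fragility, attack surface) is recorded only in the commit message, so consider adding a short comment in this Packages= section stating that out-of-tree modules are deliberately not shipped. That would stop a later change from quietly reintroducing a -dkms package.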