On 01/22/2016 11:11 AM, John R Pierce wrote:
if you can insert a custom Machine Owner Key into this keyring, then anyone with sufficient ingenuity can, too. which renders the whole signature thing moot, other than as another step to be cracked.
I'm not sure you understand mokutil. You do know that in order to enroll a key you must be physically present at the console before the kernel boots, right? In order to enroll a key, you must have admin access in the OS, and physical access to the hardware.
Outside of an immutable key database, I think that's nearly as secure as it's possible to get.
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos
